A host of security vendors are targeting governance-minded companies with tools for formalising the evaluation and management of cybersecurity risk across an organisation.
Secureworks, for one, has wrapped its Secureworks Security Maturity Model (SSMM) methodology into a self-assessment tool that helps organisations benchmark the maturity of their cybersecurity processes.
The methodology – which draws on established frameworks including NIST and ISO 27001/27002 – scores a company’s capabilities across five cybersecurity domains, and compares them against outcomes observed at 4500 of the company’s clients in areas such as risk management, cybersecurity operations, governance, and processes.
“Business executives tell us they’re looking for ways to determine whether their cybersecurity capabilities and investment are in line with their business risk profile,” consulting practice leader Hadi Hosn said in a statement.
“Our recent study suggests that misalignment between security activities and actual risk is common enough to warrant a more pragmatic model that can help organisations both identify those gaps and adjust their security maturity goals accordingly.”
Earlier Secureworks research has identified significant differences between more-mature and less-mature organisations in several areas: aligning and prioritising vulnerability assessments according to business goals; real-time, automated security analysis of business partners; customised endpoint protection based on user profiles; involving both technical and business teams in incident response tabletop exercises; working with industrial relations partners under retainer agreements; and integrating threat indicators and enhancements into security and workflow controls.
The methodology mirrors work by insurer FM Global, which has launched a cyber-resilience assessment tool designed to help evaluate organisational security risk.
Potential insureds can use the 70-question FM Global Cyber Risk Assessment to audit their security controls and receive recommended mitigations. The assessment spans physical security, information security, and industrial control and building automation systems.
“Many people think of cyber risk solely as theft of information, but there is a very real physical property component that businesses need to consider,” said Jeff Tilley, FM Global vice president and manager of cyber hazards.
“This comprehensive tool assesses the potential impact of cyber risk beyond an IT perspective and provides recommendations to mitigate against that cyber threat with an overall outcome of improved resilience to protect business revenue, reputation, market share and ultimate viability.”
Adding yet another way to monitor enterprise security risk, NSFOCUS this week debuted its Exposed Internet Surface Analysis (EISA) tool, which monitors an organisation’s internet-facing IPs, ports, and services for rogue exposures that may already be compromised or present a point of vulnerability into the corporate network.
EISA scans for evidence of malicious activity and automatically generates a risk assessment to guide the company’s mitigation efforts, the company said.
“EISA helps organisations to understand their cyber risk exposure in real-time, allowing IT teams to develop remediation plans and intrusion prevention policies to block further malicious activity,” Asia-Pacific senior vice president Attley Ng said in a statement. “Paired with NSFOCUS Threat Intelligence, EISA reassures and benchmarks each organisation’s cyber risk exposure, allowing them to make better business and technology decisions.”