SummaryOne of the questions we asked the participants in our recent Security Innovators Throwdown was: Why did you create this product/service? We got what was probably the best answer to that question from Envision Security: "We were consultants and we built the tools that we wish that we had when we were doing risk management." Security Risk Communicator solves several problems in today's compliance-driven environment.
First, everyone in an organization recognizes the importance of managing risk, but when it comes to IT risk nobody wants to pay for it. Here is one place that Security Risk Communicator fits. It analyzes risk in the context of business drivers, something we teach as professionals, but rarely see accomplished. Basically, the solution addresses the financial issues of security risk head-on.
A second real benefit is how the tool communicates. Never in our experience have we seen the types of graphics that this product uses applied to managing risk. For example, the heat map allows users to move risks around based on impact and likelihood. We are used to assigning impact and likelihood figures, but as important as these figures are, they also are the most controversial in the risk analysis process because they can be very subjective.
Using the heat map, analysts can move risks around and the impact and likelihood scores adjust automatically. This conversion from a graphical display to numeric scores - instead of the other way - allows intuitive adjustment of risks and rapid consensus-building, tasks nearly impossible in some political environments if one begins with arbitrarily selected numeric scores.
Another major benefit of the approach of focusing on the financial impact of risk is allocation of financial resources to projects based on risks. Because the whole Security Risk Communicator is designed to answer the question, "What should we spend to mitigate this IT risk?," the focus is less on technology and more on business. It's not that technical issues aren't given their due, it is more that the balance of the risk in the context of the rest of the organization's financial picture is recognized. Analysis is not by individual risk. Rather it is by project or other investment.
Sound like the emerging segment of governance, risk management and compliance (GRC)? "Absolutely not," says Envision. According to the company, GRC focuses on managing risk, workflow, security and the impact on compliance. Their product focuses instead on financial impact. As Envision puts it, Security Risk Communicator takes the output of GRC processes, such as auditing, and helps determine how and where to fund solutions to the problems uncovered. This allows for addressing an extremely important piece of the risk management process: acceptable risk. It allows the organization to hit the notion of appetite for risk head-on at a granular level with real costs associated. This is extremely useful during the IT security budgeting process and most CISOs know it.
Returning to the various displays and tables, this is a very important piece of the risk management process if one thinks of it in the context of financial impacts. Typically, C-level executives do not understand the technical issues that surround managing and measuring IT security risk. Many are the CISOs who have torn what little hair they have left out because "some stupid CFO just doesn't get it." The truth is that the CFO is just as skilled in their field as the CISO is. The CFO simply sees things in the context of the financial survival of the organization. CFOs "get it" to be sure. They just see things differently from many CISOs. That is a very hard lesson for some CISOs to master and this tool helps there.
Security Risk Communicator really does communicate. More important, it can act as a sort of translator between the technical and financial specialists in the organization. It does this through its displays and reports, of course. But it also allows a process of consensus-building that, in turn, allows the two groups to arrive at a mutually acceptable picture. This picture optimally communicates the balance of technology cost with financial benefit. Perhaps for the first time we are able to visualize ROI in a security context.
Security Risk Communicator is software-as-a-service (SaaS) and that may be its one potential drawback. The company is going to need to communicate with equal clarity that the customer's very sensitive information is safe sitting on someone else's server. That, however, is the name of the game today as more and more critical and sensitive information moves into the cloud. We don't see, potentially, any greater risk here than outsourcing sensitive programming tasks to contract programmers in a foreign country 7,000 miles and 12 time zones away.
Product: Security Risk Communicator
Company: Envision Security
Cost: Starts at $12K per year.
The problem it solves: Puts risk management in the financial context where it belongs.
What we liked: The displays and reports really live up to its name.
What we didn't like: This may or may not be an issue (the company recognizes its importance and talks on its website about its encryption, security and availability of a security report), but keeping highly sensitive corporate risk and financial information on a server not controlled by the organization may make some potential users uncomfortable.