What is aSecurity Score and Why Do You Need One? [VIDEO]
Every organization needs protection from ever-changing and growing cybersecurity threats.
A security assessment can tell you where your vulnerabilities lie and what can be improved. Randy Anderson, Loffler's IT Professional Services Manager, explains the many options and benefits for security scoring.
Security scores are becoming very prevalent across our industry. If you look at products like Microsoft Office 365 and Microsoft Azure, they have security scoring components built into them. Really what that does is, it's a look at all of the technical settings that are available within those products and a ranking based on the risk that's involved in the certain settings and the benefit that it gives you.
Security scoring is available in a lot of different products, from a lot of different vendors. Here at Loffler, we use a more general security scoring tool called S2SCORE. And S2SCORE, from our partner SecurityStudio, is the new name for what was formerly FISASCORE. This tool takes a holistic look at your environment. We look at administrative controls in your environment, we look at technical controls, both internally and externally and we look at physical controls in your environment. Those controls and some vulnerability scanning that's done, that information is fed into an algorithm. A score is generated based on that and you're given a score of a range of 300 to 850 and it tells you where you sit relative to other companies or other companies within your industry.
Protect Your Organization from Cybersecurity Threats with a Security Score:
There are a lot of different use cases for security scores. Some benefits might be, if you are just starting to build your security program, this can help you understand where to get started - what are the low-hanging fruits? What are the highest risks in your environment? What are the things that you should attack first? If you find that you undergo a lot of third-party vendor assessments or audits, this can help you answer the questions, the very typical questions that are going to be asked during those assessments or audits. The S2SCORE is based on industry standard cybersecurity frameworks, so there are elements of NIST and ISO cybersecurity frameworks, as well as others like PCI and HIPAA compliance standards too.
Some of the other benefits are, if you are looking to purchase cybersecurity insurance. You may qualify for a discount if you undergo a security scoring process or an assessment process like this. In some cases, you will get a direct benefit or a direct discount for that. In other cases, you'll be able to show your work and show the work that you've done to assess your environment and remediate your environment and you'll be able to prove that you have certain standards met in your environment to qualify for lower-cost insurance. This can also help you, just in general, as you're thinking about, how am I going to respond to an incident? Part of the assessment is to look at those administrative controls. Some of those administrative controls have to do with very basic things - do I have an incident response plan? Do I have an asset inventory of all of my critical server systems and workstation systems? These bits of information can be very helpful if you're ever in a situation where you need to respond to a threat or even just a malfunction in your environment - it's very good to have that information handy.
So you might ask yourself, how do I get a security score? How do I get an S2SCORE? Loffler provides five different ways that we can help you with that.
1. A self-assessment
Our vendor partner, SecurityStudio, has made available a free version of the S2SCORE, available completely for free. Some people find that that's a little bit of a daunting task to go through it. There are a lot of questions in there so we offer some assistance with that.
2. An assisted self-assessment
We would ask our customers to start the process themselves with the free self-assessment and we'll come in and help answer some of the tough questions.
3. A validated assessment
A validated assessment is where our assessors will come in and validate the answers that you've given, validate the responses that you've given and essentially give you an industry standard score. And we also have a method of doing this assessment where we come in and do it all for you and we
can do that in two different flavors.
4. A full assessment
We'll come in and do the assessment as a one-time offering.
5. A vCISO service
We can come in and do the assessment as part of our vCISO or virtual chief information security officer offering and if you do that, we include one assessment along with reassessments throughout the year, during the length of that contract.