NEW Broadgate Product Launch: “Assurity”

Posted on : 30-06-2015 | By : john.vincent | In : Cyber Security, Innovation


Since forming Broadgate in 2008 we’ve helped a number of our clients in addressing the challenges posed by the increased internal and external security threat to their organisation and data. Our projects have included deployment of Malware threat platforms, Data Loss Prevention implementation, Cyber Intelligence and Identity and Access Management solutions.

Our experience during this time was that there is a need for a more business-focused approach, so we developed our own assessment methodology, which we have now officially launched as a product called ASSURITY. The product addresses three key challenges facing us today:

1) Understanding your business critical assets

2) Calculating your risk exposure

3) Prioritising areas requiring focus and investment

The product is differentiated in the market not only through its comprehensive inputs and modelling, but also by providing quantitative analysis in the form of a Cyber Value at Risk.

ASSURITY is a three-step process, as outlined below:

Assurity assessment methodology

Step 01

We profile the organisation from many different data points. This is a critical part of the process as it allows for a more meaningful assessment of the actual risk. C-level executives can use the product to inform their change programme and investment decisions. It is an iterative approach during which the relative weightings for each criterion are reviewed and discussed with the client to carefully understand the business risk appetite.

Step 02

The assessment is conducted by ingesting a number of different sources from documented artefacts, processes, data and technology into the Assurity product. From this we can assess the current maturity level, a quantified risk level, the potential impact to an organisation of a data breach or security event and also the likelihood of it occurring.

Step 03

The results of the assessment are presented in a form which clearly shows the focus areas for investment or change, or where the organisation is protected at the appropriate level. We map the results to the GCHQ 10 Steps for security and translate them into language which allows C-level executives to make informed decisions.

What are the benefits of ASSURITY?

1) Information security assurance – Demonstrating to your clients, suppliers, regulators, shareholders and insurers

2) Optimising security budgets – Avoiding unnecessary investments typically results in a 30% reduction in redundant operational security expenditure, support and maintenance

3) Qualified cyber value at risk – Financial value of corporate assets at risk is defined for input into broader business risk modelling

4) Improved compliance – Security health check defines current information security level

 

In the ASSURITY report, we focus on four main areas:

Cyber At Risk Score

The Cyber At Risk Score takes a number of internal and external feeds to create a value from which organisations can have a more informed discussion regarding the likelihood of a security breach. We use this across the product to help quantify the impacts against the profile of the organisation.

Gap Analysis against Target Maturity

During the profiling stage we determine the appropriate maturity benchmark for the organisation. This can be based on the internal risk appetite, industry average or other determining factors, and is used to identify shortfalls and strengths and to focus attention and investments.

Maturity Assessment Heatmap

Here we plot the scores from 10 assessment areas against the Likelihood and Impact of an event. Importantly, we also assign a quantified value at risk which we have determined through the profiling exercise and the current maturity level. This allows C-level executives to target and prioritise the investment areas.

Strategic Roadmap

The output from the ASSURITY product also forms the basis for the required change programme. We split the initiatives into Quick Wins, which have the most immediate impact or target the most vulnerable areas. We also provide the long-term remediation plan and ongoing continuous improvement projects to meet the required target baseline.

The ASSURITY product differentiates itself from other methodologies by being the most complete and accurate assessment that organisations can undertake to really understand their security risk exposure.

If you would like to find out more about the product and to arrange a demo, please contact jo.rose@broadgateconsultants.com or call 0203 326 8000 to speak to one of our security consultants.

 

Obtain value from your cyber security investments

Posted on : 27-05-2015 | By : richard.gale | In : Cyber Security


Protecting against cyber-attacks is starting to feel like throwing money into a bottomless pit. Gartner estimates that five percent of all IT spend is now consumed by security technology and solutions. But just how much money should a firm spend to protect itself? What is good enough? The answer is that ‘it depends’…

There is a cost to providing a level of security and there is a cost of a breach. Weighing up those costs and the likelihood of something happening is not always straightforward. The impact of a data loss can be very difficult to assess. The recent Sony breach had varying estimates exceeding $100m, which have now been quietly downgraded to $15m in ‘investigation and remediation costs’ according to Sony’s financial statements. $15m still buys plenty of protection, but even if it actually ends up double that, it represents less than 2% of Sony’s sales in 2014.

Other very public data breaches involving millions of credit card holders (Target & Home Depot in the U.S.) have an impact on the consumer but the actual effect on the organisation is limited and is usually at least partly covered by insurance.

So is there any point spending more money on cyber protection? Over the years we have performed a large number of security assessments for our clients across a range of business sectors. We have often found that there are relatively high levels of spending, but maybe not in the right areas, with a focus on technology solutions rather than incorporating people and processes.

The other significant findings are:

  • The likelihood and value of loss are very difficult to calculate
  • The impacts, consequences and counter-measures are described in technical rather than business terminology

What we have been working on over the last few months is distilling the data from our previous assessments and building it into a robust process to assess an organisation’s risk profile, quantifying the risks and costs of loss to help the board understand the current state of the organisation. We can then construct a road map with measurable steps to the desired improved state.

Next month we are launching Broadgate’s new assessment product. We are very excited as we feel it provides a bespoke, business-related 360 security view of an organisation. It is based on the existing standards (such as ISO27001, UK Government’s Ten steps, Cyber Essentials, SANS 20) to provide a solid basis for the analysis. Broadgate’s unique security assessment methodology incorporates a “Cyber value at risk”, which draws on the anonymised data from previous assessments and is based on a number of your features, including business, sector and market size, as well as factors such as the board’s media profile and public perception.

Our solution clearly explains the current status, risks and likely impacts. It also incorporates potential improvement measures and solutions, with measures of success in clear business language. This enables senior executives to make informed, relevant investment decisions, extracting the maximum value from cyber security.

Next month we will cover the product in more detail and are aiming to make a summary version, with historic data, available on our website for you to try. If you would like more information or a pre-release trial please contact Kerry Housley