Invictis has announced the launch of a three-stage risk benchmarking service.
The company said its Invictis Risk Score (IRS) is an intelligence-led, business-driven benchmarking service that gives an enterprise the capability to score and compare its security effectiveness by size, sector or market.
Talking to SC Magazine, Invictis CTO Richard Walters said that the service has three parts. Stages one and two are delivered via the cloud. First, clients fill in a questionnaire to get a top-level traffic-light rating of their posture. They then move to stage two, a deeper look at their products, which drills down into targets and management.
At stage three they receive a comparison: not just a report on average success, but a comparison against other respondents' answers. If something unusual is found, Invictis will let the customer know.
He said: “Stages one and two are free of charge and you can take this as frequently as you like. At the end of stage two you get a number and in stage three, we share how you compare against others in your sector or against the UK as a whole.
“Some people are spending too much on security but most spend too little, so it may find that they are spending too little on vulnerability management compared with patch management. Stage three gives this detail. This takes into consideration ISO 27001 and also UK and vertical-specific legislation.
“After stage three, we explain how they compare and what state they are in in terms of a risk profile. We do not recommend software and are vendor-agnostic; it is up to them to select technology that has preventative controls. But our language is about risk, and if they want advice on vendors we will tell them who the leaders are, but that is all.”
The frontend is web-based and collates internal and external audit information, while sophisticated backend processes take into account additional horizontal and vertical sector-specific factors.
Key areas examined include: the philosophical approach to information security; risk appetite; strength and completeness of security policies; certifications and accreditations; specific business activities; internal security awareness; thoroughness of education programmes; use of technical controls; testing and validation regimes; and planned projects.
A dynamic mathematical risk model computes and processes the results to generate a risk score indicative of the security posture of the enterprise in a real-world context.
Walters said that IRS confers a number of business advantages. By allowing the enterprise to rank its effectiveness and ensure its security budget is in line with sector levels, it is possible to identify potential areas of under-investment and over-expenditure, target resources and focus spend.
“IRS allows an organisation to really grasp where they stand in their industry and how they compare with peers and competitors. That kind of data is invaluable in today's market where budgets are tight, so resources and future investment need to be focused, and where the cyber threat is becoming more of an issue, with sophisticated attacks specifically targeting individuals and the board of companies in particular sectors,” he said.