Setracon acquires OR3M, rebrands

March 16, 2017
Firm's president talks with SIW about the impact of the acquisition on the company moving forward

Earlier this week, Bellevue, Wash.-based security consulting firm Setracon Inc. announced that it has acquired OR3M and subsequently rebranded as Setracon Enterprise Security Risk Management Services.  

According to Setracon President Jeffrey Slotnick, CPP, PSP, the acquisition will enable Setracon to provide a full range of services centered on enterprise security risk management. Although OR3M has historically focused most of its efforts on helping firms improve their organizational resilience, Setracon has been able to take the platforms and specialized software developed by the company and tailor them to fit the risk management needs of the broader market.

One of the key platforms that Slotnick says OR3M brings to the table is vSOCra, which helps to streamline information found in a risk assessment for the end-user, allowing them to view either a high-level overview or a more thorough report about the threats faced by their organizations. Despite the numerous changes, technology and otherwise, that have taken place in the security industry through the years, Slotnick says the way risk assessments are performed remains consistent.   

“In 1988 when I first started in this industry, I would go out to a job site with a clipboard, notepad, camera, light meter, hard hat, vest, and pencil. I would walk around the site, take my notes and I would go back to my office and spend about three days of writing for each day I spent on the site. The result of that would be a 200 hundred some odd page report with a two-and-half page executive summary and five pages of recommendations or mitigations in the back and the customer was always just interested in the front end, the executive summary, and the back end, the five-page mitigation. They weren’t really interested in, nor was easy to locate, all of the important information that was used to make that decision,” Slotnick says.

However, OR3M sat down with security practitioners to determine what information is actually captured in a risk assessment and whether or not this large volume of information could be reduced to data points. What resulted was vSOCra. 

“vSOCra allows you to portray assessment information in a dashboard type format where anybody who wants to see the risk assessment can obtain that information in real time. And they can have very high-level information or they can do a deep dive and find the information that actually created those numbers or data points,” Slotnick explains.

In addition, Slotnick says the platform can help them make changes to the assessment on the fly, enabling organizations to see when and where their risks may have changed depending on the mitigation steps that were taken. 

“When you have a large enterprise assessment where you’re collecting information on multiple locations – once we have that data that’s in the system – we can start taking a look at enterprise snapshots and enterprise risk. We can also start looking at areas of threats where some threats might be higher than others,” Slotnick adds. “When we do a risk assessment, we’re identifying mitigations and through integration with project management software, we can take those mitigations and turn them into a security master plan that’s funded, projected and everything else. As we get done with the mitigation, we can go back into the risk assessment and change our risk rating based on the mitigation that was done.”

Slotnick says the acquisition will also enable them to help clients with their cybersecurity needs with regards to the elements of information security that they may be lacking.

“According to our research, 80 percent of most breaches have a nexus in physical security – someone who surreptitiously entered the facility, gained access to the network or stole a laptop or personal device. These are all physical security issues, not hard hacks where someone penetrated the system,” Slotnick says. “Part of our assessment now looks for InfoSec issues.”

Slotnick says they will also be able to better provide organizations with a comprehensive view of their physical security network and help them align the security function of the company with the business function as the result of bringing OR3M into the company.  

“We can go through our assessment – as we’re walking through buildings and offices – and capture every camera, card reader, and identify their make, model, year it was installed, manufacturer, service-level agreement, last software and firmware update, and all of that various data,” he says. “Most security professionals speak really good security, what we don’t speak is the language of risk and business. The CEO, CFO and COO, they all speak business. So, my ability to portray things in business terms and to align things with the culture and strategy of the organization to show value for what I do is a tremendous benefit.”