The document summarizes a roundtable discussion on leveraging security assessments to identify and control risk. Key discussion points included using assessments to obtain an independent view of gaps, prioritize remediation, and justify security budgets. Assessments should extend beyond technology to also evaluate security awareness, physical security, and cloud service providers. While annual assessments are typical, organizations should maintain ongoing awareness of changes to their risk profile. Assessments need to provide forward-looking insights on emerging threats and peer comparisons to effectively communicate risks to leadership.

1. Technology Executives Club
Roundtable / SIG
Cyber Security & Risk Management
“How to Leverage Security Assessments to
Identify & Control Risk”
Meeting Summary
November 6, 2015

2. W. Capra Consulting Group
Topic Overview
1
Leverage security assessments to identify and control risk;
assessments can be used to:
 Increase organizational visibility of identified risks
 Define a baseline standard to measure organization
readiness against established framework(s)
 Conduct assessments with the end in mind
 Provide a basis for a security roadmap and budget
 Leverage third parties to provide credibility to initiatives
to business, senior management and boards
 Integrate into security/risk governance structure

3. W. Capra Consulting Group
Discussion Points (1)
2
What comes to mind when you hear the words “security
assessment”? What does it mean to you?
Predominant View – Security assessments should focus on managing risk
rather than checking the box. Emphasis should be placed on understanding
risk associated with valuable data assets.
Leadership Feedback
1. Assessments can be different based on what you are trying to achieve
2. Understand the valuable data assets that need protecting before
starting an assessment
3. Think about what you want to get out of the assessment
4. Security assessment should include vulnerability assessment,
penetration testing, and compromise investigations
5. BIA (Business Impact Analysis) is needed to put findings in context

4. W. Capra Consulting Group
Discussion Points (2)
3
How do you use assessments in your organization?
Prioritize gaps? Independent perspective on threats
(current and future) and existing vulnerabilities? Input to
security roadmap and budget?
Predominant View – Assessments are used to obtain an independent view
of gaps and provide input to prioritized roadmap. The independent view
helps to justify budget.
Leadership Feedback
1. All of the above apply to each organization
2. Independent gives more validity to findings when meeting with
stakeholders – that’s what they are good at
3. Use assessment to slow the business down – third party risk
assessment to manage shadow IT
4. Assessment findings help to justify innovative solutions and
transformative initiatives (e.g., network re-architecture)

5. W. Capra Consulting Group
Discussion Points (3)
4
Do you leverage a security framework to guide security
within your environment? ISO27k, SANS, NIST, etc.? Does
the framework influence how you approach the security
assessment?
Predominant View – Frameworks are helpful in security and serve as a
good reference. Organizations must understand how to ask the right
questions and verify existing controls match the responses.
Leadership Feedback
1. Each organization used/referenced a security framework to guide risk
management
2. Frameworks are good and you also need to ensure the right questions
are asked
3. Assessments must verify responses – obtain evidence controls are in
place
4. Approach includes obtaining stakeholder sign-off on the findings
and remediation plan
5. Assessments should be performed using tools to detect gaps and
conducting interviews with the right personnel

6. W. Capra Consulting Group
Discussion Points (4)
5
How far do you go to get a good perspective on your risks?
Technology (app – storage), security controls, architecture
review, processes (e.g., Service Desk) susceptible to social
engineering attacks?
Predominant View – Assessments must extend beyond technology to be
effective. Investigation of security awareness and physical security practices are
critical. Threat modeling is important to understand what’s relevant.
Leadership Feedback
1. Focus on user/employee security awareness programs and education that
helps them in their personal life (e.g., safe at home program)
2. Physical assessments becoming more important
3. Push ownership of data to business stakeholders
4. Get past OWASP to using Red Teams and threat modeling
5. Follow up to measure social engineering risk (e.g., phishme)
6. Identify an approach to hold users accountable for poor decisions
(e.g., tie to compensation)

7. W. Capra Consulting Group
Discussion Points (5)
6
What is the right interval to perform assessments?
Annual? Semi-annual?
Predominant View – The consensus view is an annual assessment.
Organizations should perform activities throughout the year to understand
changes to risk profile.
Leadership Feedback
1. Interval is aligned with compliance requirements – annual assessment
2. Objective is to perform formal assessment annually and maintain
updated view throughout the year
3. Annual assessment with monthly follow up and continual external
scans
4. Assessment followed up with monthly CIO, CISO meeting to review
progress

8. W. Capra Consulting Group
Discussion Points (6)
7
Do you include Cloud Service Providers (CSPs) in the scope
of security assessments? Why or why not?
Predominant View – Assessing all partners is critical in today’s IT
environment. IT must work with these partners to ensure they have
the right controls in place – don’t accept generic responses.
Leadership Feedback
1. Question should include ALL providers and business partners
2. Big issue – assessment of partners is critical
3. Include all service providers as this is a potential high risk source
4. Don’t accept partner generic responses to assessment – hold them
accountable to demonstrate effective security
5. Need to include important points that hold partners accountable in the
contract

9. W. Capra Consulting Group
Discussion Points (7)
What are you not getting out of security assessments?
What’s missing? How do you plug the gaps? Technologies?
Processes?
Predominant View - Assessments must be more comprehensive and
forward looking. Peer comparison would be helpful when communicating
with business leadership.
Leadership Feedback
 Good perspective on how risk is evolving (e.g., emerging threats)
 Accurate view of risk in third party assessments
 A good perspective on class comparison – how do you compare with
other organizations in your industry (e.g., gaps, level of risk)
8

10. W. Capra Consulting Group
Questions We Didn’t Get
To Ask…
1. How do you know the security assessment was effective? What
gives you that comfort level? Is it possible to get that comfort
level?
2. Do you use security assessments to manage/address business
leadership/Board perceptions? For example, Target breach
raised Board interest in security.
3. In general, what’s missing in security today? What should we
pay more attention to?
9

11. W. Capra Consulting Group
221 N. LaSalle, Suite 1325
Chicago, Illinois 60601
Security SIG Chairperson:
Matt Beale, Associate Partner, W. Capra mbeale@wcapra.com
(312)972-2433
Technology Executive Club Reference:
www.technologyexecutivesclub.com
www.technologyexecutivesclub.com/securitychicago