Fixing A Broken Information Security Industry




FRSecure is an information security consulting firm based in Minnetonka, MN. Recognizing that the information security industry is broken, FRSecure has developed tools, services, and teams to help companies of all sizes identify and manage their most critical assets and risks through education and partnership.

We have an ambitious mission at FRSecure: fix the broken information security industry. There are many broken aspects of the way businesses and regulatory industries handle information security across the globe, but most of the problems stem from the lack of a common language among us. As businesses, we all have our own unique ways of doing and talking about information security, and we have our own ideas about the “right” way to do things. Often, we don’t even use the same terminology. If you were to ask seven security professionals what the definition of security risk is, you would get ten different answers. And the regulatory industries have their own definitions to add to the mix. Many of us are expected to adhere to different regulations, causing further disconnect among industry professionals.

So, FRSecure developed a translation.

Many organizations want or need to conduct annual risk assessments. These “surveys” result in a rating that helps the organization understand where it is strong and where it has the most room for improvement. Typically, the assessment is followed by a presentation to a leadership group (read: board of directors). Leadership teams are usually business-minded, not security-minded. They want to know what the team is doing, where they’re trying to go, when and how they need to get there, and, of course, how much it’s going to cost. Many risk assessments fail to provide clear results that can be easily communicated to leadership teams. Knowing this, we decided to speak about security in terms that business-minded people will understand, so we modeled our risk assessment scoring methodology on the standard personal credit score scale (while also mapping the questions to industry regulations).

Using the results of our risk assessment, companies can easily communicate, “We have a 450 today. Our goal is to get over 650 in the next two years. We’ll do [actions] to get there, and it will cost us $[X].” Suddenly, the security team and executives understand each other, and they have recommended remediation items to get where they need to be.

FRSecure has partnered with SecurityStudio to put this methodology, questionnaire, and scoring into a platform that is now free to the general public. By doing so, we can eliminate some of the barriers that exist and currently deter companies from measuring and improving their information security—ultimately fixing this broken industry, one step at a time.
