ENTERPRISE SECURITY MAGAZINE | APRIL 2018
Back in 2010, cloud computing and hosting was a $24.63 billion industry; it is expected to reach the $117.96 billion mark this year, an increase of around 4.78 times over the last eight years. The big data industry, on the other hand, is likely to grow 5.36 times over the last seven years ($7.6 billion in 2011 to $40.8 billion in 2018). Though inspiring and clear indicators of technology’s penetration into our lives and the many ways we have accepted the luxury it brings, these figures tell only half the story. Technological advancements have also catalyzed another industry, security and vulnerability management, that thrives on the newer challenges an enterprise’s newer technologies bring, and ironically, its growth dwarfs most others. The security and vulnerability management market was worth only $3.4 billion in 2010; this year worldwide spending on security-related hardware, software, and services is anticipated to reach $91.4 billion. That is a staggering 27 times growth. “Vulnerabilities are constantly cropping up every day and enterprises are having a tough time keeping up with them and understanding, from a risk perspective, what vulnerabilities they should remediate, mitigate, or find compensating controls for. We can help companies in identifying their vulnerabilities before they breach any compliance or face any losses,” says Mitchelle Schanbaum, CEO of Specialized Security Services (S3).
Mitchelle and Scott’s cybersecurity firm has had a rather exciting journey that accentuates the value proposition it brings to the market. In 1998, Mitchelle and Scott were working at a New York-based information security company. This enterprise was trying to go public and, overwhelmed by fixed costs, had to file for bankruptcy. It was these events that fired the creation of Specialized Security Services, Inc. (S3). Mitchelle and Scott were confident in striking out on their own; the difference was their relationships with their clients, and that is why Mitchelle states, “It was our clients—with whom we had years of relationships—who wanted to continue working with us, no matter what new name we put on our business cards.” Many companies have stuck with S3 since then. Scott Schanbaum, CIO and EVP of Technology at S3, says, “It is because we do not believe in working through emails. We believe in the old and time-tested ways of face-to-face interaction with a client; we get in the trenches with them.” Since the inception of S3, the firm has been committed to assisting its clients onsite, irrespective of how much time it takes to help them with their challenges. The goal here has never been to simply augment a client’s staff, but to become an extension of it.
The Plano-based enterprise today is recognized as a top-rated boutique cybersecurity consulting firm specializing in consulting, auditing, and implementation of best practices to secure enterprises. Its services are presently branched into three fundamental areas: compliance, engineering services (wherein it performs vulnerability scans), and managed services (where it provides security operations and vulnerability management centers). S3 offers vulnerability management as a service, managing everything from scheduling and performing vulnerability scans, remediation, and risk management to creating vulnerability management programs for clients. It also extends services such as network security policy development, firewall management, security operations center, business resumption planning, incident response planning, governance and risk management, and penetration testing. The vulnerability management program, however, is more than just the Common Vulnerability Scoring System (CVSS) rating that most similar firms provide. The program is tailored to identify the vulnerabilities that pose even the minutest degree of risk to an enterprise. “We see vulnerability management as an element of a bigger narrative, that is, enterprise risk management,” says Mitchelle.
A truth about CVSS ratings is that they fail to address a crucial aspect: a single vulnerability can impact multiple systems, and a base score cannot account for the actual risk of that vulnerability in each individual company. For example, if three companies are affected by a single vulnerability, it can affect each system and company in a different way. Moreover, every CIO or CISO has a different approach to risk acceptance and to when, how, and to what extent technology plays a role in his/her enterprise. The ability to dig down and address every unique business requirement is a strength and core competency of S3. In achieving this goal, S3 endeavours to understand each client’s environment, culture, technology expertise, and operations before suggesting any solution or recommendation or starting an assessment. By doing this, S3 can marry the needs of the business with what information technology and security can bring to the table and make security an integral part of project development. The tools employed for vulnerability assessment depend explicitly on a given business environment and are aligned with that environment’s requirements. This ensures that security and vulnerability management become a regular part of the business process.
Vulnerability remediation, nonetheless, requires more than just an assessment or compensating controls. It mandates identifying not only the vulnerability but also its root cause, and using robust cyber risk governance that encompasses an enterprise’s operations and existing applications. Mitchelle cites a case study to paint a clear picture. In a recent project, a client contacted S3 for assistance in performing an assessment against a requirement that the enterprise perform quarterly vulnerability assessments; the enterprise in question had not performed a vulnerability assessment in years. To make matters worse, the client had failed to prioritize its security and put a robust security patching program in place when it decided to outsource its IT operations. S3’s initial assessment revealed approximately 20,000 vulnerabilities residing on numerous servers, desktops, and networking gear, along with end-of-life software, broken processes, and disparate systems of which the IT department had no knowledge. “How can an IT team manage systems and applications that it doesn’t even know are being used? Enterprises must remember that without an effective cyber risk governance program, even the best of vulnerability management programs will not and cannot work.” S3 went beyond identifying the causes of vulnerabilities, remediating them, and providing compensating controls; it transformed the enterprise culture, creating a viable and sustainable vulnerability management program for the future. S3 encounters many similar customers who come to it with scores of vulnerabilities to be remediated within a limited time frame. S3 has never failed to ensure that its clients fulfil all compliance requirements while understanding and working within the enterprise budget.
It is worth mentioning at this point that many assessments and reports, despite being comprehensive and insightful, fail to trigger the right responses in an enterprise. The main reason is a lack of common terminology among engineers, managers, C-level executives, and board members. For example, an engineer may provide details and approaches for implementing a new firewall that the board members might not comprehend clearly. The fact is, a board member doesn’t necessarily need to know the many details of how to configure a firewall; he/she only needs to know the need for it and the overall value and risk of having or not having that firewall. S3 steps into such scenarios and creates a cyber risk governance blanket that covers the entirety of an enterprise and enables engineers to communicate with board members in a common language, allowing a seamless transfer of facts and insights. This makes it much easier for enterprise decision makers to understand risks and then decide how they want to prioritize each risk.
A testament to S3’s expertise is that it was one of the first companies in the market to be certified by Visa, MasterCard, and American Express to perform PCI security assessments and vulnerability scanning. Scott credits much of the firm’s success to the passionate people who work at S3. He calls the staff a “brain trust” that helps formulate new solutions no one has imagined. “While hiring, we don’t focus merely on a candidate’s academic record and work experience; sex, race, creed, and religion are never factors we consider in forging the S3 family.” The makeup of the enterprise is very diverse because of its strict adherence to including those who fit into the S3 culture of assisting clients on any issue, at any time of the day, and to any extent required. These three elements, he stresses, are the mainstay of the relationship that S3 provides to every client.
Moving forward, S3 anticipates opening new offices in London in the first quarter of 2019. This woman-owned and family-operated enterprise takes pride in having successfully sustained its business without any monetary assistance from venture capitalists. Mitchelle says, “We want to maintain S3 as a legacy that can be passed on to the family. Unlike many in the market, going public and going for an IPO has never been our goal. We don’t want to dilute our focus or commitment toward enabling clients to identify, manage, and remediate vulnerabilities.”