Security risk assessment has been a growing market niche in recent
years, and few know it better than Chris Parker and Steve
Crutchley, co-founders of Reston, Va.-based 4FrontSecurity.
"When we started getting into this, we realized that organizations
were about to face the convergence of security issues, privacy
issues and increasing regulatory oversight."
Chris Parker, CEO, 4FrontSecurity Inc.
The duo developed a set of automated risk analysis and security
management tools about five years ago, and their efforts haven't
gone unnoticed. On Thursday, security giant Symantec Corp. said it
acquired the vendor and plans to incorporate the tools as separate
modules within the Control Compliance Suite.
Terms of the deal have not been released. Parker said Symantec
approached 4Front "to bring new tools to capture and track
procedural controls and measure them against a variety of industry
best practices and standards."
"When we started getting into this, we realized that
organizations were about to face the convergence of security
issues, privacy issues and increasing regulatory oversight," Parker
said. "We felt that this was going to become a very complex and
costly aspect of operating a business."
Parker will continue to work with the tools as senior manager of
product management, and Crutchley is being brought on as senior
manager of software engineering as part of Symantec's Security and
Compliance Management group.
Parker and Crutchley used a $100,000 investment from the
Herndon, Va.-based Center for Innovative Technology to develop a
framework around a library of content that organizations could use
to measure performance and assess business risk.
4FrontSecurity's offerings include Assessment Manager, auditing
software that helps a company perform a self-assessment based on
risk management best practices; Asset Risk Calculator, which helps
companies understand the value of their hardware and software
assets; and Policy Assistant, which provides companies with a group
of generic policy templates to be applied in specific
situations.
Parker said his company's goal has been to help CSOs understand
their businesses from a security and business perspective and
communicate that message to upper management, as well as to
eliminate the need for costly consultants and reduce the time it
takes to understand whether systems need to be changed to meet new
regulations.
Parker added that the business has grown to about 20
customers.
"We created something that was highly effective, but as a small
business, scaling that business was the next challenge," Parker
said. "We always believed that we were filling a gap that a lot of
organizations had not addressed."
Risk analysis tools solve part of the problem
Parker and Crutchley tapped into a growing market. Risk
assessment has been a rising trend since a number of regulations,
including the Health Insurance Portability and Accountability Act
(HIPAA), began requiring firms to build a security plan based on a
risk analysis.
Rebecca Herold, an independent consultant focusing on
information security and risk analysis, said the human factor is
important whenever risk is analyzed at a company. While risk
assessment tools are helpful when conducting an analysis, she said
they cannot be a substitute for conducting a full range of
assessment activities.
"Automated tools can definitely help information security and
compliance leaders to understand where they're at," Herold said,
"but a certain amount of risk assessment analysis has to be done by
humans."
Most companies have unique contractual requirements that make
risk analysis more difficult to conduct. She said no risk tool can
cover the gamut of unique issues.
"The person who buys an analysis tool needs to understand the
scope of the issues addressed by the tool and compensate for the
gaps that the tool provides and the organization needs to address,"
Herold said.