Symantec acquires automated risk assessment firm

When we started getting into this, we realized that organizations were about to face the convergence of security issues, privacy issues and increasing regulatory oversight. Chris Parker CEO4FrontSecurity Inc.

The duo developed a set of automated risk analysis and security management tools about five years ago, and their efforts haven't gone unnoticed. Thursday security giant Symantec Corp. said it acquired the vendor and plans to incorporate the tools as separate modules within the Control Compliance Suite.

Terms of the deal have not been released. Parker said Symantec approached 4Front "to bring new tools to capture and track procedural controls and measure them against a variety of industry best practices and standards.

"When we started getting into this, we realized that organizations were about to face the convergence of security issues, privacy issues and increasing regulatory oversight," Parker said. "We felt that this was going to become a very complex and costly aspect of operating a business."

Parker will continue to work with the tools as senior manger of product management and Crutchley is being brought on as senior manager of software engineering as part of Symantec's Security and Compliance Management group.

Parker and Crutchley used a $100,000 investment from the Herndon, Va.-based Center for Innovative Technology to develop a framework around a library of content that organizations could use to measure performance and assess business risk.

Risk analysis: How to conduct a risk analysis: In this installment of the Risk Management Guide, Shon Harris provides step-by-step instructions on conducting a risk analysis. How to define an acceptable level of risk: Contributor Shon Harris explains how to define an acceptable level of risk and provides an example of how three different corporations may respond to the same technology based on individual risk. Compliance: Myths, mistakes and management advice: Keeping organizations continuously compliant with multiple complex and ever-changing regulatory requirements remains a challenge for many infosec pros. Multi-dimensional enterprise-wide security: Define risks: Learn how to protect information assets and resources within all areas of the enterprise and in compliance with all regulatory, policy and contractual requirements.

4FrontSecurity's offerings include Assessment Manager, auditing software that helps a company perform a self assessment based on risk management best practices; Asset Risk Calculator, which helps companies understand the value of their hardware and software assets; and Policy Assistant, which provides companies with a group of generic policy templates to be applied in specific situations.

Parker said his company's goal has been to help CSOs understand their businesses from a security and business perspective, and communicate that message to upper management, as well as eliminating the need for costly consultants and reduce the time it takes to understand whether systems need to be changed to meet new regulations.

Parker added that the business has grown to about 20 customers.

"We created something that was highly effective, but as a small business, scaling that business was the next challenge," Parker said. "We always believed that we were filling a gap that a lot of organizations had not addressed."

Risk analysis tools solve part of the problem

Parker and Crutchley tapped into a growing market. Risk assessment has been a rising trend since a number of regulations, including the Health Insurance Portability and Accountability Act (HIPPA), began requiring firms to build a security plan based on a risk analysis.

Rebecca Herold, an independent consultant focusing on information security and risk analysis, said the human factor is important whenever analyzing risk at a company. While risk assessment tools are helpful when conducting an analysis, she said they cannot be a substitute for conducting a full range of assessment activities.

"Automated tools can definitely help information security and compliance leaders to understand where they're at," Herold said, "but a certain amount of risk assessment analysis has to be done by humans."

Most companies have unique contractual requirements that make risk analysis more difficult to conduct. She said no risk tool can cover the gamut of unique issues.

"The person who buys an analysis tool needs to understand the scope of the issues addressed by the tool and compensate for the gaps that the tool provides and organization needs to address," Herold said.