A Better Way to Conduct Security Vulnerability Assessments
Why is it that progress comes quickly in some areas of our lives and slowly in others? Consider for a moment that we lived for decades with household items that did not evolve much and were simply viewed as utilitarian goods. Think vacuum cleaners, thermostats, hairdryers, and coffee makers. These were all mundane appliances, which could be found in any middle-class home across America since the 1950s. Yet, these very same items have recently been reinvented and rebranded as luxury accessories (dare we say status symbols) that are priced several times more than their predecessor models. Have we reached a tipping point where any product, especially those considered no-frills (even drab), can be “sexed up” and re-packaged as the exclusive must-have gift of the year? The days of the $900 vacuum cleaner are upon us. And, while product evolution is pricey, it is also widely appreciated by those who use these products to make their everyday tasks easier to perform.
Finally, the security industry has found its version of the Nespresso Coffee Maker – minus George Clooney as a spokesperson. It’s a technology that has been way overdue and, when incorporated, will immediately enhance your security posture. In fact, it’s hard to believe that we in the security profession have gone so long without this innovative tool. But, instead of being an appliance upgrade for the housewives found on the television series Mad Men, it is a modern solution to an old problem that has plagued Security Directors for years. Technology has finally created a systematic way to conduct physical vulnerability assessments more efficiently, effectively and accurately – its name is SOTERIA.
The SOTERIA vulnerability assessment and security project management system is the future of performing threat/vulnerability assessments and managing large-scale security projects for facilities to mitigate risk from both external and insider threats alike.
The Problem with Security Vulnerability Assessments
As any security professional will tell you, physical vulnerability assessments can be tedious, time-consuming, non-standardized, subject to the assessor’s experience level, and often only provide a snapshot in time for the asset or facility being evaluated. Whether it is a government facility (embassies and military bases), critical infrastructure (utilities and telecom), public venues (stadiums and airports), or “soft-target” private sector facilities (office buildings and factories), the need for vulnerability assessments is ever-present. While undoubtedly necessary to the security process, assessment reports can be unreliable and grow outdated too quickly. Furthermore, assessors continue to use cumbersome paper checklists in the field to perform their work, which leads to inaccurate collection, a lack of real-time summary charts, and a delay in report writing time, which can often take weeks or even months.
The most disconcerting aspect of assessments is that security officers do not have the capability to track their asset vulnerabilities in real time. Without a system to monitor identified asset vulnerabilities, an immediate response cannot be deployed, and proper resources cannot be allocated. With SOTERIA, overall assessment time is cut down by 70% and Chief Security Officers (CSOs) can now track all their organization’s facilities live, anywhere in the world, from their office desktop.
SOTERIA: The Future is Now
Named after the Greek Goddess of Intelligence and Safety, SOTERIA is actually an acronym for:
It is an innovative threat and vulnerability assessment software system for security and intelligence organizations. It uses an iOS- and Android-based mobile app for assessors (antiterrorism officers and security professionals) and incorporates a web-based program management platform for CSOs to monitor their organization’s critical assets and global facilities. In layman’s terms, your assessment team members can perform their assessments in the field more quickly using software downloaded onto their smartphone or tablet. This software guides the assessor through a logical process to gather and evaluate the target’s key assets. It allows for consistent collection among users, ensuring that a baseline is established across all of your organization’s facilities. Following the onsite assessment, data can be securely transferred back to the Security Department or Command Post – located thousands of miles away – where a CSO, Security Director, Commander, etc. can monitor his/her entire security enterprise via speedometer indicators, using one single dashboard tied to every location under their command.
Incorporating the CARVER Methodology
Another highly useful feature of SOTERIA is that the collection platform for “racking and stacking” assets is based upon the CIA’s CARVER Target Analysis and Vulnerability Assessment Methodology. CARVER is a globally recognized methodology used extensively by the military, intelligence and law enforcement communities. It is both an offensive and defensive tool which can assess and analyze risk based upon a wide variety of threats and adversaries, as well as analyze potential enemy targets to ensure maximum impact.
CARVER is an acronym for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability.
CARVER is a commonsense methodology that uses both qualitative and quantitative metrics to produce a measurable “likelihood of attack” against an organization’s assets and facilities. It plays an essential role in the protection of critical infrastructure by determining how an adversary could successfully exploit a system’s or an asset’s vulnerabilities. It is the foundation for SOTERIA’s collection and monitoring capabilities. An additional attribute of SOTERIA is the emphasis this system places on “criticality” through a proprietary process that decomposes assets to determine their value to an organization, using targeting criteria consistent with those used by special operations forces to evaluate enemy target sites.
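As an added illustration (this is not SOTERIA’s code, nor code from the book the author cites), the following Python program shows what a CARVER scoring pass looks like from the defender’s side: each component of a facility is scored on the six criteria, the components are ranked into the familiar CARVER matrix, and the highest component score is rolled back up to its facility, which is the decomposition step the paragraph describes. The 1-5 scale, the equal default weighting, the “max” roll-up rule and the sample assets are all assumptions for this example.

```python
"""CARVER-style asset ranking for protection prioritisation.

Added illustration; not SOTERIA's code. The 1-5 scale, the equal default
weighting, the max roll-up rule and the sample assets are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The six CARVER criteria. Each is scored 1 (low) to 5 (high); a higher total
# means a more attractive target and therefore a higher protection priority.
CRITERIA = ("criticality", "accessibility", "recuperability",
            "vulnerability", "effect", "recognizability")
SCALE = (1, 5)  # assumed scoring scale


@dataclass
class Asset:
    name: str
    facility: str           # parent facility this component was decomposed from
    scores: Dict[str, int]  # criterion -> score on SCALE

    def __post_init__(self) -> None:
        # Reject incomplete or out-of-range scorecards so a typo made in the
        # field cannot silently distort the ranking.
        missing = set(CRITERIA) - set(self.scores)
        if missing:
            raise ValueError(f"{self.name}: missing criteria {sorted(missing)}")
        for crit, val in self.scores.items():
            if crit not in CRITERIA:
                raise ValueError(f"{self.name}: unknown criterion {crit!r}")
            if not SCALE[0] <= val <= SCALE[1]:
                raise ValueError(f"{self.name}: {crit} score {val} outside {SCALE}")


def carver_total(asset: Asset, weights: Optional[Dict[str, float]] = None) -> float:
    """Weighted sum of the six scores; every weight defaults to 1 (classic CARVER)."""
    weights = weights or {}
    return sum(asset.scores[c] * weights.get(c, 1) for c in CRITERIA)


def rank_assets(assets: Iterable[Asset], weights=None) -> List[Asset]:
    """Highest total first; ties are broken by name so the output is stable."""
    return sorted(assets, key=lambda a: (-carver_total(a, weights), a.name))


def facility_priority(assets: Iterable[Asset], weights=None) -> Dict[str, float]:
    """Roll component scores back up: a facility is rated by its highest-scoring
    component (the max rule is an assumption of this example)."""
    out: Dict[str, float] = {}
    for a in assets:
        out[a.facility] = max(out.get(a.facility, 0), carver_total(a, weights))
    return out


def carver_matrix(assets: Iterable[Asset], weights=None) -> List[str]:
    """Render the ranked assets as text rows of a CARVER matrix."""
    header = f"{'asset':<18}" + "".join(f"{c[:5].upper():>6}" for c in CRITERIA) + f"{'TOTAL':>7}"
    rows = [header]
    for a in rank_assets(assets, weights):
        cells = "".join(f"{a.scores[c]:>6}" for c in CRITERIA)
        rows.append(f"{a.name:<18}{cells}{carver_total(a, weights):>7g}")
    return rows


# Constructed sample data: two fictional plants decomposed into components.
SAMPLE_ASSETS = [
    Asset("Main transformer", "Plant A", {"criticality": 5, "accessibility": 3,
          "recuperability": 5, "vulnerability": 3, "effect": 4, "recognizability": 4}),
    Asset("Control room", "Plant A", {"criticality": 5, "accessibility": 2,
          "recuperability": 3, "vulnerability": 2, "effect": 5, "recognizability": 3}),
    Asset("Visitor lobby", "Plant A", {"criticality": 1, "accessibility": 5,
          "recuperability": 1, "vulnerability": 4, "effect": 1, "recognizability": 5}),
    Asset("Backup generator", "Plant B", {"criticality": 3, "accessibility": 4,
          "recuperability": 2, "vulnerability": 3, "effect": 2, "recognizability": 2}),
]

if __name__ == "__main__":
    for line in carver_matrix(SAMPLE_ASSETS):
        print(line)
    # Doubling the weight on criticality reflects the emphasis the text
    # describes and changes the order of the lower-ranked components.
    print(facility_priority(SAMPLE_ASSETS, {"criticality": 2}))
```

Run as a script it prints the ranked matrix for the sample plants; the point to notice is that with equal weights the visitor lobby outranks the backup generator, while doubling the criticality weight reverses that, which is exactly the kind of sensitivity a consistent, tool-enforced scoring scale makes visible across facilities.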
Security Project Management Database
If the acronyms don’t give it away, SOTERIA was designed by a team of vulnerability assessment professionals who came from the intelligence community (IC), critical infrastructure protection, and special operations backgrounds… including the “Godfather of CARVER”, Leo Labaj, one of the original co-founders of CARVER back in the late 1960s/early 1970s while a member of the CIA’s Special Activities Division (SAD). The technical coding was performed by software engineers and computer programmers from the space and missile defense technology communities. The experts behind SOTERIA's development are a textbook blend of real-world operators, security specialists, and big-brained software engineers.
Reducing the Cost of Vulnerability Assessments
Before you assume that the SOTERIA system is too high-tech and will break your budget, consider how much you currently spend on performing a security assessment within your own organization, or what it costs to have an assessment performed by an outside consultant. Factor in travel time, report writing time, resource allocation, training, and any other expenses you may encounter. For most major Fortune 500 companies, a single physical vulnerability assessment can cost upwards of USD 100,000, depending upon the size of the enterprise or infrastructure element in question. Now consider how many assessments you wish your team could perform per year for your organization. Undoubtedly, that cost is going to be shockingly high.
Now the good news… the SOTERIA software system can perform an assessment - in 70% less time than current/traditional methods - for as little as $295 per assessment. You read that correctly. Each individual assessment package that you download to conduct your assessment can be performed for under $500! How is this possible? Volume.
Using a three-tier “bronze, silver, gold” pricing model (there is also a customizable platinum option), an organization will have the ability to conduct 20, 35 and 50 assessments per year using the SOTERIA mobile application. Each individual assessment provides a detailed report for the identified critical infrastructure, facility or key asset. The monthly recurring cost of SOTERIA also includes the ability for Security Managers and Security Directors to track and monitor in real time their critical asset vulnerabilities via a web-based backend. The bronze package costs less than $60,000 a year and will provide an organization with the ability to conduct 20 assessments of its own per year. That is far less than what a typical organization currently spends when hiring a third-party company to conduct a single assessment. Talk about a solution that provides massive cost savings and has been long overdue!
Much like other industries being disrupted by technology, the security revolution is not just coming… it is already here. Thanks to the SOTERIA collection and database management system, vulnerability assessment technology has finally caught up to the rest of those previously unsexy appliances in your kitchen!
Luke Bencie is the Managing Director of Security Management International, LLC. He has conducted physical vulnerability assessments in over 100 countries and is the co-author of The CARVER Target Analysis and Vulnerability Assessment Methodology: A Practical Guide for Evaluating Security Vulnerabilities. He can be reached at [email protected]