Level 3: Assessing Customer Risk for Fun and Profit

By Edward Gately

A comprehensive risk assessment may be the ultimate security sales tool for partners.

It gets you deep insight into the customer’s business, allows you to recommend new security services confidently, and, experts agree, is the crucial first step in getting real about security.

During this Channel Partners Conference & Expo concurrent education session, Chris Richter, Level 3 Communications’ senior vice president of global security services, will discuss developing this capability in-house, options to partner for risk analysis as a service, and top vulnerabilities to watch for.

In a Q&A with Channel Partners, Richter gives a sneak peek of the information he’ll be sharing with partners.

Channel Partners: What are some of the problems that can occur if a company purchases a security offering without first undergoing a risk assessment?

Chris Richter: I have seen countless situations where enterprises overspend on security technology that they don’t have the means to manage. The most effective security [position] a company can have is the result of a comprehensive risk assessment, which, if done correctly, will lead to the proper balance of the right people, the right processes and the right technology. In other words, technology is not the silver bullet; it can’t solve for a lack of employee training or proper governance. Without a thorough risk assessment, a security solution is just a Band-Aid.

CP: How do you go about developing a risk-assessment capability in-house?

CR: It starts with a commitment from the top down to embrace and maintain a security-governance framework. Leadership needs a strong set of security policies and to conduct a review of the company’s security stance. It’s surprising how many organizations don’t know the value of their data or even where it is stored, so we recommend customers conduct an asset inventory. These are just a few of the steps companies should take.

CP: What are some of the pitfalls that can occur when developing a risk-analysis capability, and how can you avoid them?

CR: The weakest link in any security stance is a human. Lack of buy-in from all layers of the organization, lack of proper training — these are the biggest pitfalls to a successful governance program. Complexity is another pitfall; the more a company invests in security, the more people they need. It can get very complicated. Establishing a governance framework (which incorporates a risk management program) is key to avoiding these issues.

CP: Are there challenges to selling security to the C-suite? What skills are needed to successfully sell to them?

CR: Most business leaders understand what’s at stake, but the rising costs of security are simply not sustainable. The equipment, maintenance and staffing needed to defend against escalating and increasingly sophisticated threats can quickly account for 20-50 percent of an IT budget. Striving for simplicity, for a comprehensive governance framework with the right technology to support it, is the most effective way to get senior leaders on board.