The security industry, like many others, has a wide range of terms used frequently, and sometimes interchangeably, which can lead to confusion. A good example is Security Risk Analysis versus Vulnerability Scan. Both are common terms but, for what those services are used for and the intelligence that is gathered through them are quite different.
Security Risk Analysis is a two-step process of analyzing the prevalent risks and assessing what the established security regime is capable of handling. Generally, the term is used when a comprehensive review is conducted to include the technology, process and manpower.
For example, to determine the risk of a natural disaster like a hurricane, a Security Risk Analysis team would look at which physical structures were most at risk and which would become a threat during high winds (such as antennae that could become airborne). They would also complete a thorough review of the protocol employees have been trained to follow during such an emergency, including how often they have been trained. Technology is at risk of physical harm during some situations and a hurricane is certainly one of them. The risk assessment would discover ways that a company’s technology infrastructure could be compromised during a violent storm and, ways it could be protected from such threats with a goal of maintaining business continuity.
Much of the time, a Security Risk Analysis is done by an outside agency and, for mid-to-large sized companies, is done on an ongoing basis as different risk situations are evaluated. The resulting Security Assessment Report aides strategic and operational inputs to improve the overall security regime hence reducing the risks to an acceptable level.
A Vulnerability Scan is a technique of identifying weaknesses in a system. The term is generally associated with computing systems and the modern day vulnerability scan is often an automated detective action taking place on continuous basis.
Recent examples of customer information hacking is the type of risk that a Vulnerability Scan is designed to minimize. With the proper type of programs in place, and updated to the latest version, the threat of a secure computer system being penetrated is reduced. It also requires monitoring by IT professionals who can help the system react to new threats. All of this should be part of a comprehensive vulnerability management plan.
The scans may be run with a particular objective on a defined section or may be on the full system. The vulnerability reports generated from the ongoing scans are utilized to bridge operational gaps in terms of software, equipment, resiliency and other elements.
While there is some confusion about the difference between these two security analysis services, both a Security Risk Analysis and a Vulnerability Scan should be deployed to maximize the intelligence gathered for future protective measures.
Question for comment: Do you think companies are more at risk through their physical or technology assets?Tweet