Security Culture
5 automated security scanners
Security Awareness Program
Purpose: The Security Awareness Program Scanner evaluates the security culture and awareness program of a given domain by analyzing various aspects such as job postings, employee sentiment, phishing simulation evidence, vendor partnerships, and company website content. This assessment helps organizations identify gaps in their security training and implement necessary improvements.
What It Detects:
- Job Postings: Identifies whether job postings require or mention security awareness training and analyzes job titles for keywords related to security roles.
- Employee Sentiment: Evaluates employee sentiment on Glassdoor regarding the company’s security culture and awareness programs.
- Phishing Simulation Evidence: Searches for evidence of phishing simulation programs within the domain.
- Vendor Partnerships: Detects partnerships with security training vendors and analyzes content from their sites to assess their relevance and quality.
- Company Website Content: Searches for security awareness materials on the company’s website, including blog posts, articles, and videos.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
Business Impact: This scanner is crucial as it helps organizations assess their internal security culture and awareness programs, enabling them to identify gaps in training and take proactive measures to improve the overall security posture of the organization.
Risk Levels:
- Critical: The scanner identifies critical findings such as job postings not requiring or mentioning security awareness training, lack of a dedicated security team, and absence of regular training schedules.
- High: High severity issues include low employee engagement in security matters reflected through negative Glassdoor reviews and minimal evidence of phishing simulation programs within the company’s operations.
- Medium: Medium severity includes subpar vendor partnerships indicated by vendors with limited or irrelevant content, and a lack of prominent security awareness materials on the company website.
- Low: Low severity findings pertain to basic informational indicators such as absence of executive level security messaging in company communications.
- Info: Informational findings are indicative of minimal security culture within the organization, including no specific mention of security training requirements in job postings and limited evidence of proactive security measures on the company’s website.
Example Findings:
- A company may have critical issues if their job listings do not mandate or suggest any form of security awareness training.
- High severity might be indicated by widespread negative reviews about the company’s handling of cybersecurity matters on Glassdoor, suggesting a lack of proactive measures to improve employee engagement and understanding in these areas.
Executive Security Leadership
Purpose: The Executive Security Leadership Scanner evaluates the security tone, resource allocation, and risk ownership within an organization by analyzing public records and open-source intelligence (OSINT) sources. This tool aims to identify whether executive leadership is actively involved in security matters, allocates adequate resources, and takes ownership of risks.
What It Detects:
- Security Tone Analysis: The scanner tests for the presence of strong security language and commitment from executives, checks for regular updates on security initiatives and progress, verifies executive involvement in security strategy formulation, detects statements indicating a proactive approach to cybersecurity, and flags lack of visible executive leadership in security.
- Resource Allocation Indicators: It tests for mentions of budget allocation for cybersecurity, looks for descriptions of dedicated security teams or departments, verifies investment in security tools and technologies, detects partnerships with third-party security vendors, and flags underfunding or minimal resource allocation.
- Risk Ownership Statements: The scanner tests for explicit statements of risk ownership by executives, checks for accountability measures and incident response plans, verifies executive commitment to addressing identified risks, detects proactive risk management strategies, and flags lack of clear risk ownership and accountability.
- Security Incident Handling: It tests for detailed descriptions of security incidents and responses, checks that breach disclosures are transparent, verifies executive involvement in incident response, detects lessons learned from past incidents, and flags vague or non-transparent handling of security incidents.
- Certification and Compliance Claims: The scanner tests for claims of compliance with industry standards (e.g., SOC 2, ISO 27001), checks for certifications held by the organization, verifies adherence to regulatory requirements, detects third-party audits and assessments, and flags unsubstantiated or vague compliance claims.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- company_name (string): Company name for statement searching (e.g., “Acme Corporation”)
Business Impact: This scanner is crucial as it helps in assessing the commitment and effectiveness of executive leadership towards cybersecurity within an organization. It provides insights into how seriously the top management takes security matters, which directly impacts the overall risk posture and compliance with industry standards.
Risk Levels:
- Critical: Findings that indicate a severe lack of security engagement from executives, such as no mention of cybersecurity in public statements or absence of any documented security strategy.
- High: Issues where resources are inadequately allocated to cybersecurity, leading to potential vulnerabilities and risks not being adequately managed (e.g., insufficient budget allocation).
- Medium: Weaknesses in risk management practices that could lead to moderate risks if not addressed promptly (e.g., unclear risk ownership or lack of incident response plans).
- Low: Informal language regarding security matters, underfunded initiatives, or minimal engagement from executives, which may indicate a less critical issue but still needs attention for continuous improvement.
- Info: Non-specific statements about cybersecurity without concrete details that could be considered informational unless corroborated by other indicators of inadequate security practices.
Example Findings:
- “The CEO’s latest annual report mentions only generic terms about ‘cybersecurity posture’ with no specifics, indicating a lack of detailed engagement.”
- “There are no public statements regarding the allocation of cybersecurity budgets or dedicated teams, suggesting underfunding and neglect in this area.”
Security Champions Program
Purpose: The Security Champions Program Effectiveness Scanner is designed to evaluate and enhance the effectiveness, coverage, and engagement of a company’s security champions program. By analyzing internal documentation, public policies, trust center information, and compliance certifications, this scanner helps ensure that the program is robust, well-distributed, and actively contributing to the organization’s security posture.
What It Detects:
- Policy Indicators: Identifies mentions of key security policies such as “security policy,” “incident response,” “data protection,” and “access control” in company documentation.
- Maturity Indicators: Detects references to compliance certifications and maturity models like SOC 2, ISO 27001, penetration testing, and vulnerability scanning.
- Program Coverage: Evaluates the geographical or departmental coverage of the security champions program by looking for mentions of specific regions, teams, or roles within the organization.
- Engagement Metrics: Assesses the level of engagement through indicators such as training sessions, participation rates, and reported incidents handled by security champions.
- Documentation Quality: Checks for the presence and quality of documentation related to the security champions program, including guidelines, best practices, and reporting mechanisms.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- company_name (string): Company name for statement searching (e.g., “Acme Corporation”)
Business Impact: This scanner is crucial as it helps in assessing the effectiveness and coverage of a company’s security champions program, which directly impacts the overall security posture of the organization. By identifying gaps or areas needing improvement, the program can be refined to better protect sensitive information and ensure compliance with regulatory standards.
Risk Levels:
- Critical: Conditions that could lead to severe consequences such as significant data breaches or non-compliance with critical security policies.
- High: Conditions that pose a high risk of compromising security, including but not limited to unauthorized access attempts or inadequate incident response mechanisms.
- Medium: Conditions that may lead to moderate risks if left unaddressed, affecting the program’s efficiency and effectiveness in managing security risks.
- Low: Informal findings that do not significantly impact security posture but could benefit from improvement for better compliance and practices.
- Info: General information or observations that are useful for awareness but do not directly affect security risk levels.
Example Findings:
- The absence of a clear “security policy” document in the company’s intranet, which may lead to inconsistent application of security measures across different departments.
- Inadequate mention of compliance certifications like ISO 27001 within internal reports and documentation, indicating potential gaps in understanding regulatory requirements.
Security Reporting Culture
Purpose: The Security Reporting Culture Scanner evaluates incident reporting, near-miss reporting, and feedback loops within an organization to ensure a robust security culture. It assesses whether there are adequate mechanisms for reporting incidents, treating near misses as learning opportunities, and providing continuous improvement based on incident reports.
What It Detects:
- Incident Reporting Mechanisms: Identifies the presence or absence of formal incident reporting channels, checks for documented procedures for reporting incidents internally, and verifies availability of contact information for security teams.
- Near-Miss Reporting Processes: Searches for guidelines on near-miss reporting, evaluates whether near misses are treated as learning opportunities, and assesses the documentation and tracking of near-misses.
- Feedback Loops and Continuous Improvement: Looks for mechanisms to provide feedback on security incidents, checks if there are processes in place for continuous improvement based on incident reports, and verifies the presence of post-incident reviews or audits.
- Security Policy Documentation: Scans for comprehensive security policies covering various aspects like data protection, access control, and incident response, evaluates their accessibility and clarity, and checks for references to compliance certifications (e.g., SOC 2, ISO 27001).
- Public Policy Pages and Trust Center Information: Analyzes public-facing policy pages for transparency in security practices, reviews trust center information for detailed incident response procedures, and verifies the presence of compliance certifications on these pages.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com). This input is necessary to scan the company’s website for security documentation and policy pages.
- company_name (string): Company name for statement searching (e.g., “Acme Corporation”). Used in search queries to identify relevant documents and policies related to the organization.
Business Impact: The effectiveness of an organization’s incident response, near-miss handling, and feedback mechanisms directly impacts its ability to detect and mitigate security vulnerabilities promptly, thereby reducing the risk of potential breaches and safeguarding sensitive information.
Risk Levels:
- Critical: Conditions that pose a significant threat to organizational security, such as lack of documented incident reporting procedures or absence of clear contact points for security issues.
- High: Conditions that indicate a high likelihood of security incidents or vulnerabilities not being addressed in a timely manner, including inadequate near-miss reporting processes or incomplete feedback loops.
- Medium: Conditions that may lead to moderate risks if left unaddressed, such as unclear security policies or limited access to incident response procedures.
- Low: Informational findings that do not directly impact security but could be indicative of a less mature security culture, such as the presence of compliance certifications without detailed documentation on their implementation.
Example Findings:
- The organization lacks a formal incident reporting channel documented in its internal procedures.
- There are no guidelines for near-miss reporting, and past incidents have not been reviewed systematically for improvement initiatives.
Security Decision Making
Purpose: The Security Decision Making Scanner is designed to evaluate and analyze the internal security policies and risk management strategies of organizations. It aims to identify gaps in security considerations and risk management strategies by detecting key indicators such as security policy documents, maturity certifications, compliance with standards like SOC 2 or ISO 27001, mentions in public policy pages, and comprehensive information in trust center sections.
What It Detects:
- Policy Indicators: Detection of key security policy documents including “security policy,” “incident response,” “data protection,” and “access control.”
- Maturity Indicators: Identification of certifications that suggest a mature security posture, such as SOC 2, ISO 27001, penetration testing, and vulnerability scanning.
- Compliance Certifications: Verification of compliance with certifications like SOC 2 or ISO 27001 in company documentation.
- Public Policy Pages: Analysis of public policy pages for mentions of security practices and risk management strategies.
- Trust Center Information: Examination of trust center information to ensure it includes comprehensive security measures and incident response plans.
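As an added illustration, not the scanner's own code, the Python below shows the shape of the policy and maturity indicator checks that both this section and the Security Champions Program section describe: it scans text gathered from a domain's public pages for the indicator phrases listed above and turns gaps into findings with a risk level. The indicator phrases come from this page; the sample page text, the `Finding` type, and the severity assigned to each gap are assumptions (missing key policy documents is taken as High, matching the Risk Levels below).

```python
"""Indicator-based documentation scan (illustrative, not the product's code)."""
import re
from dataclasses import dataclass

# Indicator phrases taken from the "What It Detects" lists on this page.
POLICY_INDICATORS = ("security policy", "incident response", "data protection", "access control")
MATURITY_INDICATORS = ("soc 2", "iso 27001", "penetration testing", "vulnerability scanning")

# Assumed severity rubric for gaps (the page lists the levels; the mapping is ours).
SEVERITY_MISSING_POLICY = "High"    # page: "missing key policy documents" is High
SEVERITY_NO_MATURITY = "Medium"     # assumption: no certification/testing evidence at all
SEVERITY_PRESENT = "Info"           # assumption: baseline observation, not a risk
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Info")


@dataclass(frozen=True)
class Finding:
    severity: str
    indicator: str
    detail: str


def _pattern(indicator: str) -> re.Pattern:
    """Match the phrase case-insensitively, tolerating 'SOC2' / 'SOC-2' / 'SOC 2' spellings."""
    parts = [re.escape(p) for p in indicator.split()]
    return re.compile(r"\b" + r"[\s-]*".join(parts) + r"\b", re.IGNORECASE)


def find_indicators(text: str, indicators) -> dict:
    """Return {indicator: occurrence count} for one body of text."""
    return {ind: len(_pattern(ind).findall(text)) for ind in indicators}


def scan_documentation(pages: dict) -> list:
    """pages maps URL -> page text. Produces one finding per missing policy
    indicator and one summary finding for the maturity indicators."""
    combined = "\n".join(pages.values())
    policy = find_indicators(combined, POLICY_INDICATORS)
    maturity = find_indicators(combined, MATURITY_INDICATORS)
    findings = []
    for ind, hits in policy.items():
        if hits == 0:
            findings.append(Finding(SEVERITY_MISSING_POLICY, ind,
                                    f'No mention of "{ind}" across {len(pages)} page(s)'))
    present = [ind for ind, hits in maturity.items() if hits]
    if present:
        findings.append(Finding(SEVERITY_PRESENT, "maturity",
                                "Maturity indicators present: " + ", ".join(present)))
    else:
        findings.append(Finding(SEVERITY_NO_MATURITY, "maturity",
                                "No compliance or testing indicators found"))
    return findings


def overall_severity(findings) -> str:
    """Highest severity among the findings; Info when there are none."""
    for level in SEVERITY_ORDER:
        if any(f.severity == level for f in findings):
            return level
    return "Info"


# Constructed sample pages standing in for a domain's trust center and security page.
SAMPLE_PAGES = {
    "https://example.com/trust": (
        "Our Trust Center describes our data protection commitments. "
        "We complete an annual SOC2 Type II audit and hold ISO 27001 certification."
    ),
    "https://example.com/security": (
        "Report a vulnerability to security@example.com. "
        "Our incident response team reviews every report within one business day."
    ),
}

if __name__ == "__main__":
    results = scan_documentation(SAMPLE_PAGES)
    for f in results:
        print(f"[{f.severity}] {f.indicator}: {f.detail}")
    print("Overall:", overall_severity(results))
```

On the sample pages the scan reports two High findings (no "security policy" and no "access control" mention), records SOC 2 and ISO 27001 as present, and rates the domain High overall; a real scanner would also weigh where a phrase appears (a dedicated policy page versus a passing mention), which this sketch does not.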
Inputs Required:
- domain (string): Primary domain to analyze, e.g., acme.com. This input is crucial for the scanner to gather relevant documentation from the specified website.
- company_name (string): Company name for statement searching, e.g., “Acme Corporation.” This helps in identifying and locating specific security policies and statements related to the company.
Business Impact: Ensuring that organizations are making informed decisions regarding their security posture, compliance, and incident response is critical as it directly impacts the overall trust and reliability of the organization in a digital world where data breaches and cyber threats are increasingly common.
Risk Levels:
- Critical: Conditions that could lead to severe vulnerabilities or non-compliance with critical security standards, potentially resulting in significant data loss or exposure.
- High: Issues that pose high risk to the organization’s security posture, such as inadequate incident response plans or missing key policy documents.
- Medium: Findings that are important but may not directly lead to severe consequences, requiring attention for continuous improvement and compliance.
- Low: Informative findings that provide insights into areas of strength in the organization’s security strategy but do not pose immediate risks.
- Info: General information about existing policies or practices that offer a baseline understanding but are not critical by themselves.
Example Findings:
- A company has no documented “security policy” despite being involved in sensitive data handling and exchange, which could lead to significant compliance issues and potential legal repercussions.
- The trust center lacks detailed information on security measures, indicating a gap in public transparency about the organization’s cybersecurity practices.