Scott Schanbaum, Co-founder and CTO
Deploying competent cybersecurity measures for an organization has never been more challenging for CIOs. Not only do they have to convince their CEO’s and board members to prioritize both security initiatives and the budget required to develop and maintain them, but they also must be constantly looking five steps ahead. Criminal syndicates are developing more complex hierarchies, partnerships and collaborations that mimic large private sector organizations or are part of the crime-as-a-service for government backed initiatives. Further, CIOs must stay on top of the fast-changing technology landscape to understand and mitigate the cybersecurity threats that accompany new technologies, all while under immense pressure to comply with a bevy of ever-changing regulations. By developing and maintaining custom-tailored cybersecurity programs, Specialized Security Services, Inc. (S3) addresses these concerns by ensuring their clients’ cybersecurity programs are appropriate for their organization, effective and efficient.
S3 supports CIOs with navigating the balance between cybersecurity and compliance by assisting them in making long term, scalable choices rather than reactionary, short-term fixes. “We do this by working with each CIO as an individual, understanding the company’s goals and challenges through their eyes. We listen and do not dictate. We work with our clients as their security partner. Their challenges and goals become ours to ensure their success,” explains Scott Schanbaum, the co-founder and CTO at S3.
With more than thirty industry certifications in systems security, administration and engineering, Scott Schanbaum has been, and continues to be, instrumental in developing collaborative relationships with clients. He is often asked to sit on Executive Boards to assist with their Information Security Programs. With nearly three decades of experience in all phases of cybersecurity, information technology security, privacy, and regulatory compliance, his areas of expertise include identifying system shortfalls, assessing and implementing solutions, as well as managing complex security requirements for clients. Scott Schanbaum and the S3 team provide trusted advice and project management in all areas of information security including, but not limited to, risk management, incident response, policy and procedure development, security architecture, secure payment solutions, ASV, PCI, NIST, HIPAA and HITRUST compliance. “S3 bridges the gap between your business goals, cybersecurity needs and compliance requirements to become your trusted and valued security partner for life,” mentions Scott Schanbaum.
Top-Rated Boutique Information Security Consulting Firm
For over two decades, S3 has successfully assisted organizations with the implementation and oversight of their information security, privacy, and regulatory compliance programs. S3's journey began in 1998, when Scott and Mitchelle Schanbaum, the co-founder and CEO, were working at a New York-based Information Security Company. The enterprise was trying to go public, but the overwhelming fixed cost made it file for bankruptcy. Establishing S3, the duo was confident in striking out on their own—committed to making a difference by cultivating their strong relationships with clients.
As Mitchelle recalls, "It was our previous clients—with whom we had years of relationships—who wanted to continue working with us when we started the company." Many of these companies remain partners with S3 since then, as the company believes in face-to-face interactions and exceptional customer service.
We take the fear and complexity of the situation out of the equation by breaking down actionable steps to provide our clients with a cybersecurity roadmap that is attainable
Today, they are a woman-owned, global cybersecurity firm with headquarters in both Dallas, TX and Europe, that has grown on their foundation of consistency and partnership. To this end, the company plays the role of a steady partner, helping clients to implement a solid cybersecurity practice that is scalable and will sustain for the long term. “We take the fear and complexity of the situation out of the equation by breaking down actionable steps to provide our clients with a cybersecurity roadmap that is attainable,” mentions Scott Schanbaum.
S3 bridges the gap between clients' business goals, cybersecurity needs, and compliance requirements to become the client's trusted and valued security partner. Forming relationships with clients that transcend mergers, acquisitions, staff changes and careers. “This industry is well connected. Many of our clients contact us when they take new roles at other companies and bring us with them. We are proud and flattered that they trust us enough to introduce us to their new companies and assist them with a brand-new set of unique challenges. It really enforces our commitment to nurturing long-term relationships with our clients,” says Scott Schanbaum.
S3's services are branched into six areas: Compliance Assessments, Vulnerability Management Services, Penetration Testing, Security Consulting, Security Assessments and Security Operations Center.S3 is also committed to staying at the forefront of industry developments, researching emerging technologies and understanding how they may impact their clients’ information security programs. The company is currently working on obtaining its CSA Star Certification for cloud environments and expanding its ISO Certification business.
The company also prioritizes professional development—keeping their skills fresh and current by yearly recertifications including PCI, ASV and HITRUST. As well as exploring new challenges and providing solutions such as API testing, which Scott recently presented at the ISACA CACS North America Convention to a record-breaking crowd. “The key is to take a very complex security risk, learn all you can about it and then break it down into something simple and easy to understand. Once you do that, it makes it much easier to master and identify potential security risks.” Says Scott Schanbaum.
Marrying IT with Information Security for Vulnerability Scanning
We asked Scott to comment specifically on their approach to Vulnerability Scanning and CVSS ratings. "A truth about CVSS ratings is that they fail to address a crucial aspect. A single vulnerability can impact multiple systems and cannot account for the actual risk of vulnerability in each company," says Scott.
For example, if three companies are affected by a single vulnerability, it can affect each system and company differently. Moreover, every CIO or CISO has a different approach to risk acceptance, and to the extent technology plays a role in their enterprise. The ability to dig down and address all these unique business requirements is a strength and core competency of S3.
To achieve this goal, S3 works to understand each client's environment, culture, technology, expertise and operations before suggesting any solution or starting an assessment. By doing this, S3 can marry the needs of the business with what information technology and security can bring to the table and make it an integral part of the project development. The tools employed for vulnerability assessment depend explicitly on a given business environment, and they seamlessly align with the environment's requirements. This ensures that security and vulnerability management become a regular part of the business process.
"Enterprises must remember that without an effective cyber risk governance program, even the best of vulnerability management programs will not work"
“Vulnerability remediation, nonetheless, requires more than just an assessment or providing compensating controls. It mandates not only the identification of vulnerability but also finding its root cause.” Says Scott Schanbaum. Additionally, S3 uses robust cyber risk governance to secure an enterprise's operations and existing applications.
In a recent project, a client contacted S3 for assistance in carrying out quarterly vulnerability assessments. However, the client had not performed a vulnerability assessment in years. To make matters worse, the client failed to place a robust security patching program when it decided to outsource its IT operations. S3's initial assessment revealed approximately 20,000 vulnerabilities residing on numerous servers, desktops and networking gear, end-of-life software, broken processes, and disparate systems to which the IT department had not known about. As Mitchelle states, "How can an IT team manage systems and applications that they don't even know are being used? Enterprises must remember that without an effective cyber risk governance program, even the best of vulnerability management programs will not work." S3 went beyond identifying the cause of vulnerabilities, remediating them, and providing compensating controls to transform the enterprise culture and create a viable and sustainable vulnerability management program to address risk for the client.
S3 regularly encounters many similar customers with scores of vulnerabilities to be remediated within a limited time frame. The company has never failed to ensure that its clients fulfill all compliance requirements while being mindful of the enterprise budget and unique business needs.
The Information Security Mavericks
Having carved a unique niche, S3 is stepping up to meet clients’ expanding needs domestically, as well as globally. Over the last few years, S3 has built a strong presence in Europe and is growing the business in Central America, South America and Asia. “Security is often just as much a people issue as a technology issue. Establishing a good foundation and investing in prevention is far more desirable and inexpensive than dealing with the after-effects of an attack. Regular program maintenance including annual employee awareness and training, revaluation and assessment, testing, patching and remediation of any issues are vital components to any robust cybersecurity program, and that’s where we steer ahead,” concludes Scott Schanbaum.