Assessing Your Organization’s Cyber Security Risk with S2ORG

You’ve likely checked your personal FICO® credit score recently. Did you know there’s a similar way to assess your organization’s cyber security risk? It’s called S2ORG by SecurityStudio.

Standards like FICO® Scores allow lenders to assess risk before issuing credit. Wouldn’t it be great to be able to automate the complex task of evaluating a company’s overall cyber security and its risk of an information security incident. Our security partner SecurityStudio has developed an assessment tool called S2ORG that measures a company’s information security program on a scale from 300 (not secure) to 850 (excellent) and identifies your company’s level of vulnerabilities, gaps and deficiencies in your security program. Get an S2ORG assessment now.

1) An S2ORG Assessment is easy to understand.
Information security is a complex discipline with many moving parts, but SecurityStudio’s S2ORG process simplifies the communication about how your information security program is performing. You don’t need to be an information security expert with years of experience to understand what S2ORG is telling you. One simple number represents your overall risk, and additional indicators show where your most significant risks are.

2) S2ORG can tell you what everyone else is doing.
Hundreds of organizations have received their S2ORG score and this allows for solid, fact-based comparisons. One of the common questions we receive about information security is, “What is everybody else doing?” This question comes from the responsibility for due care/due diligence, liability, and knowing that there’s “protection in the herd.”

Once your full S2ORG assessment is complete, you’ll receive a risk measurement, from 300 (not secure) to 850 (excellent).

3) With S2ORG, you can track progress.
S2ORG is a point of reference that should be used to track progress and to determine whether risk is maintained within your tolerance. Your information security program and risks are always getting better or worse; they never stay the same. Questions about progress, regular reporting, and support for maintaining your information security program are all answered.

4) An S2ORG Assessment is objective.
S2ORG is maintained by an independent organization that doesn’t do consulting work, and has no other purpose but to provide accurate measurements of information security risk. In addition to organizational objectivity, the score is also objective. FISASCORE is calculated through the measurement of thousands of objective characteristics that take much of the guesswork and opinion out of the equation.

5) An S2ORG Assessment is credible.
S2ORG was developed over the course of more than 15 years through the work of seasoned information security practitioners and is now on its fifth major release. S2ORG is based on generally well-accepted information security standards. The criteria for measurement are all reference-able to the NIST Cybersecurity Framework (CSF), and its supporting standards: NIST SP 800-53, COBIT, ISO 27001:2013, and CIS CSC.

FRG offers the SecurityStudio S2Vendor module as a solution for organizations to determine how secure their vendors and partners are.

6) S2ORG represents risk.
Risk is the combination of vulnerabilities and applicable threats that manifest themselves into the likelihood of something bad happening and the impact if it did. If there is no vulnerability (or weakness) in a control, there is no risk. If there is a vulnerability in a control without an applicable threat, there is also no risk. An S2ORG measurement represents the analysis of hundreds of controls, thousands of vulnerabilities and thousands of threats, resulting in likelihoods and impacts of bad events.

7) S2ORG is comprehensive.
Fundamental to the S2ORG measurement is our definition of information security: The application of administrative, physical, and technical controls to protect the confidentiality, integrity and availability of information. There are four Phases:

Phase 1 – Administrative Controls
Phase 2 – Physical Controls
Phase 3 – Internal Technical Controls
Phase 4 – External Technical Controls

All four parts of the information security program must work well together. A weakness in one control can lead to a collapse of all others. The phases are further segmented into sections, and the sections are further segmented into controls. The final report is presented both high level and then digs deep in the details.

8) There is fast-growing community support for S2 Scores.
The partner community behind the S2 system is critical to its success. Partners work to generate S2ORG, S2VENDOR or S2TEAM scores for their clients, but the partner community is also vital to future improvements and considerations. The partner community participates in further improvements of the methodology, shares critical information, and evangelizes the need for a common information security language. Our partners include IT service companies, CPA firms, insurance brokers and security consulting companies.

9) S2ORG Scores are an indicator of future losses.
As S2ORG continues to evolve, we get closer to understanding the true losses behind information security incidents and breaches. S2ORG provides the framework for predicting future information security losses accurately, using the best information available. Today S2ORG is tied to research conducted by the Ponemon Institute for loss data.

10) Utilizing S2ORG is a competitive advantage.
Information security as a competitive advantage? Yes, absolutely! An S2ORG Assessment is a representation of the efforts you’ve put into information security and it’s a demonstration that you know where your most significant information security risks are. Armed with this information, you can make an objective case to your customers that you take information security seriously, backed by experienced information security experts, a community of partners, and a clean methodology. Don’t forget the fact that you can now invest your information security dollars where they will have the greatest benefit.



FRG is a trusted partner providing information cyber security solutions to organizations large and small.

Wondering about how your partners’ and vendors’ S2 Scores might affect yours? Use S2Vendor to evaluate the risks presented by the providers you rely on.

Want to get a free S2ORG assessment? CLICK HERE.



Support Tee It Up For The Troops

As a veteran-owned small business, FRG proudly supports U.S. soldiers and their families. Our president, Ryan Heining, was a founding sponsor of the amazing Tee It Up for the Troops program back in 2005 and has a track record of rallying support for the organization through partnerships within the AV industry to help sponsor events across the country.

Tee It Up for the Troops Commitment

Tee It Up for the Troops believes in engaging and inspiring communities across the United States to do great things on behalf of the military men and women who have served and sacrificed so much for our freedoms. Tee It Up for the Troops combines golf events with an inspirational ceremony, instilling a sense of pride, honor, respect and appreciation for all those who have served and given so greatly.

We “Honor, Respect, Remember and Support” military veterans and their families through charitable support powered by our leadership, coordination and execution of local golf tournaments. This effort enables us to serve as a national foundation that facilitates physical, psychological and emotional support with individuals and organizations, through grants of money, equipment, time and talent.


History of Tee it up for the Troops

Tee It Up for the Troops was founded in 2005 when the family of a soldier serving in Iraq asked him what he needed. His response was “Forget about me, do something for the soldiers and their families back home”. Tee It Up for the Troops was established to honor that selfless request.

Since those humble beginnings, Tee It Up for the Troops has hosted over 475 fundraising events in more than 40 states across the USA.

These events have allowed us to donate over $10,000,000 to local veterans organizations that support our wounded warriors, as well as to national charities such as Fisher House Foundation and Warfighter Sports, a division of Disabled Sports USA. Donations now exceed more than $1 million annually.

Our support of our American Heroes was never meant to end once they came home from War. We must never forget the service and sacrifice of these brave men and women. Help us honor them by hosting, sponsoring, participating, or volunteering at one of our special events across the country.


Learn More


AV System Cyber Security

Lessons to Learn for AV System Cyber Security


Major corporations and retailers continue to experience data breaches despite the lessons learned in marquee attacks.


It has been nearly five years since one of the world’s largest retailers experienced a system data breach that exposed personal information and credit card details to nearly 110 million customers. While much was learned from details surrounding this incident, some key findings highlight measures worth considering in any organization’s cyber security plan:

Harden Fringe Access Points

To gain initial access, an email phishing campaign targeted a 3rd-party HVAC contractor who had access to corporate networks through the retailer’s vendor portal. Once the attacker had access into this fringe network access point they were able to navigate and stage the next steps of their attack.

Takeaway: Any organization that allows third-party vendors or partners to access corporate networks – be it via cloud connections or while working on-site – needs to demand partners follow cyber security protocols and include fringe access points and in their overall Cyber Security Plan. Fringe access points include audio-visual systems and networks used for video conferencing and meeting room collaboration which may be installed directly onto the internet and not implemented behind a firewall.

Ensure Real-time Intrusion Detection

The compromised contractor in the incident may have utilized a free version of malware detection software which did not provide real-time intrusion detection.

Takeaway: Free and other scan-on-demand malware detection solutions that don’t automatically update or access worldwide threat profiles are a security risk. A legitimate Intrusion Detection System (IDS) needs to access up-to-date, global threat profiles in realtime.

Ensure both Internal and External Threat Detection & Prevention

Once the corporate network was compromised the attacker was able to execute code malicious code within the network that spread until it reached the retailer’s POS systems and sensitive customer data. While the retailer did employ a tool that noticed the suspicious activity within their network, the system didn’t immediately thwart the activity and the retailer’s teams seemed to ignore the warnings.

Takeaway: a successful cyber security Intrusion Prevention System (IPS) needs to identify and prevent malicious behavior both outside and within the network.


Speed Matters in AV System Cyber Security


In securing the systems in your meeting/conference spaces, and across your organization, speed is of vital importance.


Latency – Microseconds Matter

We continue to read stunning accounts of often hi-tech organizations who experience data breaches and often don’t realize it has happened for hours or even days after the incident. Whether you’re aiming to prevent orchestrated hacker attempts or DDoS attacks–or simply trying to identify and prevent viruses or malware on employee USB thumb drives or other BYOD devices from infecting your meeting room systems (and beyond) the performance speed of your security solution matters. Response time to identify and shut down threats needs to be measured in microseconds. Given the sophistication of modern black hats, if your system security solutions aren’t able to identify and shut down threats in fractions of a second it might already be too late.

User Experience

At a very basic, user experience level, if your team actually notices that your cyber security or anti-virus systems are running scans in the background on your devices, not only does it negatively affect their productivity, it might lead them to choose to bypass your solutions. Beyond that, if you notice your cyber security solution working in the background, it might simply mean that the system just doesn’t perform at speeds needed to keep your data safe.

Reactive vs. Proactive

When it comes to cyber security systems, many rely on databases of “known threats” which trigger a security response. Modern hackers and their sophisticated bots are continually morphing attacks into new varieties that don’t fit the profile of existing, known threats. A cyber security solution that relies only on known threats, or doesn’t update its threat profiles frequently enough is prone to fail.

Real-Time Reporting

The speed at which cyber security solutions identify and shut-down threats is just one part of the story. Particularly in meeting and collaboration systems which might not be regularly monitored by core IT service teams, waiting hours or even days to be notified of significant threat activity is unacceptable. Real-time reporting via dashboard and ticketing systems is imperative.