A “Good” estimated S2SCORE^® means that you have really spent time, money, and effort building a good information security program. The foundation of your program is laid, and now you’re in “maintenance mode,” although you still have some major projects and tasks to accomplish. The return on each information security dollar starts to diminish for organizations with a “Good” S2SCORE, so it’s very important to spend each information security dollar wisely and to effectively communicate your information security measurement of risk. To accomplish this, schedule the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan.

An “Excellent” S2SCORE^® is a rarity and something to take pride in. It’s obvious that your organization has spent significant amounts of time, money, and effort to build a best-in-class information security program. You have the proper structures in place to maintain what you’ve painstakingly built, and now you can focus on 1) continuous improvement and 2) finding more tangible returns for your investment. Schedule the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan, so you can share this with your customers, executive management, and boards of directors. A compromise of your defenses will always be a possibility, but you will likely detect such an event early on and be in a position to limit damages.

A “Fair” estimated S2SCORE^® means that you have done some really good things with respect to your organization’s information security; however, significant gaps/risks still exist. Some of the foundational components of the program are in place, and it’s time for the program to mature into a more formal business initiative. This is the point in the program where information security expenditures need to start providing real and tangible results. The question, “where should we spend our next information security dollar?” is an important one to support with facts instead of gut instinct. Start by scheduling the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan. A compromise is still very much possible, but you are more likely to detect it and respond with some effectiveness. If executive management is involved with information security, which they probably are, continued improvement will only help them make better risk-based decisions.

A “Poor” estimated S2SORE^® means that you have significant areas of improvement for information security in your organization. Your information security program is not mature enough for sustained improvement, and a significant compromise is possible in the short term. Whether or not your organization would notice the threat, attack, and eventual compromise is not well known. Without significant improvements in your information security program, executive management’s decisions regarding security may not be easily defended should an adverse event occur. It’s imperative that you schedule the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan.

A “Very Poor” estimated S2SCORE^® usually means that you haven’t taken the necessary basic steps to protect your organization from a variety of threats. The information security program lacks formality, and a significant compromise is likely in the short term. To make matters worse, depending upon the type of threat, the compromise may go unnoticed for an extended period of time. If a compromise were to become known, executive management may not have the necessary proof to defend the organization against civil actions. It’s imperative that you schedule the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan.