Conducting a Security Technology Assessment

By: Janna Pearman Jacobs

I’ve completed several assessments over the years, and here’s the approach I used for conducting a security technology assessment during my time in the Information Security Office. Keep in mind, at the time of this assessment, IT was mature, but security was new and growing rapidly. Assessing our capabilities and developing a capability roadmap was critical for protecting the company and managing increasing costs.

Step 1: Start With a Security Framework

  • Used frameworks like NIST and ISO Series

  • Collaborated with the Governance, Risk, and Compliance (GRC) team

  • Identified critical security capabilities for the organization

Step 2: Inventory and Map Technology to Capabilities

  • Inventoried all tools performing security functions

  • Mapped each tool back to its corresponding security capability

Process included:

  • Interviewing leaders and engineers to understand tool roles and functions

  • Discovering:

    • Security tools managed outside of security

    • Non-security tools managed within security

    (often due to organizational growth and misaligned ownership)

Step 3: Assess Each Tool

Evaluated tools based on the following:

  • Tool Life Cycle Maturity

    • Change management processes

    • Version control

    • Testing environments

    • Upgrades and ongoing maintenance

  • Environment Footprint

    • Number of servers and endpoints

    • Versions deployed across the environment

  • People Supporting the Tools

    • Number of individuals responsible

    • Skill levels

    • Formal/informal training

    • Years of experience

Step 4: Analyze the Data

Captured all findings in Excel so they could be sorted and filtered to support recommendations.

Looked for opportunities to:

  • Reduce Complexity & Optimize Resources

    • Consolidate tools and right-place ownership

    • Eliminate unnecessary versions to save on storage

    • Cancel unused or unimplemented tool contracts

  • Identify Critical Issues

    • Versioning limitations blocking upgrades

    • Too many versions of the same tool in use

    • Tools lagging 2+ years behind on updates

  • Reduce Risk

    • Critical tools with poor life cycle practices

    • Tools managed by too few people

    • Lack of timely upgrades for key systems
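
As an added example (not code from the original post), the following Python script applies the Step 2 ownership checks and the Step 4 critical-issue and risk criteria to a constructed inventory, the way the Excel sort/filter pass would; the Tool fields, the "Security" team name, the 365-day year and the two-person minimum are assumptions, since the article gives no exact thresholds.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

LIFECYCLE_CONTROLS = ("change_mgmt", "version_control", "test_env", "maintenance")
MIN_SUPPORTERS = 2  # assumed threshold; the article sets no specific number

@dataclass
class Tool:  # one row of the Step 2/3 inventory
    name: str
    capability: str            # security capability the tool maps to
    owner: str                 # team that manages it
    is_security_tool: bool
    critical: bool
    versions: list[str]        # distinct versions deployed
    last_update: date          # most recent upgrade applied
    supporters: int            # people responsible for the tool
    endpoints: int             # servers and endpoints it is deployed on
    lifecycle: dict[str, bool] = field(default_factory=dict)  # keys from LIFECYCLE_CONTROLS

def analyze(tools: list[Tool], as_of: date, security_team: str = "Security") -> dict[str, list[str]]:
    """Flag each tool against the Step 2 and Step 4 criteria; returns findings keyed by tool name."""
    findings: dict[str, list[str]] = {}
    for t in tools:
        f = findings.setdefault(t.name, [])
        if t.is_security_tool and t.owner != security_team:
            f.append("complexity: security tool managed outside security")
        if not t.is_security_tool and t.owner == security_team:
            f.append("complexity: non-security tool managed within security")
        if t.endpoints == 0:
            f.append("complexity: unused or unimplemented tool, review contract")
        if len(t.versions) > 1:
            f.append(f"critical issue: {len(t.versions)} versions of the same tool in use")
        if (as_of - t.last_update).days > 2 * 365:  # "2+ years behind on updates"
            f.append("critical issue: 2+ years behind on updates")
        missing = [c for c in LIFECYCLE_CONTROLS if not t.lifecycle.get(c)]
        if t.critical and missing:
            f.append("risk: critical tool lacks " + ", ".join(missing))
        if t.supporters < MIN_SUPPORTERS:
            f.append(f"risk: managed by only {t.supporters} person(s)")
    return findings

# Constructed sample inventory (not real tools or figures)
INVENTORY = [
    Tool("EDR", "endpoint detection", "Security", True, True, ["7.2"], date(2023, 11, 1), 3, 4200, dict.fromkeys(LIFECYCLE_CONTROLS, True)),
    Tool("SIEM", "log monitoring", "Infrastructure", True, True, ["4.1", "4.3", "5.0"], date(2021, 3, 15), 1, 30, {"change_mgmt": True, "maintenance": True}),
    Tool("Ticketing", "none", "Security", False, False, ["9.0"], date(2023, 6, 1), 2, 0, dict.fromkeys(LIFECYCLE_CONTROLS, True)),
]
```

Running `analyze(INVENTORY, date(2024, 1, 1))` leaves the EDR row clean, flags the SIEM row on all five criteria, and flags the ticketing tool as a candidate for re-homing and contract review.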

Why This Matters

A detailed assessment like this helps you:

  • Uncover legacy technology decisions

  • Create a roadmap to modernize systems

  • Build a clear capability roadmap (tools, people, resources)

  • Make informed investment and risk decisions

Keep in mind that there is a history behind all technology decisions. An assessment like this requires time, but the insights and clarity you gain...

  • Uncover legacy decisions

  • Create a roadmap to bring everything up to date

  • Provide the data necessary to build capability roadmaps for technology, people, and resource needs

  • Inform investment and risk acceptance decisions for the organization

If you are overwhelmed and need help, visit RKCMANAGEMENTCONSULTING.COM and let us help you bring clarity to chaos.