Marco Kapp says people hate risk analyses. "They're paper intensive and people don't understand or believe the results," he says. But rising security threats have made vulnerability and risk assessment an increasingly important part of corporate IT security. And it is this trend that Kapp, co-founder and director of Citicus, an information risk-management software company, is looking to exploit.
Citicus' flagship product, Citicus ONE, manages corporate security risks by consolidating information about multiple systems and departments. This provides a chief information officer with an insight into their company's overall level of risk.
Citicus has a somewhat unorthodox history. Kapp was a founding member of the Internet Security Forum (ISF), an independent group with more than 1,000 large companies among its membership.
Based on data from surveys, ISF developed a risk measurement methodology that includes a simple scorecard with 17 main control areas for IT security. Citicus ONE automates this process. ISF retains the copyright for the methodology, but Citicus has exclusive rights to develop software based on it.
Citicus ONE runs on corporate intranets. Different departments fill out their respective scorecards and the system then gives an immediate risk assessment, along with advice on how security can be improved. Citicus ONE can also track different departments to see if they are driving down their security risks.
Citicus ONE was officially launched at the end of March 2002. Kapp's immediate goal is to work with about 20 organisations – it already has 16 clients – giving these first customers intensive support and helping to set up pilots and roll out the system. He hopes they will ultimately provide strong references for Citicus.
Investment in product development was about €1.5 million, funded solely by Citicus' founders. The company expects to be profitable by the end of 2002. But it may have to raise some outside funding in 2003 for further expansion. For now, however, it needs to build a strong reputation with clients and, admits Kapp, prove that it has "a product that earns its keep."