Don’t Just Measure and Report – Security Effectiveness by Mark Bagley

I could list all the big breaches of the last 10 years – but the logos aren’t what’s most important. The thing they all have in common is consumer impact – billions of consumers globally have suffered real consequences. Once an enterprise is hacked and its critical assets – like the personal information of its employees and consumers, such as birth date, phone number, email, social security number, and credit card information – are compromised, consumer confidence is lost, and the company sometimes suffers irreversible financial devastation.

Just one attack has the potential to lead to diminished brand loyalty, legal action, lost sales, fines, and remediation costs. The overwhelming nature of these events often puts smaller companies out of business. It is for this reason that determining the effectiveness of cybersecurity is an imperative for anyone involved in digital business. It is now critical to validate that the tools, people, and processes currently in place can and will protect the company’s critical assets against every known threat. Leaders of all organizations need a solution that has the capability of going beyond just measuring and reporting on what is broken. Today’s environment demands that security professionals, from the practitioners to the CISO and CIO, must be able to report on security effectiveness in terms of measurable business impact. And the only way to do that is to have access to evidence-based data that will generate an accurate picture of an organization’s security program.

This requires a platform approach that has the ability to:

  • Inform users of not only what is broken, but more importantly, how to fix it.
  • Validate that a fix is actually working once it has been made.
  • Allow users to apply automation once security tools are working, so that they stay validated in perpetuity.
  • Alert users when controls drift from the known good state for any reason – often due to changes in the overall IT environment – so they can manage by exception.

Only by leveraging these capabilities can defenders ensure that the security controls they depend on are effective. Many organizations are using the MITRE ATT&CK model to bring the perspective on adversary behavior to their defensive programs. While leveraging a model is a good starting point, actual improvements must be made to the program in order to produce tangible business value. More reports that show a “sea of red” broken things don’t help. That’s where security instrumentation programs step in.

By providing real-time, evidence-based data, solutions like Verodin SIP allow the entire security team – no matter how big or small – to validate which security tools are working and to optimize the configuration of the security infrastructure to improve effectiveness. Simply put, they know what’s working, what’s not, and how to fix it. Additionally, Verodin SIP provides much-needed reporting tools from a business perspective, so that company leadership can understand the value and true state of security effectiveness.

One of the things I’ve often heard from customers is that they value just how easy it is – and how well documented the process is – to deploy and use Verodin SIP. In fact, the platform is often deployed within a few hours! We have also found that over a period of just weeks, most customers have increased their security effectiveness significantly. The platform’s unique Advanced Environmental Drift Analysis (AEDA) capabilities help ensure that what is working stays that way, so they are not only mitigating risk, but are actually getting predictable value from their security investments over time.

The bottom line is that any business faces a daily risk of data loss and exposure. This means that strategies must be in place NOW to reduce the chance of a breach – building and improving customer trust. IT security is no longer ‘just another cost’ or something to consider lightly – it’s a strategic business investment that provides real business value by reducing corporate risk.

Want to go beyond measuring and reporting? Learn more about Verodin here and request a demo.


*** This is a Security Bloggers Network syndicated blog from Verodin Blog authored by Verodin Blog. Read the original post at: https://www.verodin.com/post/dont-just-measure-and-report-security-effectiveness