Cybersecurity Strategy: From Hypothetical To Empirical

Forbes Technology Council

Co-Founder & CTO of Cymulate. Previously, Avihai was the Head of the Cyber Research Team at Avnet Cyber & Information Security.

Something is broken in the security industry's strategy. Business enterprises, government organizations and even non-profits invest millions of dollars in cybersecurity, yet they have no idea how operationally effective and synchronized their security technologies, people and processes actually are.

In practice, unfortunately, cybersecurity-related decisions are too often made on the basis of assumptions. Risk assessment, budgetary needs and priorities are the outcome of hypothetical debates and are subject to internal pressures and politics. Both security professionals and business executives continuously seek solutions or methodologies that will put a dollar figure next to their investment, as well as next to their risk.

Today, they’re in the dark regarding the actual efficacy of their cybersecurity solutions, the actual protection of mission-critical assets, the suitability of budget allocation per business unit, the exposure due to unpatched vulnerabilities and more. A successful ransomware attack, due to a low level of readiness, can completely turn the assumptions-based equation upside down.

Here are a few common questions that chief information security officers (CISOs) keep asking themselves:

• How do we measure and convey cyber risk to leadership?

• How do we show the value of cybersecurity spend and manage costs?

• How do we prevent regressions and security drift in the face of threat evolutions?

• How do we prioritize vulnerabilities and security gaps?

• How resilient are we to new, immediate threats?

• How could cyber-extortionists hit us with a ransomware attack?

Rationalizing security spend is now possible with continuous, automated posture validation tools. Provided their coverage is broad enough, these tools deliver the visibility and certainty that decision makers ask for. They reduce the dependence on manual, resource-intensive, limited-scope penetration testing projects and provide benchmarks that both executives and security practitioners can understand and relate to. One caveat a practitioner should keep in mind: automated validation exercises known attacker techniques against the controls already in place; it does not by itself uncover business-logic flaws or novel attack paths, so it complements skilled manual testing rather than fully retiring it.

A comprehensive posture validation program has three parts: attack surface management, to monitor exposed and vulnerable assets; breach and attack simulation (BAS), to assess the efficacy of the current controls; and continuous, automated red teaming, to analyze breach paths and ways in.

Getting On The Same Baseline

Posture validation of this kind draws a baseline that answers the CISO questions listed above. It empowers information security teams, enabling them to:

• Pinpoint solution overlap to recoup some redundant investments.

• Compare and contrast the level of investment to the level of risk.

• Know exactly how the organization can be hacked and its readiness to cope with the latest threats.

• Tune and optimize the current cybersecurity solutions and processes.

• Assess posture and policy drift, the organizational equivalent of rejuvenating aging cells.

Moreover, the data allows a CISO to convey risk accurately and promptly to those above them in the hierarchy and to discuss investments, budgetary needs, policies and processes on that basis. It also facilitates the conversation downward to the team: pinpointing gaps learned from undetected attacks, testing immediate threats, optimizing current protections against the MITRE ATT&CK framework and prioritizing vulnerability patching. The cherry on top is that these tools are fully automated, so validation tests can run continuously and depict a "state of the union" at any point in time.
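As an added example (not code from the article, from Cymulate or from any vendor), the script below turns two rounds of breach-and-attack-simulation results into exactly the kind of baseline the paragraph describes: prevention and detection rates per run, the techniques that regressed between runs (security drift), and a prioritized list of remaining gaps. The record format, the outcome vocabulary ("blocked", "detected", "missed") and all outcomes are assumptions constructed for illustration; only the MITRE ATT&CK technique IDs are real.

```python
"""Added example, not code from the article or from any vendor: build a
posture baseline from breach-and-attack-simulation (BAS) results, detect
drift between two runs and order the remaining gaps for remediation.

Assumed input format (an assumption, not any product's export): one record
per simulated MITRE ATT&CK technique with an outcome of "blocked"
(prevented), "detected" (executed but alerted on) or "missed" (executed,
no alert). The technique IDs are real ATT&CK IDs; the outcomes are
constructed."""

# Outcome ranking used for scoring and for drift comparison (higher is better).
RANK = {"blocked": 2, "detected": 1, "missed": 0}

# Constructed baseline run (e.g. last quarter).
BASELINE_RUN = [
    {"technique": "T1059.001", "outcome": "blocked"},   # PowerShell
    {"technique": "T1003.001", "outcome": "detected"},  # LSASS memory dumping
    {"technique": "T1021.002", "outcome": "blocked"},   # SMB/admin shares
    {"technique": "T1486", "outcome": "detected"},      # data encrypted for impact
    {"technique": "T1566.001", "outcome": "missed"},    # spearphishing attachment
]

# Constructed current run after a policy change and a new agent version.
CURRENT_RUN = [
    {"technique": "T1059.001", "outcome": "blocked"},
    {"technique": "T1003.001", "outcome": "missed"},    # regression: now silent
    {"technique": "T1021.002", "outcome": "detected"},  # regression: no longer prevented
    {"technique": "T1486", "outcome": "blocked"},       # improvement
    {"technique": "T1566.001", "outcome": "missed"},
    {"technique": "T1047", "outcome": "missed"},        # WMI, new test this run
]


def score(run):
    """Prevention and detection rates plus the per-technique outcome map."""
    by_tech = {}
    for rec in run:
        if rec["outcome"] not in RANK:
            raise ValueError(f"unknown outcome {rec['outcome']!r}")
        by_tech[rec["technique"]] = rec["outcome"]
    if not by_tech:
        raise ValueError("empty run")
    n = len(by_tech)
    blocked = sum(1 for o in by_tech.values() if o == "blocked")
    seen = sum(1 for o in by_tech.values() if o != "missed")
    return {"techniques": n, "prevention": blocked / n,
            "detection": seen / n, "outcomes": by_tech}


def drift(baseline, current):
    """Techniques whose outcome got worse (regressions) or better, and tests
    that have no baseline yet. A regression is what 'security drift' looks
    like in the data: the same technique, a weaker outcome."""
    base, cur = score(baseline)["outcomes"], score(current)["outcomes"]
    regressions, improvements, new = [], [], []
    for tech, outcome in cur.items():
        if tech not in base:
            new.append(tech)
        elif RANK[outcome] < RANK[base[tech]]:
            regressions.append((tech, base[tech], outcome))
        elif RANK[outcome] > RANK[base[tech]]:
            improvements.append((tech, base[tech], outcome))
    return {"regressions": regressions, "improvements": improvements, "new": new}


def prioritized_gaps(run):
    """Non-blocked techniques, missed ones first (nothing fired), then
    detected-only ones; ties broken by technique ID for a stable report."""
    outcomes = score(run)["outcomes"]
    gaps = [t for t, o in outcomes.items() if o != "blocked"]
    return sorted(gaps, key=lambda t: (RANK[outcomes[t]], t))


def summary(baseline, current):
    """The numbers a CISO would report upward and act on downward."""
    b, c, d = score(baseline), score(current), drift(baseline, current)
    return {
        "prevention_before": b["prevention"], "prevention_after": c["prevention"],
        "detection_before": b["detection"], "detection_after": c["detection"],
        "regressions": d["regressions"], "improvements": d["improvements"],
        "new_tests": d["new"], "gaps": prioritized_gaps(current),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summary(BASELINE_RUN, CURRENT_RUN), indent=2))
```

Run as a script it prints the summary as JSON. The design choice worth noting is that drift is computed per technique, not from the aggregate rate: in the constructed data the overall detection rate drops from 80% to 50%, but the actionable finding is the two specific regressions (credential dumping now silent, lateral movement no longer prevented), which is what the downward conversation with the team needs.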

Senior management can use these metrics to quantify return on security investment (ROSI) and then make educated business decisions with a more precise sense of risk. For example:

• Reevaluate and reinforce the cybersecurity program.

• Remove superfluous controls.

• Replace aging technology when it can't be optimized further.

• Demonstrate compliance.

• Reallocate budgets to more business-critical activities with a higher risk.
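The article invokes ROSI without defining it. As an added example (not from the article or from any vendor), the block below applies the commonly cited formula ROSI = (ALE_before - ALE_after - cost) / cost, with annual loss expectancy ALE = single loss expectancy x annual rate of occurrence, and feeds it the validated prevention rate from posture testing so that candidate decisions of the kind listed above (tune, replace, or add a control) can be ranked. Treating the validated block rate as the share of attempts that incur no loss is a simplifying assumption, and every figure and option name is constructed.

```python
"""Added example, not from the article: return on security investment (ROSI)
derived from validated prevention rates.

Formula (the widely cited one, an assumption of this example rather than
anything the article states): ROSI = (ALE_before - ALE_after - cost) / cost,
where ALE = single_loss * annual_rate. The validated block rate is treated
as the share of attempts that cause no loss, a simplification. All numbers
and option names below are constructed."""


def annual_loss_expectancy(single_loss, annual_rate, blocked_rate):
    """Expected yearly loss from the attempts that get past the controls."""
    if not 0.0 <= blocked_rate <= 1.0:
        raise ValueError("blocked_rate must be a fraction between 0 and 1")
    return single_loss * annual_rate * (1.0 - blocked_rate)


def rosi(single_loss, annual_rate, blocked_before, blocked_after, annual_cost):
    """ROSI of moving from one validated block rate to another at a given cost."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    before = annual_loss_expectancy(single_loss, annual_rate, blocked_before)
    after = annual_loss_expectancy(single_loss, annual_rate, blocked_after)
    return (before - after - annual_cost) / annual_cost


def rank_options(single_loss, annual_rate, blocked_before, options):
    """Rank candidate investments by ROSI, best first.

    options maps a name to (blocked_after, annual_cost): the block rate a
    validation run measured or projected for that option, and its yearly cost.
    A negative ROSI means the option costs more than the loss it removes."""
    scored = [(name, rosi(single_loss, annual_rate, blocked_before, b, c))
              for name, (b, c) in options.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed scenario: ransomware, 2,000,000 single-loss estimate, 0.5
# expected attempts per year, and a validated block rate of 40% today.
SCENARIO = {"single_loss": 2_000_000, "annual_rate": 0.5, "blocked_before": 0.40}

# Constructed options: (validated/projected block rate after, annual cost).
OPTIONS = {
    "tune existing EDR policies": (0.70, 50_000),
    "replace EDR with new platform": (0.85, 400_000),
    "add a third, overlapping sandbox": (0.42, 120_000),
}


if __name__ == "__main__":
    for name, value in rank_options(**SCENARIO, options=OPTIONS):
        print(f"{name}: ROSI = {value:.2f}")
```

In the constructed scenario, tuning the existing control wins by a wide margin, the replacement is marginally positive, and the overlapping control is negative: it removes less loss than it costs, which is the numerical form of the "remove superfluous controls" item above. The ranking is only as good as the block rates fed into it, which is why the rates should come from validation runs rather than vendor claims.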

Here is a diagram of security as a business process.

This optimization goes beyond direct costs. For example, once risk is reduced (security policy updated, controls reconfigured, patching window minimized, compliance validated), the organization can save on forensics, crisis management retainers, customer compensation, legal fees and fines, brand support and similar post-incident expenses. A business, regardless of the industry it is in, can turn cybersecurity resilience into a marketing message and a competitive advantage.

Another classic example is an M&A opportunity: is there a security liability in the target? How can we evaluate it, and how do we quantify it?

However, a fact-based discussion is only worthwhile when all the facts are on the table. That requires a comprehensive assessment and validation of every component: asset and vulnerability management, prevention and detection controls, cloud privilege misconfigurations, infrastructure as well as applications and, above all, the human factor: employees, the SOC and the incident response team (IRT). A partial assessment, one that focuses on only some aspects, will obviously produce a partial picture in which everybody is looking at the wrong baseline, leading to suboptimal, biased decisions and directives, and that would be an opportunity missed.

