Cybersecurity programs establish defined goals but lack measurable indicators to gauge effectiveness.
by Brian Contos, CISO, Verodin Inc.
From an objective perspective, it is easy to become desensitized to the current state of cybersecurity. Every headline-grabbing breach plays out like a rerun of a bad sitcom. Still, recent incidents beg the question: why are even the most sophisticated and well-funded cybersecurity programs struggling?
The margin of error in cybersecurity is unprecedented. Modern IT environments are complex and unique, with intricate combinations of products, configurations, and architectures. In fact, a lot has to go right for dozens of disparate tools to work together in concert and be effective. Known and unknown changes in tools, infrastructure, and configurations introduce the risk of unintended errors and blind spots. To add to the complexity, environments are constantly shifting, so there is no guarantee that defenses working today will remain effective tomorrow.
The harsh reality is that cybersecurity as we know it is fundamentally flawed. Unlike other essential business units such as finance and operations, cybersecurity is not measured with quantifiable metrics and optics predicated on evidence-based data. Instead, cybersecurity success criteria are loosely defined and principally based on assumptions. Over the years, cybersecurity infrastructures have ballooned without the instrumentation necessary to dynamically measure and manage their effectiveness. This has resulted in product redundancies, unnecessary complexity, overwhelmed analysts, and wasted dollars. Bottom line: the cybersecurity value perceived is not the value being realized.
Assumption-based cybersecurity is rampant. In a recent poll from Verodin Inc., a broad audience of InfoSec professionals, including red and blue teams, auditors, and executives, was asked, “How much of your security is based on assumptions instead of evidence?” Not surprisingly, a whopping 97% of respondents admitted to managing by assumption to some degree.
In a separate poll, the audience was asked, “Does your leadership leverage security metrics for business decisions?” Only 51% voted for “half the time,” “usually,” or “always.”
If you cannot measure it, you cannot manage it.
A holistic understanding of cybersecurity effectiveness can only be achieved with key performance indicators to measure people, processes, and technology. Today, many enterprises do not have the systems in place to stress-test and continuously validate the protection of their critical assets and business operations. Furthermore, programs cannot produce the evidence required to determine if their efforts and investments are meeting defined goals and satisfying regulatory obligations.
Security Instrumentation elevates cybersecurity to the same standards as other metrics-driven business units. Verodin Inc. offers the first business platform purpose-built to measure, manage, improve, and communicate cybersecurity effectiveness. The Verodin Security Instrumentation Platform (SIP) provides the evidence required to determine if an enterprise’s layered defenses are effective across endpoint, email, cloud, and network tools, enabling organizations to continuously validate the protection of their business-critical assets. From the boardroom to the CISO to the SOC, Security Instrumentation empowers the business to understand and communicate cybersecurity effectiveness with quantifiable metrics.
Prove that core business objectives are being achieved. Large enterprises report having 30 to 70 cybersecurity vendors deployed in their environment. Once the shift is made from assumption-based to evidence-based cybersecurity, it becomes possible to start rationalizing investments. Programs can address questions like, “what’s working, what’s not, what should be replaced, where do we need to allocate resources, and how should we be prioritizing changes?” As we enter 2019, cybersecurity programs would be wise to focus their efforts on maximizing the effectiveness of the investments they already have in place before purchasing that next buzzword. After all, if the foundation is broken, everything is broken. Learn more at verodin.com. (RSA booth #4214)
About the Author
Brian Contos is the CISO & VP of Technology Innovation at Verodin. With over 20 years of security industry experience, working across more than 50 countries and six continents, he is a seasoned executive, board advisor, security company entrepreneur & author. After getting his start in security with DISA and later Bell Labs, he began the process of building startups and taking multiple companies through successful IPOs & acquisitions including Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian is frequently interviewed by the press and is a speaker at conferences like Black Hat, BSides, RSA, Interop, SOURCE, SecTor, and OWASP.
Brian can be reached online at (firstname.lastname@example.org, @BrianContos, etc.) and at our company website https://www.verodin.com