Why Now Is the Time for Security Validation
With tight budgets and a cybersecurity skills shortage, companies need a process, risk framework, and platform to continuously measure, optimize and rationalize security investments.
Did you know…
53% of attacks successfully infiltrated without detection?
Only 9% of alerts are sent to the SIEM?
65% of the time, CISOs are unaware that an attack could bypass their defenses?
Do you know what these statistics mean for your company, or how secure your assets are and what value you’re getting from your security investments? The data comes from the Mandiant Security Effectiveness Report 2020, A Deep Dive Into Cyber Reality, which shares findings from an evaluation of enterprise production environments across 11 global industries. The report reveals that despite a steady growth in security spending, organizations operate under the assumption that they are protected from cyber threats when in fact, most companies will be breached -- or already have been but they don’t know it.
This happens for many reasons, but most frequently because:
Security tools have not been properly configured or have regressed over time,
There are gaps in security protocols,
The IT environment is overly complicated, or
Security teams do not always have visibility to changes made to the IT infrastructure -- which is catastrophic, as one small change in the network can cause environmental drift to security.
This is clearly problematic from a security standpoint but it also means companies are investing in security and not getting the intended value. In today’s economic climate, businesses can’t afford to spend money on technology that doesn’t perform as expected. This was the case before Covid-19 struck, but now, with economic uncertainties and companies needing to cut costs, the mandate has become clear: CISOs and CFOs must work together in new ways to answer the age-old question “Are we safe from attacks?” with quantifiable metrics and proof. How well they do this may very well determine the financial future of the company.
Security Validation: Reduce Risk While Optimizing Performance
What I’m talking about is the need for CISOs and CFOs to validate performance of their security investments. Validation is about measuring the effectiveness of a security program across technology, people, and processes to determine if an organization is getting value from their security spend. It’s also about aligning the security stack with desired business outcomes -- be it cutting costs, reducing risk or strengthening the brand, particularly when measured against the threats most likely to target the business.
This is not easy. Most organizations today have between 30-70 security tools, which lends to IT complexity and overlapping controls. Sure, companies are doing everything they can to maintain a strong security posture. But spending millions of dollars without knowing how well each control is performing or how to optimize each point solution for a particular IT environment is not an effective strategy.
To properly validate security performance, companies need a process, risk framework, and a platform to continuously measure a company’s security effectiveness, validate security performance, and financially rationalize cybersecurity investments. This process and framework cannot be a one-time process. Continuous vigilance and validation must be the new normal in order to protect against the acts of cyberhackers and respond to IT infrastructure drift, and unforeseen acts of nature. Three key steps must be taken:
Assess to understand the relevance of threat intelligence and exposure to a likely attack and establish a baseline of the effectiveness of a company’s current cyber security program.
Optimize to ensure that effectiveness is maintained, if not increased, once gaps and shortcomings are addressed or changes to the organization’s risk profile are established.
Rationalization of financial value and costs means attaching financial value to cybersecurity effectiveness in order to justify spend, reduce costs and eliminate duplication and waste while simultaneously maintaining or increasing security effectiveness in key areas: executive communications, remote working protocols, and customer data protection. Financial rationalization can demonstrate the alignment between the efforts of the cybersecurity technology stack, policies, and people with the desired outcomes, priorities, costs, and risk profile of the company.
I will be hosting a webinar on this topic, Validate Security Performance to Rationalize Investments, as part of the FireEye Virtual Summit at 4pm ET on June 11, in which I will discuss the need for rationalization of security investments and outline key steps to strengthen your security posture and minimize cyber risk. (To register for the webinar visit here.)
Without data-driven evidence of security performance, companies stake their brand reputation and financial performance on assumptions that simply don’t match reality. Only by validating the effectiveness of security controls through automated data measurement, optimization and rationalization can a company maximize protections and minimize risk across the entire business.
To learn more about the FireEye Virtual Summit, or to register, click here.
About the Author
Earl Matthews, Maj General (Ret)
VP Strategy, Mandiant Security Validation
Major General Earl Matthews USAF is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead large-scale, diverse, global organizations that operate, extend, maintain and defend global networks. He has earned a reputation as a motivational leader and change agent focused on delivering technical innovations that resolve complex challenges.
About the Author
You May Also Like
Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024