Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/8/2020
09:00 AM
By Earl Matthews, Maj Gen, (Ret), Vice President of Strategy, Mandiant Security Validation
By Earl Matthews, Maj Gen, (Ret), Vice President of Strategy, Mandiant Security Validation
Sponsored Article
100%
0%

Why Now Is the Time for Security Validation

With tight budgets and a cybersecurity skills shortage, companies need a process, risk framework, and platform to continuously measure, optimize and rationalize security investments.

Did you know…

  • 53% of attacks successfully infiltrated without detection?
  • Only 9% of alerts are sent to the SIEM?
  • 65% of the time, CISOs are unaware that an attack could bypass their defenses?

Do you know what these statistics mean for your company, or how secure your assets are and what value you’re getting from your security investments? The data comes from the Mandiant Security Effectiveness Report 2020, A Deep Dive Into Cyber Reality, which shares findings from an evaluation of enterprise production environments across 11 global industries. The report reveals that despite a steady growth in security spending, organizations operate under the assumption that they are protected from cyber threats when in fact, most companies will be breached -- or already have been but they don’t know it.

This happens for many reasons, but most frequently because:

  • Security tools have not been properly configured or have regressed over time,
  • There are gaps in security protocols,
  • The IT environment is overly complicated, or
  • Security teams do not always have visibility to changes made to the IT infrastructure -- which is catastrophic, as one small change in the network can cause environmental drift to security.

This is clearly problematic from a security standpoint but it also means companies are investing in security and not getting the intended value. In today’s economic climate, businesses can’t afford to spend money on technology that doesn’t perform as expected. This was the case before Covid-19 struck, but now, with economic uncertainties and companies needing to cut costs, the mandate has become clear: CISOs and CFOs must work together in new ways to answer the age-old question “Are we safe from attacks?” with quantifiable metrics and proof. How well they do this may very well determine the financial future of the company.

Security Validation: Reduce Risk While Optimizing Performance 
What I’m talking about is the need for CISOs and CFOs to validate performance of their security investments. Validation is about measuring the effectiveness of a security program across technology, people, and processes to determine if an organization is getting value from their security spend. It’s also about aligning the security stack with desired business outcomes -- be it cutting costs, reducing risk or strengthening the brand, particularly when measured against the threats most likely to target the business.

This is not easy. Most organizations today have between 30-70 security tools, which lends to IT complexity and overlapping controls. Sure, companies are doing everything they can to maintain a strong security posture. But spending millions of dollars without knowing how well each control is performing or how to optimize each point solution for a particular IT environment is not an effective strategy.

To properly validate security performance, companies need a process, risk framework, and a platform to continuously measure a company’s security effectiveness, validate security performance, and financially rationalize cybersecurity investments. This process and framework cannot be a one-time process. Continuous vigilance and validation must be the new normal in order to protect against the acts of cyberhackers and respond to IT infrastructure drift, and unforeseen acts of nature. Three key steps must be taken:

  1. Assess to understand the relevance of threat intelligence and exposure to a likely attack and establish a baseline of the effectiveness of a company’s current cyber security program.
  2. Optimize to ensure that effectiveness is maintained, if not increased, once gaps and shortcomings are addressed or changes to the organization’s risk profile are established.
  3. Rationalization of financial value and costs means attaching financial value to cybersecurity effectiveness in order to justify spend, reduce costs and eliminate duplication and waste  while simultaneously maintaining or increasing security effectiveness in key areas: executive communications, remote working protocols, and customer data protection. Financial rationalization can demonstrate the alignment between the efforts of the cybersecurity technology stack, policies, and people with the desired outcomes, priorities, costs, and risk profile of the company.

I will be hosting a webinar on this topic, Validate Security Performance to Rationalize Investments, as part of the FireEye Virtual Summit at 4pm ET on June 11, in which I will discuss the need for rationalization of security investments and outline key steps to strengthen your security posture and minimize cyber risk. (To register for the webinar visit here.)

Without data-driven evidence of security performance, companies stake their brand reputation and financial performance on assumptions that simply don’t match reality. Only by validating the effectiveness of security controls through automated data measurement, optimization and rationalization can a company maximize protections and minimize risk across the entire business.

To learn more about the FireEye Virtual Summit, or to register, click here.

About the Author

Earl Matthews, Maj General (Ret)
VP Strategy, Mandiant Security Validation
Major General Earl Matthews USAF is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead large-scale, diverse, global organizations that operate, extend, maintain and defend global networks. He has earned a reputation as a motivational leader and change agent focused on delivering technical innovations that resolve complex challenges.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.