Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
By Earl Matthews, Maj Gen, (Ret), Vice President of Strategy, Mandiant Security Validation
By Earl Matthews, Maj Gen, (Ret), Vice President of Strategy, Mandiant Security Validation
Sponsored Article

Why Now Is the Time for Security Validation

With tight budgets and a cybersecurity skills shortage, companies need a process, risk framework, and platform to continuously measure, optimize and rationalize security investments.

Did you know…

  • 53% of attacks successfully infiltrated without detection?
  • Only 9% of alerts are sent to the SIEM?
  • 65% of the time, CISOs are unaware that an attack could bypass their defenses?

Do you know what these statistics mean for your company, or how secure your assets are and what value you’re getting from your security investments? The data comes from the Mandiant Security Effectiveness Report 2020, A Deep Dive Into Cyber Reality, which shares findings from an evaluation of enterprise production environments across 11 global industries. The report reveals that despite a steady growth in security spending, organizations operate under the assumption that they are protected from cyber threats when in fact, most companies will be breached -- or already have been but they don’t know it.

This happens for many reasons, but most frequently because:

  • Security tools have not been properly configured or have regressed over time,
  • There are gaps in security protocols,
  • The IT environment is overly complicated, or
  • Security teams do not always have visibility to changes made to the IT infrastructure -- which is catastrophic, as one small change in the network can cause environmental drift to security.

This is clearly problematic from a security standpoint but it also means companies are investing in security and not getting the intended value. In today’s economic climate, businesses can’t afford to spend money on technology that doesn’t perform as expected. This was the case before Covid-19 struck, but now, with economic uncertainties and companies needing to cut costs, the mandate has become clear: CISOs and CFOs must work together in new ways to answer the age-old question “Are we safe from attacks?” with quantifiable metrics and proof. How well they do this may very well determine the financial future of the company.

Security Validation: Reduce Risk While Optimizing Performance 
What I’m talking about is the need for CISOs and CFOs to validate performance of their security investments. Validation is about measuring the effectiveness of a security program across technology, people, and processes to determine if an organization is getting value from their security spend. It’s also about aligning the security stack with desired business outcomes -- be it cutting costs, reducing risk or strengthening the brand, particularly when measured against the threats most likely to target the business.

This is not easy. Most organizations today have between 30-70 security tools, which lends to IT complexity and overlapping controls. Sure, companies are doing everything they can to maintain a strong security posture. But spending millions of dollars without knowing how well each control is performing or how to optimize each point solution for a particular IT environment is not an effective strategy.

To properly validate security performance, companies need a process, risk framework, and a platform to continuously measure a company’s security effectiveness, validate security performance, and financially rationalize cybersecurity investments. This process and framework cannot be a one-time process. Continuous vigilance and validation must be the new normal in order to protect against the acts of cyberhackers and respond to IT infrastructure drift, and unforeseen acts of nature. Three key steps must be taken:

  1. Assess to understand the relevance of threat intelligence and exposure to a likely attack and establish a baseline of the effectiveness of a company’s current cyber security program.
  2. Optimize to ensure that effectiveness is maintained, if not increased, once gaps and shortcomings are addressed or changes to the organization’s risk profile are established.
  3. Rationalization of financial value and costs means attaching financial value to cybersecurity effectiveness in order to justify spend, reduce costs and eliminate duplication and waste  while simultaneously maintaining or increasing security effectiveness in key areas: executive communications, remote working protocols, and customer data protection. Financial rationalization can demonstrate the alignment between the efforts of the cybersecurity technology stack, policies, and people with the desired outcomes, priorities, costs, and risk profile of the company.

I will be hosting a webinar on this topic, Validate Security Performance to Rationalize Investments, as part of the FireEye Virtual Summit at 4pm ET on June 11, in which I will discuss the need for rationalization of security investments and outline key steps to strengthen your security posture and minimize cyber risk. (To register for the webinar visit here.)

Without data-driven evidence of security performance, companies stake their brand reputation and financial performance on assumptions that simply don’t match reality. Only by validating the effectiveness of security controls through automated data measurement, optimization and rationalization can a company maximize protections and minimize risk across the entire business.

To learn more about the FireEye Virtual Summit, or to register, click here.

About the Author

Earl Matthews, Maj General (Ret)
VP Strategy, Mandiant Security Validation
Major General Earl Matthews USAF is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead large-scale, diverse, global organizations that operate, extend, maintain and defend global networks. He has earned a reputation as a motivational leader and change agent focused on delivering technical innovations that resolve complex challenges.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-26
All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, [email protected]-----------------------------------------------------------!.
PUBLISHED: 2020-11-26
This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.
PUBLISHED: 2020-11-26
petl before 1.68, in some configurations, allows resolution of entities in an XML document.
PUBLISHED: 2020-11-26
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.
PUBLISHED: 2020-11-26
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.