If you know AttackIQ, you probably know us as the leading independent vendor of Breach & Attack Simulation systems. We build the best security control validation solution available. So how is it that I say our business is not security testing? Security testing is a major capability of our software platform, but our business is empowering the CISO to design, build, and operate an effective, efficient, and agile security program. In this blog, I’ll talk about why that job is getting harder and our strategy to help the CISO succeed.
A CISO must do one hard thing: protect the business against cyberattacks. The complication is the drumbeat of relentless change: the continuing need for new security capabilities. The threat environment changes, requiring new capabilities. Security technologies and the vendor landscape evolve, requiring new capabilities. And the business is putting in place new capabilities that must themselves be protected. The CISO must be agile in adapting to change and yet maintain operational rigor to manage risk.
None of that is new. What is new is the extraordinary onset of the novel coronavirus, a historically disruptive event that impacts every part of our lives. The COVID-19 era presents CISOs with a radically new security environment. Adversaries are attacking more vigorously under COVID-19, exploiting the vulnerabilities revealed both by the shift to work from home and the broader socio-economic disruptions accompanying the disease. The coronavirus and its socio-economic impact have made the United States and countries around the world more vulnerable to data exploitation, destruction, and disinformation. All of this impacts the CISO dramatically.
Practically, however, for the CISO, I believe the most enduring consequence will be the effect on security budgets.
For the last decade, the primary answer to the need for new capabilities has been bigger security budgets. Teams have grown; the number of controls and vendors has grown. That was appropriate. Ten years ago, the industry in the aggregate was woefully underinvested in cybersecurity. But no tree grows to the sky, as they say. We are now more than 10 years into a major infrastructure build in cybersecurity. Before COVID-19, analysts were already forecasting a major slowdown in security budget growth. COVID-19 has accelerated budget scrutiny, stalls, and declines. A recent McKinsey article, “COVID-19 crisis shifts cybersecurity priorities and budgets”, said that 70% of CISOs surveyed expected their budgets to go down this year, but that they expected to ask for more budget in 2021. For their sake, I hope they are right. But I fear that many will find that to be wishful thinking. A prudent CISO will move from a build-out mode to an optimization mode, focusing on driving productivity in their teams, tools, and overall spend. What is productivity for a security control? It’s effectiveness in protecting against adversary behaviors. Improving productivity requires the ability to prove it. That’s where security testing comes in.
The market already knows this in some sense. According to the Voice of the Enterprise Digital Pulse: Budgets & Outlook 2020 study from 451 Research, part of S&P Global Market Intelligence, BAS is an emerging technology that is gaining attention among security professionals. Last year, 451 Research added BAS (along with quantum computing) to the list of selected “emerging technologies” highlighted in that study, which also includes artificial intelligence, data analytics, zero trust, and edge computing. Why is Breach & Attack Simulation hot? Because it is time for the industry to move from a focus on building out infrastructure to making sure that it works. That requires investment in optimization capabilities. More is not better. Better is better.
Today’s announcement of the Security Optimization Platform (SOP) and the associated supporting announcements collectively represent a major milestone in the execution of our strategy. We have built the world’s best continuous security control validation platform, the AttackIQ Informed Defense Architecture. But that’s not enough. Our product provides no defense by itself; it works only in conjunction with an array of security control technologies from other vendors. The Preactive Security Exchange (PSE) represents a deep commitment to work together with these vendors on the common mission to improve security control effectiveness and the effectiveness of our security testing. AttackIQ Academy, AttackIQ’s membership in the MITRE Center for Threat Informed Defense, our practitioner-centric customer success organization, and our Blueprints demonstrate AttackIQ’s commitment to establishing the practice of security optimization: improving effectiveness and efficiency across the security organization.
There’s an old saying, “You can’t manage what you can’t measure.” If you can’t measure how well you’re protecting the business against cyberattack (the primary outcome), then your metrics will be activity-based and not outcome-based. The business will get activity, but with an unacceptably high risk of cyberattack, or, alternatively, an acceptable risk at too high a cost. In the new normal, the CISO must do both: operate effectively and efficiently. AttackIQ’s business is helping the CISO to do that.