We spent last week at RSA and not only had three presentations and put on a reception that was very well attended, but also participated in many CIO/CISO events. One question we posed to a number of security leaders was:
How are you validating your security posture?
The overwhelming answer was: We don’t. We only find out via a third party or internally once we are breached.
So short of a breach most companies are not qualifying their security program and posture. As long as they don’t see a problem they assume everything is running correctly. And we all know what happens when we assume.
In the face of ever-increasing numbers of attacks, the average enterprise deploys 75 distinct security products (1), receives more than 17,000 alerts per day (2), and spends an average of $115 per employee on security (3). As an industry, we are getting into a cycle of buying more security technologies and then hiring more security engineers to manage those technologies. We need to get a handle on our capabilities sooner rather than later.
The way we do that is to assess your security posture. Validating and challenging your entire defensive chain of technologies, products, people, and processes.
Last week I gave a talk at RSA on the value of continuously validating your security controls. Both from a prevention perspective and a defensive perspective. You as an organization have bought a great deal of security products. You assume those products operate as promised and are configured properly. Shouldn’t you test those assumptions?
Organizations can validate their security controls by proactively instrumenting them. Challenge the assumptions about each security control, both on a holistic level by measuring your entire defense-in-depth chain and on a granular level, creating unit tests for each individual security control. Doing this allows you to have an answer to how you validate your current security controls and determine the ROI of its capabilities. You will be able to confidently answer questions that you were not able to before and minimize the impact of a data breach which before was the only measurement of a successful security program. Don’t just do this annually or when the board of directors asks. Do this daily, weekly, hourly. Make repeatable, consistent testing a part of your routine, just as changing passwords or locking the lobby door occurs on a regular and predictable basis.
Testing assumptions in a data-driven way allows you to make informed decisions. Which technologies are helping to minimize your risk? Which technologies have no value to helping your security posture? Where are your gaps, weaknesses and blind spots that need to be filled with new technologies?
In my next post, I’ll talk about instrumenting your security controls to generate continuous data that lets you know whether your current security architecture is working as expected.