business need

understanding risk

The disconnect between an organization's cybersecurity assumptions and its true posture is generally so vast that any discussion around "cyber risk" is premature. Remove assumptions and validate effectiveness.
[Figure: controls effectiveness; optimize & rationalize; environmental drift detection; understanding risk]
“Companies need to urgently validate that their security stack is working in the way it was intended. Verodin is fundamental to understanding and mitigating your risk. Without the ability to proactively and continuously test security efficacy, you’re going to be very much exposed.”
ART COVIELLO
Board Member, Fortune 200 Financial
Former Executive Chairman & CEO, RSA

"CYBER EFFECTIVENESS" BEFORE "CYBER RISK"

Cybersecurity infrastructures have ballooned over the years without the instrumentation necessary to dynamically measure and manage their effectiveness. Business executives want and need to have a data-driven conversation around cyber risk, and many products and methods have appeared to fill the void.

Unfortunately, most current cyber risk scores and reports are misleading at best and fundamentally damaging at worst, as they are based on assumptions rather than evidence.

flawed approaches

The Questionnaire

Asking questions about assumptions with no evidence or proof cannot reasonably quantify anything, much less risk. Unfortunately, questionnaires have become baked into a lot of legal contracts, while adding little-to-no value.

Control Check Lists

Many organizations buy a control based upon a business goal with no real validation of whether the control is actually accomplishing it. They then use this list of controls to make broad statements around risk with no understanding of what each control is actually doing.

For example, there is a call to "protect customer data," so funds are approved for a DLP, which then gets implemented in alerting-only mode. The desire to stop malware and "advanced threat behaviors" generates funds to purchase a Next Generation Firewall (NGFW), which only actually blocks 25% of the things it is marketed to do out-of-the-box.

Simply owning a technology means nothing. The technology’s effectiveness and configurations must be validated, continuously.

Determining the "Risk of Being Breached"

Your risk of being breached is 100%. As an industry, we have stated this for years. However, we still turn around and market "strategies of prevention" and other false hopes. An organization must understand and continuously quantify its capabilities to prevent, detect and respond to the threats it is concerned about. This has to happen at a large scale before the yearly stats showing that breaches take months to detect will begin to go down in a meaningful way.

As a result of these flawed approaches to cyber risk, organizations have had to rely on the promises of buzzwords and assumptions about their cybersecurity posture vs. reality.

Over time, this has led to a massive disconnect between the dollars spent and actual protection value received.

the path to understanding cyber risk

  1. Remove assumptions and validate control effectiveness
  2. Optimize the controls you have already purchased and deployed
  3. Understand the real gaps and target them with evidence-based tests
  4. Rationalize cybersecurity spend by removing overlapping controls
  5. Combat environmental drift by continuously validating effectiveness
  6. Continuously test the production IT environment against the threats and scenarios targeting business critical assets
  7. Drive decision-making based on the resulting data-driven metrics

Once there, organizations are able to answer specific risk questions and make EVIDENCE-based business decisions rather than relying on assumptions.
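The seven steps above describe a measurement loop: run scenarios against deployed controls, record what each control actually did, compare runs to catch drift, and derive metrics from the evidence. The following is an added example of that loop's bookkeeping, written for this page and not code from Verodin or any product; the control names, scenario names and outcomes are constructed records standing in for what real instrumentation would report, and `effectiveness`, `drift`, `overlaps` and `gaps` are names chosen here. It covers steps 1, 3, 4 and 5: the DLP that was bought to block but ends up in alerting-only mode (the page's own example) shows up as a regression between the baseline and the current run.

```python
"""Evidence-based control validation with drift detection (constructed example).

Each Result is the observed outcome of one validation scenario run against one
deployed control. The data below is constructed for illustration; a real harness
would fill it from whatever actually executed the scenarios and watched the controls.
"""
from collections import defaultdict
from dataclasses import dataclass

# Outcome vocabulary for one scenario run, ordered from most to least effective.
OUTCOMES = ("blocked", "alerted", "missed")
RANK = {o: i for i, o in enumerate(OUTCOMES)}


@dataclass(frozen=True)
class Result:
    control: str   # the deployed control under test, e.g. "DLP" (hypothetical label)
    scenario: str  # what the test exercised, e.g. "outbound-file-with-pii-marker"
    outcome: str   # one of OUTCOMES, as observed by the instrumentation

    def __post_init__(self):
        if self.outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {self.outcome!r} for {self.control}")


def effectiveness(results):
    """Per-control share of scenarios blocked (prevention) and blocked-or-alerted
    (detection). Returns {control: (prevent_ratio, detect_ratio)}."""
    counts = defaultdict(lambda: [0, 0, 0])  # blocked, alerted, total
    for r in results:
        c = counts[r.control]
        c[2] += 1
        if r.outcome == "blocked":
            c[0] += 1
        elif r.outcome == "alerted":
            c[1] += 1
    return {k: (b / t, (b + a) / t) for k, (b, a, t) in counts.items()}


def drift(baseline, current):
    """(control, scenario, before, after) for every scenario whose outcome got
    worse since the baseline run: the environmental drift step 5 talks about."""
    base = {(r.control, r.scenario): r.outcome for r in baseline}
    regressions = []
    for r in current:
        before = base.get((r.control, r.scenario))
        if before is not None and RANK[r.outcome] > RANK[before]:
            regressions.append((r.control, r.scenario, before, r.outcome))
    return sorted(regressions)


def overlaps(results):
    """Scenarios blocked by more than one control: candidates for step 4,
    rationalizing spend on overlapping controls."""
    by_scenario = defaultdict(set)
    for r in results:
        if r.outcome == "blocked":
            by_scenario[r.scenario].add(r.control)
    return {s: sorted(c) for s, c in by_scenario.items() if len(c) > 1}


def gaps(results):
    """Scenarios that no control blocked or alerted on: the evidence-based gaps of step 3."""
    best = {}
    for r in results:
        best[r.scenario] = min(best.get(r.scenario, "missed"), r.outcome, key=RANK.get)
    return sorted(s for s, o in best.items() if o == "missed")


# Constructed baseline run: DLP was blocking when first validated.
BASELINE = [
    Result("DLP", "outbound-file-with-pii-marker", "blocked"),
    Result("DLP", "outbound-email-with-pii-marker", "blocked"),
    Result("NGFW", "known-malware-download", "blocked"),
    Result("NGFW", "c2-beacon-pattern", "alerted"),
    Result("NGFW", "outbound-file-with-pii-marker", "blocked"),
    Result("EDR", "known-malware-download", "blocked"),
    Result("EDR", "credential-dump-behavior", "missed"),
]

# Constructed current run: the DLP has since been switched to alerting-only mode.
CURRENT = [Result(r.control, r.scenario, "alerted") if r.control == "DLP" else r
           for r in BASELINE]

if __name__ == "__main__":
    for control, (prevent, detect) in sorted(effectiveness(CURRENT).items()):
        print(f"{control:5} prevent={prevent:.0%} detect={detect:.0%}")
    print("drift since baseline:", drift(BASELINE, CURRENT))
    print("overlapping blocks:", overlaps(CURRENT))
    print("uncovered scenarios:", gaps(CURRENT))
```

The point of keeping three separate outcomes rather than a pass/fail bit is that "alerted" is exactly the state the page warns about: the control is present and appears on a checklist, yet its prevention value is zero. Re-running the same scenarios on a schedule and diffing against the last accepted baseline is what turns a one-off assessment into the continuous validation the list describes.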
"In every other risk discipline that an enterprise is managing, there are hard, quantifiable bits of information that you use to tell if you are making progress. Security instrumentation gives us that quantifiable insight into where we need to invest our time, money and people."
FRANK KIM
CISO | Advisor | Educator
SANS Institute