The world is now well aware of Yahoo’s cautionary tale of failing to properly respond to their 2013 and 2014 security breaches.
Beyond the class action lawsuits and CEO Marissa Mayer not receiving her 2016 bonus from the board, there is real concern that this will greatly impact and possibly halt Verizon’s $4.83 billion acquisition of Yahoo. Yahoo wasn’t the first organization to suffer a breach and they certainly won’t be the last. But what can we learn from this cautionary tale?
Here are five essential security principles every organization should be applying.
- Know how you are or aren’t continuously measuring security effectiveness across your organization.
- Understand the effectiveness of your existing security technologies when under attacks you control.
- Recognize how your security team responds to attacks you are launching.
- Identify the gaps in your incident response processes during your attack sequences.
- Put in place a mechanism to regularly communicate this information to stakeholders like the executive team and board?
To evaluate your security effectiveness, you must be able to safely execute real attacks in your production environment. Safely, because you don’t want to damage anything. Real attacks, because the “bad guys” don’t use virtual, simulated or fake attacks. And, this must be done on your production network, because evaluating security in a lab is like practicing for your driver’s test by playing Grand Theft Auto instead of actually getting on the road.
These types of evaluations will allow you to assess your security technology, your people, and your processes. You can do this at a point in time and trend it over time. You can also use this for evaluating new products and new hires.
Now, none of this matters if business decision makers are not aware of security issues and equally important, understand them enough to make educated business risk decisions.
All businesses have risk -- security is just one flavor. Deciding to expand to APAC, introduce a new product line, hire someone or update that firewall are all business risks and have to be evaluated under the totality of the entire business – not in an isolated silo of security bits and bytes. As such, being able to produce executive reports about the state of your security effectiveness that is understandable to non-security, non-technical individuals is essential for security, the business, and your stakeholders.
Verodin is defining the emerging concept of Instrumented Security™. Its revolutionary platform empowers enterprises to remove assumptions and prove their security effectiveness with empiric data. Verodin customers are able to dramatically increase the ROI of their existing security investments, achieve maximum value from future spending and measurably mature their cyber prevention, detection and response effectiveness.
Request a demo and learn more about Verodin at https://verodin.com/.