Contrary to the “magic black box” myth, cybersecurity programs can (and should) perform like any other metrics-driven business unit. But one critical ingredient is often missing: clear communication to executive leaders.
How are you demonstrating the effectiveness of your layered defenses to the “powers that be”?
It’s a question that is coming up more and more now that cybersecurity leaders finally have a seat at the “adults’ table.” Exec management invests millions of dollars, deploys hundreds of tools and exhausts massive amounts of effort to keep their organizations “safe” from cyber threats. It falls on security practitioners to prove the effectiveness (or ineffectiveness) of cyber initiatives, identify fundamental risks to the business and communicate with straightforward, evidence-based reports.
Art Coviello, former RSA Chair, says it best in a recent interview with Information Security Media Group. Coviello advises security leaders that:
“Increasingly, all boards are looking at cyber as a fundamental risk… Boards are getting to that level where they understand they need to create a culture of security. Then, it becomes incumbent for practitioners to educate them… not with jargon but with ‘plain talk’. And, helping them understand exactly what the risk is BEFORE they start talking about solutions or APT attacks and other jargon that practitioners tend to do. So, help them understand.”
It all comes down to (you guessed it) good communication. OK. Sounds simple enough… but every security leader knows this is easier said than done. Lack of visibility beyond traditional, point-in-time security assessments makes it impossible to truly understand and communicate cybersecurity effectiveness. Without systems in place to continuously challenge and validate layered defenses across people, processes, and technology, organizations are forced to manage cybersecurity programs through assumptions and hope. The kneejerk response to this uncertainty is to pile more “solutions” onto the stack.
Verodin is seeing that the average F500 has deployed 100+ different cybersecurity products. Naturally, a significant amount of these tools overlap and further complicate the environment. We, at Verodin, call this condition “Security Tools Overload.”
Side effects of Security Tools Overload include, but are not limited to:
- Wasted time and money
- Over-complicated environment
- Slower detection and response times
- Elevated risk
- Alert fatigue
- Shelfware pile up
- Solution overlap
- Lack of visibility
- Ineffective teams and processes
Organizations in every vertical suffer from this condition… And, it’s largely due to the one-size-fits-all marketing messages spat out by vendors. Verodin recently produced a hilarious spot about security buzzwords that confirms infosec leaders’ complete disdain for “marketing fluff.” Even though the video is humorous, this systematic lack of clarity leads to unrealistic expectations which are seriously unfunny. It’s no wonder Art Coviello’s keynote at the Washington Fraud and Breach Prevention Summit was entitled “An Industry and Practitioners in Crisis.”
Back to the interview, Art goes on to warn security leaders everywhere that:
“If you don’t start with maintaining… I don’t mean doing it once. But, constantly evolving your understanding of risk then there’s just no way you can cost-effectively create a system of security infrastructure that’s going to work for you in anywhere near a coherent fashion. Most of what I see is incoherent… It’s just grab another product to solve another problem… But, before you know it, they’ve got four or five redundant products… They don’t know which one to pull out… And, again, they don’t even know what risk they’re mitigating. So, it’s a complete disaster.”
A similar sentiment is voiced in a separate video interview with former Blackstone CISO and Verodin customer, Jay Leek.
“We’ve deployed all these technologies, so you often wonder: ‘Am I getting the return on my investment?’ I sit in so many different rooms with leading security CISOs from Fortune 500s and ask the following question: ‘Have you EVER retired a security control in your environment?’ The answer is always ‘no’ — because everyone’s afraid to pull something out.”
Look, I know this is kind of a buzzkill blog to post on a Monday, BUT there’s a happy ending to this backward security saga. Verodin provides a metrics-driven path out of Security Tools Overload to a new world of streamlined communication up (and down) the ladder.
Verodin enables customers to:
- Expose true gaps across people, processes, and technology
- Maximize ROI from existing security investments
- Streamline communications with the exec management and board
- Clearly demonstrate security spend-to-value
- Identify overlapping security tools and deadweight controls
- Improve processes and measurably mature defenses
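To make the measurement idea above concrete, here is an added illustration (my own example, not Verodin code, and not how the Verodin platform works internally) of the kind of evidence a continuous validation program produces. It assumes a hypothetical run in which each test action (a known malware sample, a DNS tunnel, and so on) is executed once and each control reports whether it blocked it, only alerted on it, or missed it; the action and control names and every outcome below are constructed sample data. From that one table you can derive the numbers an executive actually wants: per-control effectiveness, actions nothing caught (true gaps), controls whose every hit is already covered by another control (overlap candidates), and regressions between two runs.

```python
"""Score security-validation test runs per control (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    action: str   # hypothetical test action, e.g. "lateral/psexec"
    control: str  # hypothetical control under test, e.g. "edr"
    outcome: str  # "blocked", "alerted" or "missed"


# Constructed sample run: one row per (action, control) pair that was exercised.
SAMPLE = [
    Result("malware/known-sample", "av", "blocked"),
    Result("malware/known-sample", "edr", "blocked"),
    Result("malware/known-sample", "siem", "alerted"),
    Result("exfil/dns-tunnel", "av", "missed"),
    Result("exfil/dns-tunnel", "edr", "missed"),
    Result("exfil/dns-tunnel", "siem", "missed"),
    Result("exfil/dns-tunnel", "dns-filter", "blocked"),
    Result("lateral/psexec", "av", "missed"),
    Result("lateral/psexec", "edr", "alerted"),
    Result("lateral/psexec", "siem", "alerted"),
    Result("cred/mimikatz", "av", "missed"),
    Result("cred/mimikatz", "edr", "blocked"),
    Result("cred/mimikatz", "siem", "missed"),
    Result("c2/https-beacon", "av", "missed"),
    Result("c2/https-beacon", "edr", "missed"),
    Result("c2/https-beacon", "siem", "missed"),
    Result("c2/https-beacon", "dns-filter", "missed"),
]

# Constructed later run: identical except EDR now misses the credential-theft action.
SAMPLE_LATER = [
    Result(r.action, r.control, "missed")
    if (r.action, r.control) == ("cred/mimikatz", "edr") else r
    for r in SAMPLE
]


def hits_by_control(results):
    """Map each control to the set of actions it blocked or alerted on."""
    hits = defaultdict(set)
    for r in results:
        if r.outcome in ("blocked", "alerted"):
            hits[r.control].add(r.action)
    return hits


def effectiveness(results):
    """Per control: fraction of the actions it was tested against that it caught."""
    tested = defaultdict(set)
    for r in results:
        tested[r.control].add(r.action)
    hits = hits_by_control(results)
    return {c: len(hits[c]) / len(tested[c]) for c in tested}


def covered(results):
    """Actions that at least one control blocked or alerted on."""
    return {r.action for r in results if r.outcome != "missed"}


def gaps(results):
    """Actions every control missed: the true gaps in the layered defense."""
    return sorted({r.action for r in results} - covered(results))


def redundant(results):
    """(control, other) pairs where every hit of `control` is also a hit of `other`.

    These are overlap candidates for a retirement discussion, not a verdict:
    this treats a block and an alert alike and ignores cost and coverage depth.
    """
    hits = hits_by_control(results)
    pairs = [
        (c, other)
        for c, acts in hits.items()
        for other, oacts in hits.items()
        if other != c and acts and acts <= oacts
    ]
    return sorted(pairs)


def regressions(before, after):
    """Actions caught in an earlier run that nothing catches in the later run."""
    return sorted(covered(before) - covered(after))


if __name__ == "__main__":
    print("effectiveness:", effectiveness(SAMPLE))
    print("gaps:", gaps(SAMPLE))
    print("overlap candidates:", redundant(SAMPLE))
    print("regressions since last run:", regressions(SAMPLE, SAMPLE_LATER))
```

On the sample data this reports the HTTPS beacon as the one action nothing caught, flags the antivirus as fully overlapped by EDR (and by the SIEM), and shows the credential-theft action dropping out of coverage in the later run because EDR was the only control that had caught it. That last point is the caveat to carry into any “retire a control” conversation: a control that looks redundant on today’s run is also the only thing standing behind the next control’s regression, so the overlap list is input to a decision, not the decision itself.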
Verodin is the first business platform to measure, manage and improve cybersecurity effectiveness. The Verodin Security Instrumentation Platform (SIP) enables organizations to understand and communicate cybersecurity effectiveness with quantifiable, evidence-based data. By demonstrating the impact of modern threats and malicious activities within the context of your environment, Verodin SIP proves the effectiveness of your investments, proactively identifies configuration issues in your security stack and exposes true gaps across your people, processes, and technology. Verodin provides clarity on what a threat means for you and empowers you to drive decisions and priorities with empirical data. Verodin dramatically increases the ROI of existing and future security investments and quantifiably measures if security posture is improving or regressing over time.
Learn more at verodin.com