The Verodin team and I have spent many quarters traveling all across the US and abroad. When we’ve been out there giving talks, we’ve also been collecting security statistics from hundreds of audience members via real-time polling software.
The results of these polls have created an interesting cross-section of perspectives. My audiences generally include red and blue security teams, auditors, security executives, and individuals representing various non-technical, non-security leadership roles across government organizations, financial services, transportation, telecom, retail, healthcare, and oil & gas, just to name a few.
For this blog, let’s take a look at the polling question: How much of your security is based on assumptions instead of evidence?
Unsurprisingly, a whopping 97 percent of respondents said that at least some of their security is based on assumptions. 81 percent said that at least half of their security is based on assumptions, and 10 percent said that all of it is.
I’m not at all shocked by these statistics. In fact, the Verodin Security Effectiveness Report found similar numbers when customers first started using Verodin SIP, specifically with regard to how effective their security tools actually were in production across measures like prevention, detection, and correlation. Basing security on assumptions instead of evidence is one of the main causes of reduced value from security tools and reduced overall security effectiveness. SIP’s ongoing approach addresses this directly: instrumentation isn’t about highlighting that only 20 percent of your security is effective, it’s about getting the other 80 percent and keeping it.
These organizations realize that basing security on assumptions isn’t a valid approach. However, until the arrival of platforms like the Verodin Security Instrumentation Platform (SIP), even with the best tools and the best people, it was almost impossible to validate security controls with any level of empirical evidence. As such, security was, and in many cases still is, assumption-based.
Assumptions waste time, money, and resources, and they have the added disadvantage of not effectively mitigating risk. The legacy approach many organizations took before SIP was a constant scan-patch-scan cycle. The approach that should be taken instead is to specifically measure, tune, monitor, and communicate the effectiveness of the security tools actually deployed. For reference, see Verodin’s recent security blog post that shared some statistics on this approach, titled “What’s most important to your security program?”
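One way to make the measuring step concrete, as an added illustration and not Verodin’s or SIP’s own code: a small Python harness in which every test action carries an expected outcome, the evidence is what the control and the SIEM actually recorded, and anything unobserved is scored as a failure rather than assumed to work. The action IDs, alert names and observations below are constructed sample data; the prevention and detection percentages are computed only from that evidence, and the gap list is what a tuning or monitoring step would act on.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TestAction:
    """One safe, repeatable test an instrumentation run pushes through a control."""
    action_id: str
    description: str
    expect_prevented: bool        # should the inline control block it?
    expect_alert: Optional[str]   # alert name the SIEM should raise, or None


@dataclass(frozen=True)
class Observation:
    """What the control and the SIEM actually recorded for one action (the evidence)."""
    action_id: str
    prevented: bool
    alerts: tuple = ()


def evaluate(actions, observations):
    """Score actions against evidence only.

    An action with no observation is counted as a failure, never as an assumed pass:
    'we never saw it fail' is not the same as 'we saw it work'.
    """
    seen = {o.action_id: o for o in observations}
    prevention, detection, gaps = [], [], []
    for a in actions:
        o = seen.get(a.action_id)
        if a.expect_prevented:
            ok = o is not None and o.prevented
            prevention.append(ok)
            if not ok:
                gaps.append((a.action_id, "not prevented" if o else "no evidence"))
        if a.expect_alert is not None:
            ok = o is not None and a.expect_alert in o.alerts
            detection.append(ok)
            if not ok:
                gaps.append((a.action_id, f"missing alert {a.expect_alert}" if o else "no evidence"))

    def pct(results):
        return round(100.0 * sum(results) / len(results), 1) if results else None

    return {"prevention_pct": pct(prevention), "detection_pct": pct(detection), "gaps": gaps}


def regressions(previous, current):
    """Gaps present in the current run that were absent in the previous one.

    This is the 'monitoring' step: a control that passed last quarter and fails now
    is exactly the drift that assumption-based security never notices.
    """
    before = set(previous["gaps"])
    return [g for g in current["gaps"] if g not in before]


# Constructed sample data (hypothetical action IDs and alert names, not from any product).
ACTIONS = (
    TestAction("a1", "outbound connection to known-bad domain", True, "egress-block"),
    TestAction("a2", "malicious file dropped on endpoint", True, "av-quarantine"),
    TestAction("a3", "credential dump attempt (detect only)", False, "lsass-access"),
    TestAction("a4", "lateral movement over SMB", True, "smb-lateral"),
    TestAction("a5", "DNS tunnelling beacon (detect only)", False, "dns-exfil"),
)

OBSERVATIONS = (
    Observation("a1", True, ("egress-block",)),
    Observation("a2", True, ()),                 # blocked but never alerted: detection gap
    Observation("a3", False, ("lsass-access",)),
    Observation("a4", False, ("smb-lateral",)),  # alerted but not blocked: prevention gap
    # a5 produced no record at all; it is scored as a failure, not assumed to work.
)


def validate_sample():
    """Run the constructed sample through the harness."""
    return evaluate(ACTIONS, OBSERVATIONS)


if __name__ == "__main__":
    result = validate_sample()
    print(f"prevention: {result['prevention_pct']}%  detection: {result['detection_pct']}%")
    for action_id, reason in result["gaps"]:
        print(f"  gap: {action_id}: {reason}")
```

The two percentages are the numbers worth reporting upward; the gap list is the work queue for tuning. Running the same action set again after changes and diffing the gap lists with `regressions` turns a one-off assessment into the ongoing measurement the paragraph describes.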
Once the shift is made from assumption-based security to evidence-based security, it becomes possible to start rationalizing security tools. You can address questions like, “What’s working, what’s not, what should be replaced, where do we need to invest, and how should we prioritize changes?” Managing security with proof of effectiveness changes the entire paradigm of security management: it allows organizations to get real value from their current security investments and to prove the value those investments are yielding.