As cyber attacks become more frequent, targeted and sophisticated, organizations need to address and measure cybersecurity just as they would any other business function. And that means key stakeholders – from the CISO to the CEO to the board of directors – are focused on aligning security effectiveness with business objectives. Being able to prove where they stand from a risk perspective is just a starting point.
As we shared in our Mandiant Security Effectiveness Report 2020, many organizations are still faced with the challenge of being able to generate the evidence they need to communicate security effectiveness across the business. This is further complicated by a very real disconnect that continues to exist between IT and security, as well as between security leaders and those in the C-Suite.
In a nutshell, security effort does not equal security effectiveness, and without the right tools and resources to continuously measure and monitor controls, security professionals simply do not have the quantitative evidence to know where they have security gaps. And that’s dangerous, because that means they continue to operate under assumptions – as a result, they cannot provide the visibility needed to demonstrate accountability for their security program and provide the confidence that they are not vulnerable to an attack…or, worse yet, they have already been breached but don’t know it.
As shared in our report, here are three stats CEOs need to be asking their CISOs about NOW:
65% of the time, CISOs don’t know that an attack can bypass their defenses
If this is happening in most other organizations, then it can be happening in your company, too. As discussed in our report, the most common causes that we find when working with customers include: outdated classification categories; limited network monitoring on expected protocols; and inadequate tracking and communication of changes for one-off exceptions.
54% of CISOs don’t know their environment is being profiled
After testing network traffic, organizations reported only 4% of reconnaissance activity generated an alert. Common causes cited include network segmentation misconfiguration, lack of internal security control points, and inability to distinguish between reconnaissance from normal network monitoring.
67% of the time there is no visibility into data exfiltration going on in the environment
Without a doubt, data leakage and protection are a top concern for any organization, because once you have been infiltrated, attackers could be stealing your data without your even knowing it. And as noted in our report, what we found startling was that exfiltration techniques and tactics were successful most of the time during initial testing! The most common causes found were due to unknown fail-open conditions in security controls, lack of SSL inspection, misconfiguration of existing security controls, and under-resourced sandboxing techniques or outdated signatures.
In today’s world, every organization is being targeted for an attack, and most likely, they are at a much greater risk than they anticipated. Without evidence-based data, these companies will continue to operate based on assumptions and leaving themselves open to cyber risk. To close the gap, they need adversary-led security validation that enables an automated, continuous monitoring and measurement program. Only then can they know that their security controls are working the way they are supposed to and that their business-critical assets are protected.
Interested in learning how you can validate your controls against current and actual attacks? Visit here to download a full copy of the Mandiant Security Effectiveness Report 2020, including a list of the 10 fundamentals for successful cyber security effectiveness validation.