You trust your bank to correctly track and transfer all of your expenses, right? That’s their job. Yet we still periodically check our balances and balance our checkbooks to make sure there have been no mistakes. “Companies need to spend more time ensuring that their security controls are working the way that they designed them. Continuous assurance that your tools are functioning properly is much better than a one-and-done pen-test performed annually,” says John Pironti, President of IP Architects. He recently wrote an article for a JMI Equity Newsletter where he shared some interesting security perspectives.
John reminisces about talking with CISOs when the WannaCry Ransomware hit in May 2017. CISOs wanted to know what they had to buy to make WannaCry go away. John told them, “Don’t buy anything.” You see, there is often a kneejerk reaction to invest in new tools when something like WannaCry garners massive media attention. John advised them to invest in making their core IT operations better as opposed to buying the next shiny thing.
Making what you’ve got better is a simple yet powerful idea. The Verodin Security Instrumentation Platform (SIP) is all about allowing organizations to continuously validate their security efficacy across people, processes, and technology. Verodin SIP empowers organizations with configuration assurance and assists with product procurement, optimization, and retirement.
As a foundational security solution that actually helps improve security effectiveness, Verodin SIP is directly in line with John’s statements. Let’s take what you’ve got and make it better. Should there be a legitimate technical problem that is outside of the organization’s acceptable appetite for risk, then new solutions should be entertained.
Security today is more strategic than ever before as it aligns with core business initiatives and has to be measured like other strategic business units. Because of this, it’s not just the offensive and defensive security teams and the CISO that care about security anymore. It’s the CIO, CFO, CEO, boards and audit committees on those boards that have shown increased interest.
Auditors and business executives are no longer asking if the security team has solutions in place to mitigate risk because the answer is almost always “yes.” They want to know, with evidence-based data, if the security solutions in place are actually doing what they have paid for. There is increased enthusiasm for proving value, as there should be. Just because a security product is running, there shouldn’t be an assumption that it’s doing what you need. Trust but verify comes to mind.
John goes on to talk about the disconnect between how security vendors and c-suites view risk. This disconnect makes it a challenge when the security team attempts to report the state of security effectiveness and it’s not at all aligned with business priorities and risk.
Verodin SIP provides the empiric evidence needed to communicate to technical and non-technical decision makers, the state of security effectiveness. Verodin SIP also helps you generate reports so not only can you measure, manage and improve security effectiveness, but you can discuss security issues in terms that are relevant to the business.
For example, instead of simply requesting millions of dollars for a new DLP solution because data is valuable and everyone else is buying DLP, you can back up the request with quantifiable evidence such as:
- There is a data leakage problem from the critical server network to the Internet
- Verodin SIP has demonstrated that data leaks are not being blocked or detected
- Verodin SIP has shown that sensitive customer PII can be exfiltrated over several conduits without obfuscation
- There are no security controls between the critical server network and the Internet today that can be instrumented to address the data leak problem
- This is not an ethereal risk – this is a proven problem
Now the conversation becomes a business discussion. Is the risk to the business of a data leak containing customer data greater than the cost of a DLP solution? Technical and non-technical decision makers can then determine the correct course of action more quickly and from a more informed stance thanks to Verodin SIP.
Security instrumentation is all about managing, measuring and improving security effectiveness and delivering value. It’s also about more strategically aligning security with the business mission. The time to demand greater security effectiveness is hear. Check out how Verodin can help.