At 1 pm on Tuesday, December 5th, 2017, I’ll be presenting to the Information Systems Security Association (ISSA) in Phoenix, Arizona. You can register for the event here. Stop by and meet some of the Verodin team covering Arizona.
My presentation will focus on the urgent need for security instrumentation and the need for organizations to be able to measure, manage and improve security effectiveness.
Security effectiveness has become a leading topic of discussion among organizations that are quickly realizing that the legacy model simply doesn’t work and never really has. In that model, you scan for vulnerabilities, patch them, and then measure how effective your security is by the gap between patched and unpatched vulnerabilities.
This isn’t to say that you shouldn’t scan and patch; you should. But you have also invested in a ton of security controls across endpoint, network, email, and cloud, and they aren’t providing the value you need, or they can’t, because they aren’t being automatically and continuously instrumented. In short, you don’t know which security controls are working, which ones are not, or how to fix them. So, you just keep scanning and patching operating systems and applications while your security controls are not doing what you’re paying for.
Many organizations follow this model because it’s simply the way we’ve done things for several decades. It didn’t really work then, and it certainly isn’t working now.