Quantifying Security Posture is Key to Mitigating Risk

“The security discussion starts with risk, but what has become very apparent at the board level is that most don’t really understand what’s in front of them.”

These were the words of Ali Neil, director international security, Verizon, speaking at The European Information Security Summit 2019 in London. Neil said that quantifying security posture is key to mitigating risk, and “we need a means of measurement” for proving that value to business leaders.

Neil presented a ‘360º Risk Visibility’ assessment of the security industry that highlighted the following:

In 70% of attacks where we know the motive for the attack there is a secondary victim
Traditional risk evaluation is often done through point in time engagements
Supply chain audit is increasingly burdensome, diverse in method and costly
Security programs must be programs of continuous improvement and their budgets and efficacy validated
Risk evaluation in M&A activity is an increasing factor and workload
Strategic, operational and tactical intelligence needs to be decoupled and provided to the right business user
Organizations and service providers need a dynamic tool to measure the efficacy of their security strategy

He therefore suggested a framework of what is needed in order to do an effective risk measurement of where an organization sits in the market.

The first step of that framework is rating: using data from public sources on the internet, where external risk vectors are identified and evaluated to provide a risk rating.

The second is an external risk view, contextualized: external risk vectors data is augmented with the DBIR's three pattern data and dark web analytics for an enhanced external rating.

Third is an internal view from endpoint and infrastructure: a refined security posture rating through an internal scan for malware, unwanted programs and dual usage tools within your endpoints and infrastructure.

The fourth step is a culture and process view: an in-depth, onsite assessment of the security culture, processes, policies and governance within an organization.

Lastly is a security posture rating: an aggregated rating across all levels providing a 360º view of a company’s cyber-risk posture.

#TEISS19: Quantifying Security Posture is Key to Mitigating Risk

Michael Hill

You may also like

Cybersecurity Skills Gap Beginning to Have Real Effects on Business

CISOs' Role Becoming More Strategic, But there Are Growing Pains

Infosecurity Europe 2013: Risk management means engaging the board

#RSAC: How to Get and Maintain Your Risk Appetite

Answers to Board Questions Should Educate, Engage

What’s hot on Infosecurity Magazine?

Linux Cerber Ransomware Variant Exploits Atlassian Servers

US Government and OpenSSF Partner on New SBOM Management Tool

Insider Threats Surge 14% Annually as Cost-of-Living Crisis Bites

UK Police Lead Disruption of £1m Phishing-as-a-Service Site LabHost

EU Elections: Pro-Russian Propaganda Exploits Meta's Failure to Moderate Political Ads

Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation

Banning Ransomware Payments Will Do More Harm Than Good

Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation

Palo Alto Networks Warns About Critical Zero-Day in PAN-OS

Russian Sandworm Group Using Novel Backdoor to Target Ukraine and Allies

Russia and Ukraine Top Inaugural World Cybercrime Index

FBI Warns of Massive Toll Services Smishing Scam

Is MFA Enough? Strategies for Next-Level Identity Security in 2024

Navigating the Evolving Cybersecurity Compliance Landscape in 2024

Cracking the Culture Code: Building a Cybersecurity-Aware Workforce

Beyond Passwords: Securing the Digital Age with MFA, 2FA, and Passwordless Authentication

Adapting to Tomorrow's Threat Landscape: AI's Role in Cybersecurity and Security Operations in 2024

Untangling the Web: Navigating Third-Party Risk in a Hyperconnected World

Infosecurity Magazine Spring Online Summit 2024: Day One

Infosecurity Magazine Spring Online Summit 2024: Day Two

Russia’s Midnight Blizzard Accesses Microsoft Source Code

I-Soon GitHub Leak: What Cyber Experts Learned About Chinese Cyber Espionage

LockBit Takedown: What You Need to Know about Operation Cronos

Women in Cybersecurity at Infosecurity Europe 2024

#TEISS19: Quantifying Security Posture is Key to Mitigating Risk

Written by

You may also like

What’s hot on Infosecurity Magazine?