The Case for Security Instrumentation: Understanding and Measuring Cyber Risk

Written by

Cyber risk is now top of mind for C-level executives and the boards given the huge financial liability companies face when a breach occurs. Unfortunately, the financial impact of a potential cyber-attack still isn’t considered and measured like other systemic threats such as competitive pressures or product performance issues – mainly due to a lack of understanding of how to make such calculations.

At the same time, cyber-attacks are on the rise – and while millions of dollars are being invested by enterprises in security solutions, the number of breaches keeps increasing. 

In truth, cyber risk is now about much more than safeguarding a company’s assets. It’s about corporate brand risk, operational risk, and financial risk. Gartner recently reported that CEOs are increasingly being blamed and fired as a result of cybersecurity-related events, more so than IT executives. The research states that CIOs concerned with IT risk need to help CEOs better understand security effectiveness and risk, and achieve greater defensibility with key stakeholders.  

The situation that exists in corporations today is a growing gap between expectations around cybersecurity effectiveness and the reality of what is actually happening – opening companies up to tremendous risk by not addressing vulnerabilities that exist in their security infrastructure.

Continuing to throw more dollars at more security solutions, without a baseline understanding of what’s working and what’s not, will not give companies more protection. So what can CIOs do to better understand and address these gaps? How can they can better arm the C-suite with actionable insights about security effectiveness?

Ask the right questions
Security teams used to only have to worry about bits and bytes to determine the best security solutions to use. Today it’s about using cyber to enable the business and make it more effective across business units like sales, marketing, HR and finance – based on true quantitative measurements, not ‘squishy’ assumption-based metrics. Questions CIOs and security teams should be asking – and asking frequently – include:

  1. Are my tools working?
  2. Are my long-term and short-term processes effective? 
  3. Are my people effective?
  4. Is what I’m doing providing real value juxtaposed to investing somewhere else?

Conduct the right tests – and automate them
Audits and penetration tests only provide a one-time snapshot of security controls – what’s working and what’s not – but don’t provide the evidence needed to demonstrate what is working longer term. Additionally, these types of security tests stop short of enabling security teams to perform real, value-added tasks: find a hole, prescriptively fix the hole, validate that the fix is successful and automate the process of continued validation to make sure it stays fixed in perpetuity. In other words, fix it right and keep it fixed.

Instrumentation is a way to automate the entire process on an ongoing basis – measuring security effectiveness across prevention, detection, and response, as well as managing and improving security effectiveness through prescriptive results. Once you have made the required changes you can re-evaluate systems to make sure they’re working the way they’re supposed to.

When you have confidence that your systems are optimized and operating as intended, you can automatically monitor for environmental drift to ensure that what's working stays working – particularly as new components are added or business systems change, which can impact configuration and performance.

Optimize and rationalize your security stack 
A key question to understand when considering any security solution is, am I evaluating the right products to enable the business? For example, when it comes to business operations, you only create processes, build apps, or hire people if doing these things will improve effectiveness.

For years, security has gotten a pass because there haven’t been the right tools to actually measure it, but with instrumentation tools, we now have solutions that can determine how security components both enable and improve business.

Report actionable information to the executive team
Today’s security teams are being held to a much higher standard, and are being called to the carpet by the audit committee, the C-suite and the board. Key stakeholders want assurance that the security controls that are in place are doing what they’re supposed to.

Instrumentation platforms provide the kind of evidence-based, actionable reporting that business executives need in order to have peace of mind that the security infrastructure is being continually monitored and optimized to fully protect the brand, operations, and financial position.

Waiting until after an attack takes place to measure, monitor and improve your security systems – taking action while looking in the rear view mirror – puts your organization and its brand at tremendous risk.

Once a breach occurs, the damage is done and the fall-out will be long-lasting. Today’s security instrumentation tools are designed to help CIOs get maximum value out of their security investments and ensure that the company is taking the necessary steps to protect its assets from breach or attack. This is not only good security practice; it’s good business practice.

What’s hot on Infosecurity Magazine?