“The security discussion starts with risk, but what has become very apparent at the board level is that most don’t really understand what’s in front of them.”
These were the words of Ali Neil, director of international security at Verizon, speaking at The European Information Security Summit 2019 in London. Neil said that quantifying security posture is key to mitigating risk, and that “we need a means of measurement” to prove that value to business leaders.
Neil presented a ‘360º Risk Visibility’ assessment of the security industry that highlighted the following:
- In 70% of attacks where the motive is known, there is a secondary victim
- Traditional risk evaluation is often done through point-in-time engagements
- Supply chain audit is increasingly burdensome, diverse in method and costly
- Security programs must be programs of continuous improvement, with their budgets and efficacy validated
- Risk evaluation in M&A activity is an increasing factor and workload
- Strategic, operational and tactical intelligence needs to be decoupled and provided to the right business user
- Organizations and service providers need a dynamic tool to measure the efficacy of their security strategy
He therefore proposed a five-step framework for measuring an organization's risk posture effectively and establishing where it sits relative to the market.
The first step is a rating: external risk vectors are identified and evaluated from publicly available internet data to produce a baseline risk rating.
The second is a contextualized external risk view: the external risk vector data is augmented with threat-pattern data from Verizon's Data Breach Investigations Report (DBIR) and with dark web analytics to give an enhanced external rating.
Third is an internal view from endpoints and infrastructure: the rating is refined through an internal scan of the organization's endpoints and infrastructure for malware, unwanted programs and dual-use tools.
The fourth step is a culture and process view: an in-depth, onsite assessment of the organization's security culture, processes, policies and governance.
Finally, a security posture rating: an aggregated rating across all four levels, giving a 360º view of the company's cyber-risk posture.