Continuous monitoring on its own is great for the detection and remediation of security events that may lead to breaches. But when it comes to allowing us to measure and compare the effectiveness of our security programs, there are many ways that simply monitoring falls short. Most significantly, it does not allow us to answer the question of whether not we are more or less secure than we were yesterday, last week or last year.
This is a question that we all have grappled with in the security community, and more recently, in the board room. No matter how many new tools you install, settings you adjust, or events you remediate, there are few ways to objectively determine your security posture and that of your vendors and third parties. How do you know if the changes and decisions you have made have positively impacted your security posture if there is no way to measure your effectiveness over time?
In recent years, solutions have emerged in the market which bring to light new potential from continuous monitoring and enable organizations to not only identify and remediate security issues, but also answer questions about security performance and effectiveness. Through the analysis of historical data, performance rating solutions allow organizations to quickly and objectively compare their effectiveness over time as well as to their industry and peers. The ratings are generated through the continuous collection of security data, including events, user behaviors and configurations, and updated on a daily basis. Higher ratings indicate better security performance, and users receive alerts when ratings change significantly. The ease with which these ratings can be accessed means organizations can leverage performance ratings in a number of ways that go far beyond threat detection.
For example, using ratings in vendor selection can help organizations choose and negotiate with secure partners from the beginning of business relationships. They have access to information that can show how performance over time has varied, as well as if there have been prior security incidents or breaches worthy of further investigation. Using ratings for vendor management encourages all parties to be proactive and transparent in their security practices, thus helping to improve overall performance.
There are other third party transactions where continuous security performance ratings can help, such as in underwriting and negotiating cyber insurance premiums as well as making strategic M&A decisions. Performance ratings provide context that is lacking from other assessment methods, as ratings are based on evidence of security outcomes and the criteria for both assessment and rating is congruent between networks.
However, the value in this metric isn’t simply in providing a number; the value is in its potential to become a standard that organizations can objectively benchmark themselves and their third parties against. Many organizations have their own methodologies to assess security risk, relying on auditors, compliance certificates, questionnaires and multiple frameworks for qualitatively, and in some ways quantitatively, measuring their risk. But if we’re all using different frameworks and methodologies, the ability to compare and contrast is lost, and objectivity comes into question. The lack of a standard in this area has lead to ambiguity when it comes to defining what “good security performance” actually looks like.
Of late, legislators and regulators have been pushing organizations to show that they are monitoring security risks across the business ecosystem and taking responsibility for the performance of their vendors as well. There has also been additional pressure placed on board members and executives to demonstrate awareness and oversight of security performance at all times.
HIPAA, PCI and OCC guidelines have all added language around vendor selection and management, requiring more frequent assessments and in some cases, naming liability if a vendor falls out of compliance. One thing these updates don’t include is specific guidelines for how and what to assess in network security ecosystems. This means it is up to the individual to interpret guidance, which may result in inconsistent (and often biased) assessments.
If regulators and lawmakers want to simplify risk management, they could make great strides by adopting and enforcing a set of measurement standards that could span industries and bring transparency to security practices in all organizations. To overcome the lack of awareness and bias in security performance assessments, continuous performance monitoring provides a significant advantage because it is outcome based rather than control based. Because of this, continuous assessment methodologies can answer the age old questions of how am I doing compared to my industry and my peers? Am I safer now than I was before?