It’s one thing to know the status of your organization’s cybersecurity defenses, and quite another to know whether they’re enough to protect your business on the virtual battlefield. You can’t assess a real-world security posture without knowing these three things:
- Where your company stands in relation to your industry peers;
- How your defenses have improved (or not) over time; and
- Which emerging threats are rising.
In other words, context is everything.
Most organizations focus their cybersecurity reporting on tactical matters, such as how much money has been spent, how the dollars were invested, goals that have been met (or missed), and how many threats have been identified and neutralized. While those data points are meaningful to those who are on the cybersecurity front lines, additional data inputs are necessary for board members to understand the business implications of the company’s cybersecurity posture.
When you begin asking the organization you oversee for the kinds of benchmarking context outlined above, you may find that executives struggle to give you the answers you need to make informed decisions.
The Answers You Don’t Need
Below are two typical responses you might receive when asking how you stack up against your peers’ security practices, and why they fall short of delivering the context you need.
- We patched X number of vulnerabilities. It is always important to know the organization is keeping patches up to date, but a patch count alone won’t give you the full picture of where the organization stands. A count treats a hardened lab server and a revenue-critical database the same, and a low-severity fix the same as one for a flaw attackers are exploiting. What you need to understand is whether your critical assets are protected against threats that are currently in the wild, that is, vulnerabilities bad actors are actively exploiting, and how many of those remain open.
- We have everything secured in the cloud. Under the cloud providers’ shared responsibility model, the provider secures the underlying infrastructure, but your organization remains responsible for its own applications, data, identities and configuration, and for keeping the software it deploys patched and updated. Therefore, it’s incumbent upon directors to ensure they have access to ongoing comparative studies. Directors should ask for studies comparing the security of cloud versus traditional assets, year-to-year security progress, and compliance with regulations governing privacy and security, such as the EU General Data Protection Regulation. Assurances that security measures exist in the cloud are nice, but on their own they tell you very little about how secure your company and its vendors actually are.
The Answer You Need
“Here is our report on our security progress over the past three years. This shows how we are remediating the most dangerous vulnerabilities on our most critical assets. We’re now able to predict in advance which vulnerabilities are likely to be attacked and deploy our resources accordingly. We can track the progress different regions and business units are making in reducing their cyber exposure. Plus we have insight into how our cyber exposure compares with industry peers.”
This is the answer you seek. It gives you the detail and context you need to make informed decisions about your organization’s cybersecurity strategy.
The only way you’ll know if your security efforts and investments are paying off—or if your company has just been lucky—is to measure your progress. It’s vitally important to measure the state of your cybersecurity investment and policy by business unit, geography, and asset type. Security progress reports are best when they’re updated regularly. Your company’s cyber exposure will change over time due to a variety of factors, including mergers and acquisitions, changes in business models, and the deployment of new technologies. In other words, everything changes fast and your progress reports need to keep pace with organizational change.
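The kind of report described above combines three things: a ranking of open vulnerabilities by how dangerous they are on the assets where they sit, a trend of that exposure over time broken down by business unit or region, and a placement against peers. The following Python script is an added illustration written for this article, not Tenable’s scoring method and not code from the original post. The weighting (CVSS scaled by a 1 to 5 asset criticality rating, tripled when the vulnerability is exploited in the wild), the quartile rule and the sample findings and peer scores are all assumptions constructed for the example; real inputs would come from your scanner, asset inventory and a threat-intelligence feed.

```python
"""Risk-based remediation queue, per-unit exposure trend and peer quartile.

Added example for this article; the scoring weights, the quartile rule and
all data below are constructed assumptions, not Tenable's methodology.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed sample schema)."""
    vuln_id: str            # placeholder label, not a real advisory identifier
    asset: str
    business_unit: str
    region: str
    cvss: float             # 0.0 to 10.0 base score
    exploited_in_wild: bool # "threats currently in the wild" from the article
    asset_criticality: int  # 1 (lab box) .. 5 (revenue-critical)
    first_seen: date
    fixed: Optional[date]   # None while still open


# Constructed sample findings. Note sample-vuln-2: a CVSS 9.1 flaw that is
# not exploited and sits on a low-value wiki. A raw patch count would rank
# it above everything below it; the weighting here pushes it to the bottom.
FINDINGS = [
    Finding("sample-vuln-1", "erp-db-01",   "Finance",     "EMEA", 9.8, True,  5, date(2019, 1, 10), None),
    Finding("sample-vuln-2", "wiki-01",     "Engineering", "AMER", 9.1, False, 2, date(2019, 1, 12), None),
    Finding("sample-vuln-3", "pos-gw-03",   "Retail",      "APAC", 7.5, True,  4, date(2019, 1, 5),  date(2019, 1, 20)),
    Finding("sample-vuln-4", "hr-portal",   "Finance",     "EMEA", 6.5, False, 3, date(2018, 11, 1), None),
    Finding("sample-vuln-5", "ci-runner-7", "Engineering", "AMER", 8.8, True,  3, date(2019, 1, 15), None),
    Finding("sample-vuln-6", "pos-gw-04",   "Retail",      "APAC", 7.5, True,  4, date(2019, 1, 5),  None),
]

EXPLOITED_MULTIPLIER = 3.0  # assumption: active exploitation outweighs raw severity


def priority(f: Finding) -> float:
    """Assumed score: severity scaled by asset criticality, boosted if exploited."""
    base = (f.cvss / 10.0) * f.asset_criticality
    return round(base * (EXPLOITED_MULTIPLIER if f.exploited_in_wild else 1.0), 2)


def is_open(f: Finding, as_of: date) -> bool:
    """A finding counts as open on a date if it had been seen and not yet fixed."""
    return f.first_seen <= as_of and (f.fixed is None or f.fixed > as_of)


def remediation_queue(findings, as_of: date) -> list:
    """Open findings, most dangerous first: the list a team works top-down."""
    return sorted((f for f in findings if is_open(f, as_of)), key=priority, reverse=True)


def exposure_by_unit(findings, as_of: date, key: str = "business_unit") -> dict:
    """Sum of open-finding priority per business unit (or region, asset type...)."""
    totals = defaultdict(float)
    for f in findings:
        if is_open(f, as_of):
            totals[getattr(f, key)] += priority(f)
    return {k: round(v, 2) for k, v in sorted(totals.items())}


def exposure_trend(findings, snapshots, key: str = "business_unit") -> dict:
    """Per-unit exposure at each snapshot date, so progress or regression is visible."""
    return {d.isoformat(): exposure_by_unit(findings, d, key) for d in snapshots}


def total_exposure(findings, as_of: date) -> float:
    return round(sum(exposure_by_unit(findings, as_of).values()), 2)


def peer_quartile(own: float, peers: list) -> int:
    """1 = best quartile (lower exposure than most peers), 4 = worst.

    Assumes peer scores are computed on the same scale and normalization as
    our own (e.g. per asset); comparing unlike scales is meaningless.
    """
    better_than = sum(1 for p in peers if p > own) / len(peers)
    if better_than >= 0.75:
        return 1
    if better_than >= 0.5:
        return 2
    if better_than >= 0.25:
        return 3
    return 4


if __name__ == "__main__":
    today = date(2019, 2, 1)
    for f in remediation_queue(FINDINGS, today):
        print(f"{priority(f):6.2f}  {f.vuln_id:14}  {f.asset:12}  {f.business_unit}")
    print(exposure_trend(FINDINGS, [date(2019, 1, 1), today]))
    print(exposure_trend(FINDINGS, [today], key="region"))
    # Constructed peer exposure scores standing in for a vendor or ISAC benchmark.
    peers = [5.0, 12.0, 20.0, 33.0, 41.0, 58.0, 60.0, 75.0]
    print("quartile:", peer_quartile(total_exposure(FINDINGS, today), peers))
```

Run the script and the queue puts the exploited flaw on the revenue-critical ERP database first and the unexploited CVSS 9.1 wiki flaw last, which is the distinction a bare patch count hides. The trend output shows Finance exposure rising between the two snapshots even though Retail closed one finding, the kind of per-unit view the article asks for. Swap `key="business_unit"` for `"region"` to get the geographic cut.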
Benchmarking will show you where your company stands in comparison to industry peers. If a comparative ranking with industry peers finds you in the bottom quartile, you probably need to commit more budget and resources to come up to industry standard and achieve average protections. If your company ranks in the top quartile, you likely don’t need a large budget increase, but treat the peer average as a floor rather than a goal: attackers don’t grade on a curve, and a top-quartile ranking still leaves any actively exploited vulnerabilities on critical assets to be fixed. The point is, your decisions should be based on data and not a guess.
Want to learn more about understanding vulnerabilities in the context of business risk? Read the Vulnerability Intelligence Report from Tenable Research.