Cyber Defense Magazine - Annual RSA Conference 2019 - Print Edition
Aligning Cybersecurity Effectiveness with Core Business Objectives
CYBERSECURITY PROGRAMS ESTABLISH DEFINED GOALS BUT LACK MEASURABLE INDICATORS TO GAUGE EFFECTIVENESS.
by Brian Contos, CISO, Verodin Inc.
From an objective perspective, it is easy to become desensitized by the current state of cybersecurity. Every headline-grabbing breach plays out like a rerun of a bad sitcom. Still, recent incidents beg the question: why are even the most sophisticated and well-funded cybersecurity programs struggling?

The margin of error in cybersecurity is unprecedented. Modern IT environments are complex and unique, with intricate combinations of products, configurations, and architectures. In fact, a lot has to go right for dozens of disparate tools to work together in concert and be effective. Known and unknown changes in tools, infrastructure, and configurations introduce the risk of unintended errors and blind spots. To add to the complexity, environments are constantly shifting, so there is no guarantee that defenses working today will remain effective tomorrow.

The harsh reality is that cybersecurity as we know it is fundamentally flawed. Unlike other essential business units such as finance and operations, cybersecurity is not measured with quantifiable metrics and optics predicated on evidence-based data. Instead, cybersecurity success criteria are loosely defined and principally based on assumptions. Over the years, cybersecurity infrastructures have ballooned without the instrumentation necessary to dynamically measure and manage their effectiveness. This has resulted in product redundancies, unnecessary complexity, overwhelmed analysts, and wasted dollars. Bottom line: the cybersecurity value perceived is not the value being realized.

Assumption-based cybersecurity is rampant. In a recent poll from Verodin Inc., a broad audience of InfoSec professionals, including red and blue teams, auditors, and executives, was asked, “How much of your security is based on assumptions instead of evidence?” Not surprisingly, a whopping 97% of respondents admitted to managing by assumption to some degree.