November 26, 2018
It’s one thing to know the status of your organization’s cybersecurity defenses, and quite another to know whether they’re enough to protect your business on the virtual battlefield. You can’t prepare a real-world security posture without knowing these three things:
In other words, context is everything.
Most organizations focus their cybersecurity reporting on tactical matters, such as how much money has been spent, how the dollars were invested, goals that have been met (or missed), and how many threats have been identified and neutralized. While those data points are meaningful to those who are on the cybersecurity front lines, additional data inputs are necessary for board members to understand the business implications of the company’s cybersecurity posture.
When you begin asking the organization you oversee to provide the kinds of benchmarking context outlined above, you may find executives are challenged to give you the answers you need to make informed decisions.
The Answers You Don’t Need
Below are two typical responses you might receive when asking how you stack up against your peers’ security practices, and why they fall short of delivering the context you need.
The Answer You Need
“Here is our report on our security progress over the past three years. This shows how we are remediating the most dangerous vulnerabilities on our most critical assets. We’re now able to predict in advance which vulnerabilities are likely to be attacked and deploy our resources accordingly. We can track the progress different regions and business units are making in reducing their cyber exposure. Plus we have insight into how our cyber exposure compares with industry peers.”
This is the answer you seek. It gives you the detail and context you need to make informed decisions about your organization’s cybersecurity strategy.
The only way you’ll know if your security efforts and investments are paying off—or if your company has just been lucky—is to measure your progress. It’s vitally important to measure the state of your cybersecurity investment and policy by business unit, geography, and asset type. Security progress reports are best when they’re updated regularly. Your company’s cyber exposure will change over time due to a variety of factors, including mergers and acquisitions, changes in business models, and the deployment of new technologies. In other words, everything changes fast and your progress reports need to keep pace with organizational change.
Benchmarking will show you where your company stands in comparison to industry peers. If a comparative ranking with industry peers finds you in the bottom quartile, you probably need to commit more budget and resources to come up to the industry standard and achieve average protections. If your company ranks in the top quartile, you likely don’t need to increase your budget or make many new purchases. The point is, your decisions should be based on data and not guesswork.
Want to learn more about understanding vulnerabilities in the context of business risk? Read the Vulnerability Intelligence Report from Tenable Research.