Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Charlotte Jupp of Panaseer takes the complexity out of understanding security posture management standards.
Early in 2023, the US National Institute of Standards and Technology (NIST) announced plans for significant changes to its Cybersecurity Framework (CSF). This is the first amendment to the CSF in five years, and it signals its biggest reform yet. Within this new iteration, NIST aims to include more guidance with CSF implementation examples, as many have called for practical direction around applying the framework.
This additional guidance will be a crucial shift. While cybersecurity frameworks are invaluable, it is notoriously hard for organizations to know exactly how they can be implemented, and how to measure what ‘good’ looks like when they do. According to NIST, “cybersecurity measurement is probably one of the hardest things that [they’ve] ever tackled,” and security professionals are repeatedly questioning, “Now that I’ve used the framework for a decade, how do I know that my cybersecurity posture is improving and the actions that I’m taking are beneficial to reduce the risk?”
However, as the industry waits for this guidance to take shape, there are various benchmarks and standards for cybersecurity controls that demonstrate what organizations should be aiming for. In fact, with the right KPIs, security teams can gain a more holistic understanding of their cyber-maturity and, in turn, can be confident they are bolstering their security posture management.
Security Posture Management: Setting the Standards
Where to Begin
The good news is that, according to Microsoft, basic cyber hygiene protects against 98 percent of attacks. Yet achieving this strong foundation of cybersecurity is no easy feat. While many invest in more tools and solutions, they struggle to ensure that each of these tools is working as it should be. In fact, Panaseer’s research found that 79 percent of enterprises have experienced cyber incidents that should have been prevented with existing safeguards.
Therefore, security teams need to set an internal standard for security control coverage. It’s important to remember that you simply don’t know what you don’t know, and these teams need to gain a more complete view across all assets. In other words, they need a ‘single source of truth’ with insight into the status of each control protecting each asset. By measuring coverage, security teams can understand whether their security controls are where they are expected to be, and, therefore, whether their security posture is as strong as previously believed.
An example is setting objectives around Endpoint Detection and Response (EDR) tools to measure exactly how many devices across the organization’s IT infrastructure are covered. When starting to measure, a standard mid-sized business should check that every device is communicating with the EDR tool at least once every 7 days before counting it as effectively covered. The 7-day window lowers the false positive rate of reporting on devices which might be offline for 24 hours or for an employee’s vacation. A larger, more cyber-mature organization that holds more sensitive data should check that every device which is seen each day on the network by any security tool is also communicating with the EDR tool on the same day.
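The two coverage standards described above can be computed from an asset inventory and the EDR console's last check-in times. The following is an added example, not code from the article or from Panaseer; the device names, timestamps and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data. SEEN_BY_ANY_TOOL is the combined inventory:
# device -> last time any security tool saw it. EDR_LAST_CHECKIN is
# device -> last time its EDR agent reported in.
NOW = datetime(2023, 5, 5, 12, 0)
SEEN_BY_ANY_TOOL = {
    "lap-001": datetime(2023, 5, 5, 9, 0),
    "lap-002": datetime(2023, 5, 5, 8, 30),
    "lap-003": datetime(2023, 5, 1, 17, 0),   # user on vacation
    "srv-010": datetime(2023, 5, 5, 11, 0),
    "srv-011": datetime(2023, 5, 5, 10, 0),   # never enrolled in EDR
}
EDR_LAST_CHECKIN = {
    "lap-001": datetime(2023, 5, 5, 9, 5),
    "lap-002": datetime(2023, 5, 3, 14, 0),   # agent silent for two days
    "lap-003": datetime(2023, 5, 1, 16, 50),
    "srv-010": datetime(2023, 4, 20, 2, 0),   # agent silent for two weeks
}

def coverage_7day(inventory, edr, now, window_days=7):
    """Baseline standard: every known device checked in within the window."""
    if not inventory:
        return 1.0, []
    cutoff = now - timedelta(days=window_days)
    # A device missing from the EDR console counts as never checked in.
    gaps = sorted(d for d in inventory if edr.get(d, datetime.min) < cutoff)
    return 1 - len(gaps) / len(inventory), gaps

def coverage_same_day(inventory, edr, now):
    """Stricter standard: devices seen today must also reach EDR today."""
    today = now.date()
    active = [d for d, seen in inventory.items() if seen.date() == today]
    if not active:
        return 1.0, []
    gaps = sorted(d for d in active
                  if d not in edr or edr[d].date() != today)
    return 1 - len(gaps) / len(active), gaps

if __name__ == "__main__":
    for name, fn in (("7-day", coverage_7day), ("same-day", coverage_same_day)):
        ratio, gaps = fn(SEEN_BY_ANY_TOOL, EDR_LAST_CHECKIN, NOW)
        print(f"{name}: {ratio:.0%} covered, gaps: {gaps}")
```

On this sample the 7-day view hides the laptop whose agent went quiet two days ago, while the same-day view surfaces it and leaves the vacationing laptop out of the denominator.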
Understanding the Human Risk
According to Verizon, 82 percent of data breaches involve a human element. It’s critical that an organization’s employees – from boardroom executives to interns – understand the cyber risk they could pose if they do not follow security best practices. And while it can be a challenge to sufficiently measure a security ‘culture’, it is essential that teams can understand and communicate the basics, such as phishing.
Security teams need to measure how many employees are receiving phishing tests to ensure they are testing the whole required workforce population, as well as determining how many are successfully identifying and reporting phishing tests. Again, the benchmark will depend on the maturity of the organization – for those with fewer resources for cybersecurity, a quarterly assessment should suffice, but a more cyber-mature enterprise should deploy monthly phishing tests. In terms of what ‘good’ looks like, mid-size organizations should expect to see employees reporting at least one test in that time, while larger enterprises can aim for employees reporting above 20 percent.
However, mistakes will always be made. Security teams need to consider compound risk, e.g., are there employees within the organization that have not reported phishing tests, that also have access to sensitive files they may not need, or that do not employ best practices when resetting passwords? Knowing these details and taking action to change them could be the difference between a minor network exploit and a major data breach. It’s therefore crucial that alongside setting standards for phishing awareness training and results, organizations also benchmark expectations around how often employees are logging in, how secure their devices are, how often they change their passwords, and how quickly IT teams disable the accounts of terminated employees.
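The phishing metrics and the compound-risk question above amount to joining per-user records from several tools and flagging users where weaknesses overlap. The following is an added example, not code from the article or from Panaseer; the user records, field names and the 90-day password threshold are assumptions made for illustration.

```python
from datetime import date

TODAY = date(2023, 5, 5)  # constructed reference date
# Constructed sample records; field names and thresholds are assumptions.
ROWS = [
    ("avery", 3, 2, 0, date(2023, 3, 1), None, True),
    ("blake", 3, 0, 4, date(2022, 11, 1), None, True),
    ("casey", 0, 0, 0, date(2023, 4, 10), None, True),
    ("devon", 3, 0, 0, date(2023, 4, 1), None, True),
    ("emery", 3, 1, 2, date(2023, 2, 20), date(2023, 4, 28), True),
]
FIELDS = ("user", "sent", "reported", "unused_grants",
          "password_set", "terminated_on", "enabled")
USERS = [dict(zip(FIELDS, r)) for r in ROWS]

def phishing_metrics(users):
    """Return (share of workforce tested, share of tested who reported)."""
    tested = [u for u in users if u["sent"] > 0]
    reporters = [u for u in tested if u["reported"] > 0]
    if not users or not tested:
        return 0.0, 0.0
    return len(tested) / len(users), len(reporters) / len(tested)

def risk_factors(u, today, max_password_age_days=90):
    """List the independent weaknesses that apply to one user."""
    f = []
    if u["sent"] == 0:
        f.append("never_phish_tested")
    elif u["reported"] == 0:
        f.append("no_phish_reports")
    if u["unused_grants"] > 0:  # sensitive access granted but never used
        f.append("excess_sensitive_access")
    if (today - u["password_set"]).days > max_password_age_days:
        f.append("stale_password")
    if u["terminated_on"] and u["enabled"]:
        f.append("terminated_still_enabled")
    return f

def compound_risk(users, today, min_factors=2):
    """Users with several overlapping weaknesses, worst first."""
    scored = [(u["user"], risk_factors(u, today)) for u in users]
    scored = [s for s in scored if len(s[1]) >= min_factors]
    return sorted(scored, key=lambda s: -len(s[1]))

if __name__ == "__main__":
    print(phishing_metrics(USERS))
    for user, factors in compound_risk(USERS, TODAY):
        print(user, factors)
```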
Final Thoughts on Security Posture Management
Setting, measuring, and evolving security metrics around security control coverage, phishing tests, access management, and more is almost impossible without advanced automation. For organizations that want to truly understand whether their security posture is improving, manually monitoring the efficiency of their tools and the capabilities of their workforce is far too laborious and time-consuming for security teams that are likely already under-resourced and overworked.
As security teams await further guidance from NIST, it’s crucial these professionals know what to measure and can understand exactly what ‘good’ looks like, starting first and foremost with achieving foundational cyber hygiene, addressing the human risk, and relying on automation to make managing and improving security posture a much simpler process.
- Setting Standards for Security Posture Management - May 5, 2023