{"id":4485,"date":"2023-05-05T15:14:34","date_gmt":"2023-05-05T19:14:34","guid":{"rendered":"https:\/\/solutionsreview.com\/security-information-event-management\/?p=4485"},"modified":"2023-05-05T15:57:16","modified_gmt":"2023-05-05T19:57:16","slug":"setting-standards-for-security-posture-management","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/","title":{"rendered":"Setting Standards for Security Posture Management"},"content":{"rendered":"<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4486\" src=\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management.jpg\" alt=\"\" width=\"800\" height=\"400\" srcset=\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management.jpg 800w, https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management-300x150.jpg 300w, https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management-768x384.jpg 768w, https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management-540x270.jpg 540w, https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management-162x81.jpg 162w, https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management-360x180.jpg 360w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/p>\n<p style=\"text-align: justify;\"><em><b>Solutions Review\u2019s Expert Insights Series is a collection of contributed articles written by industry 
experts in enterprise software categories. Charlotte Jupp of <a href=\"https:\/\/panaseer.com\/\" target=\"_blank\" rel=\"noopener\">Panaseer<\/a> removes the complexity out of understanding security posture management standards.<\/b><\/em><\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-4304\" src=\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/01\/Expert-100x100-1.png\" alt=\"Expert Insights badge\" width=\"105\" height=\"105\" srcset=\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/01\/Expert-100x100-1.png 105w, https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/01\/Expert-100x100-1-81x81.png 81w\" sizes=\"(max-width: 105px) 100vw, 105px\" \/>Early in 2023, the US National Institute of Standards and Technology (NIST) announced plans for significant changes to its Cybersecurity Framework (CSF). This is the first amendment to the CSF in five years, and it signals its biggest reform yet. Within this new iteration, NIST aims to include more guidance with CSF implementation examples, as many have called for practical direction around applying the framework.<\/p>\n<p style=\"text-align: justify;\">This additional guidance will be a crucial shift. 
While cybersecurity frameworks are invaluable, it is notoriously hard for organizations to know exactly how they can be implemented, and how to measure what \u2018good\u2019 looks like when they do.\u00a0According to NIST, \u201ccybersecurity measurement is probably one of the hardest things that [they\u2019ve] ever tackled,\u201d and security professionals are repeatedly questioning, \u201cNow that I&#8217;ve used the framework for a decade, how do I know that my cybersecurity posture is improving and the actions that I&#8217;m taking are beneficial to reduce the risk?&#8221;<\/p>\n<p style=\"text-align: justify;\">However, as the industry waits for this guidance to take shape, there are various benchmarks and standards for cybersecurity controls that demonstrate what organizations should be aiming for. In fact, with the right KPIs, security teams can gain a more holistic understanding of their cyber-maturity and, in turn, can be confident they are bolstering their security posture management.<\/p>\n<h2 style=\"text-align: justify;\"><strong>Security Posture Management: Setting the Standards<\/strong><\/h2>\n<hr \/>\n<h3 style=\"text-align: justify;\"><strong>Where to Begin<\/strong><\/h3>\n<p style=\"text-align: justify;\">The good news is that, according to Microsoft, basic cyber hygiene protects against 98 percent of attacks. Yet achieving this strong foundation of cybersecurity is no easy feat. While many invest in more tools and solutions, they struggle to ensure that each of these tools is working as it should be. In fact, Panaseer\u2019s research found that 79 percent of enterprises have experienced cyber incidents that should have been prevented with existing safeguards.<\/p>\n<p style=\"text-align: justify;\">Therefore, security teams need to set an internal standard for security control coverage. 
It\u2019s important to remember that you simply don\u2019t know what you don\u2019t know, and these teams need to gain a more complete view across all assets. In other words, a \u2018single source of truth\u2019 with insight into the status of each control protecting each asset. By measuring coverage, security teams can understand whether their security controls are where they are expected to be, and, therefore, whether their security posture is as strong as previously believed.<\/p>\n<p style=\"text-align: justify;\">An example is setting objectives around Endpoint Detection and Response (EDR) tools, to measure exactly how many devices across the organization\u2019s IT infrastructure are covered. When starting to measure, a standard mid-sized business should aim to check that every device is communicating with the EDR tool at least once every 7 days to say it is effectively covered \u2013 the 7-day window lowers the false positive rate of reporting on devices which might be offline for 24 hours or for an employee\u2019s vacation. For a larger, more cyber-mature organization that holds more sensitive data, they should check that every device which is seen each day on the network by any security tool is also communicating with the EDR tool on the same day.<\/p>\n<h3 style=\"text-align: justify;\"><strong>Understanding the Human Risk<\/strong><\/h3>\n<p style=\"text-align: justify;\">According to Verizon, 82 percent of data breaches involve a human element. It\u2019s critical that an organization\u2019s employees \u2013 from boardroom executives to interns \u2013 understand the cyber risk they could pose if they do not follow security best practices. 
And while it can be a challenge to sufficiently measure a security \u2018culture\u2019, it is essential that teams can understand and communicate the basics, such as phishing.<\/p>\n<p style=\"text-align: justify;\">Security teams need to measure how many employees are receiving phishing tests to ensure they are testing the whole required workforce population, as well as determining how many are successfully identifying and reporting phishing tests. Again, the benchmark will depend on the maturity of the organization \u2013 for those with fewer resources for cybersecurity, a quarterly assessment should suffice, but a more cyber-mature enterprise should deploy monthly phishing tests. In terms of what \u2018good\u2019 looks like, mid-size organizations should expect to see employees reporting at least one test in that time, while larger enterprises can aim for employees reporting above 20 percent.<\/p>\n<p style=\"text-align: justify;\">However, mistakes will always be made. Security teams need to consider compound risk, e.g., are there employees within the organization that have not reported phishing tests, that also have access to sensitive files they may not need, or that do not employ best practices when resetting passwords? Knowing these details and taking action to change them could be the difference between a minor network exploit and a major data breach. 
It\u2019s therefore crucial that alongside setting standards for phishing awareness training and results, organizations also benchmark expectations around how often employees are logging in, how secure their devices are, how often they change their passwords, and how quickly IT teams disable the accounts of terminated employees.<\/p>\n<h3 style=\"text-align: justify;\"><strong>Final Thoughts on Security Posture Management<\/strong><\/h3>\n<p style=\"text-align: justify;\">Setting, measuring, and evolving security metrics around security control coverage, phishing tests, access management, and more is almost impossible without advanced automation. For organizations to truly understand whether their security posture is improving, manually monitoring the efficiency of their tools and the capabilities of their workforce is far too laborious and time-consuming for security teams that are likely already under-resourced and overworked.<\/p>\n<p style=\"text-align: justify;\">As security teams await further guidance from NIST, it\u2019s crucial these professionals know what to measure and can understand exactly what \u2018good\u2019 looks like, starting first and foremost with achieving foundational cyber hygiene, addressing the human risk, and relying on automation to make managing and improving security posture a much simpler process.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Solutions Review\u2019s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Charlotte Jupp of Panaseer removes the complexity out of understanding security posture management standards. Early in 2023, the US National Institute of Standards and Technology (NIST) announced plans for significant changes to its Cybersecurity Framework (CSF). 
[&hellip;]<\/p>\n","protected":false},"author":646,"featured_media":4486,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[551,1],"tags":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Setting Standards for Security Posture Management<\/title>\n<meta name=\"description\" content=\"Charlotte Jupp of Panaseer removes the complexity out of understanding security posture management standards.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Setting Standards for Security Posture Management\" \/>\n<meta property=\"og:description\" content=\"Charlotte Jupp of Panaseer removes the complexity out of understanding security posture management standards.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/\" \/>\n<meta property=\"og:site_name\" content=\"Best Information Security SIEM Tools, Software, Solutions &amp; Vendors\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-05T19:14:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-05T19:57:16+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" 
\/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Charlotte Jupp\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Charlotte Jupp\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/\",\"url\":\"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/\",\"name\":\"Setting Standards for Security Posture Management\",\"isPartOf\":{\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management.jpg\",\"datePublished\":\"2023-05-05T19:14:34+00:00\",\"dateModified\":\"2023-05-05T19:57:16+00:00\",\"author\":{\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/#\/schema\/person\/3feafded9c33eb3e22d55657a8b30c41\"},\"description\":\"Charlotte Jupp of Panaseer removes the complexity out of understanding security posture management 
standards.\",\"breadcrumb\":{\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/#primaryimage\",\"url\":\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management.jpg\",\"contentUrl\":\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management.jpg\",\"width\":800,\"height\":400,\"caption\":\"security posture management\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/solutionsreview.com\/security-information-event-management\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Setting Standards for Security Posture Management\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/#website\",\"url\":\"https:\/\/solutionsreview.com\/security-information-event-management\/\",\"name\":\"Best Information Security SIEM Tools, Software, Solutions &amp; Vendors\",\"description\":\"Buyer&#039;s Guide and Best 
Practices\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/solutionsreview.com\/security-information-event-management\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/#\/schema\/person\/3feafded9c33eb3e22d55657a8b30c41\",\"name\":\"Charlotte Jupp\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c8a13ff820710abcc9b3021cabe69bbc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c8a13ff820710abcc9b3021cabe69bbc?s=96&d=mm&r=g\",\"caption\":\"Charlotte Jupp\"},\"description\":\"Charlotte is the Head of Panaseer\u2019s Security Performance Management division, responsible for ensuring customers' improvements to their security posture through guidance on measurement and process best practices. She has been part of the team for seven years and has developed a number of cybersecurity papers detailing what to measure and what \u2018good\u2019 looks like for the status of security controls. Prior to Panaseer, Charlotte worked to build analytical models and technical products to detect financial crime at BAE Systems. She also studied at the University of Oxford, where she achieved a Doctorate in Mathematical Biology in 2010.\",\"url\":\"https:\/\/solutionsreview.com\/security-information-event-management\/author\/cjupp\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Setting Standards for Security Posture Management","description":"Charlotte Jupp of Panaseer removes the complexity out of understanding security posture management standards.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/","og_locale":"en_US","og_type":"article","og_title":"Setting Standards for Security Posture Management","og_description":"Charlotte Jupp of Panaseer removes the complexity out of understanding security posture management standards.","og_url":"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/","og_site_name":"Best Information Security SIEM Tools, Software, Solutions &amp; Vendors","article_published_time":"2023-05-05T19:14:34+00:00","article_modified_time":"2023-05-05T19:57:16+00:00","og_image":[{"width":800,"height":400,"url":"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management.jpg","type":"image\/jpeg"}],"author":"Charlotte Jupp","twitter_misc":{"Written by":"Charlotte Jupp","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/","url":"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/","name":"Setting Standards for Security Posture Management","isPartOf":{"@id":"https:\/\/solutionsreview.com\/security-information-event-management\/#website"},"primaryImageOfPage":{"@id":"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/#primaryimage"},"image":{"@id":"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/#primaryimage"},"thumbnailUrl":"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management.jpg","datePublished":"2023-05-05T19:14:34+00:00","dateModified":"2023-05-05T19:57:16+00:00","author":{"@id":"https:\/\/solutionsreview.com\/security-information-event-management\/#\/schema\/person\/3feafded9c33eb3e22d55657a8b30c41"},"description":"Charlotte Jupp of Panaseer removes the complexity out of understanding security posture management 
standards.","breadcrumb":{"@id":"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/#primaryimage","url":"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management.jpg","contentUrl":"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2023\/05\/Setting-Standards-for-Security-Posture-Management.jpg","width":800,"height":400,"caption":"security posture management"},{"@type":"BreadcrumbList","@id":"https:\/\/solutionsreview.com\/security-information-event-management\/setting-standards-for-security-posture-management\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/solutionsreview.com\/security-information-event-management\/"},{"@type":"ListItem","position":2,"name":"Setting Standards for Security Posture Management"}]},{"@type":"WebSite","@id":"https:\/\/solutionsreview.com\/security-information-event-management\/#website","url":"https:\/\/solutionsreview.com\/security-information-event-management\/","name":"Best Information Security SIEM Tools, Software, Solutions &amp; Vendors","description":"Buyer&#039;s Guide and Best 
Practices","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/solutionsreview.com\/security-information-event-management\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/solutionsreview.com\/security-information-event-management\/#\/schema\/person\/3feafded9c33eb3e22d55657a8b30c41","name":"Charlotte Jupp","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/solutionsreview.com\/security-information-event-management\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/c8a13ff820710abcc9b3021cabe69bbc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c8a13ff820710abcc9b3021cabe69bbc?s=96&d=mm&r=g","caption":"Charlotte Jupp"},"description":"Charlotte is the Head of Panaseer\u2019s Security Performance Management division, responsible for ensuring customers' improvements to their security posture through guidance on measurement and process best practices. She has been part of the team for seven years and has developed a number of cybersecurity papers detailing what to measure and what \u2018good\u2019 looks like for the status of security controls. Prior to Panaseer, Charlotte worked to build analytical models and technical products to detect financial crime at BAE Systems. 
She also studied at the University of Oxford, where she achieved a Doctorate in Mathematical Biology in 2010.","url":"https:\/\/solutionsreview.com\/security-information-event-management\/author\/cjupp\/"}]}},"_links":{"self":[{"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/posts\/4485"}],"collection":[{"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/users\/646"}],"replies":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/comments?post=4485"}],"version-history":[{"count":0,"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/posts\/4485\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/media\/4486"}],"wp:attachment":[{"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/media?parent=4485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/categories?post=4485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/tags?post=4485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}