Using Security Metrics To Drive Action

FOREWORD

Today's cybersecurity challenges are more complex than ever before. Technologies like development containers, cloud, BYOD, and BYOA have greatly complicated the security team's ability to understand the full potential IT attack surface. And while you may have the budget dollars to invest in new cyber technologies, the size and workload of your security team is a key gating issue.

The core foundation of a successful cybersecurity program requires that you understand all of the IT assets operating in your environment, both inside and outside of your network, identify and remediate vulnerabilities, and continuously assess and measure risk.

Although organizations are investing more of their IT budget in cybersecurity technologies, high-impact breaches continue to make headlines. As a result, senior business executives and board members are asking security teams tough questions about the effectiveness of their security controls, and about how they are measuring, getting control of, and reporting on cyber risk.

At Tenable, we partnered with the team at Mighty Guides to ask senior security industry leaders the following question: "Your CEO calls and asks, 'How exposed are we, and how secure is our organization?' What strategies and metrics do you use to answer?" We compiled their responses into this e-book, giving you useful insights from your peers on how they answer these tough questions, so that you can be prepared when asked yourself.

While every organization is different and has its own unique challenges and constraints, CISOs must deliver answers that are metrics driven, benchmarked to industry best practices and standards, defensible, and a close approximation of reality. We hope you find this e-book useful in helping you develop and communicate security metrics in your own organization.
In follow-on parts of this series, we will share with you additional market research that we know you will find compelling and useful when communicating the effectiveness of your cybersecurity program to your C-suite and board.

Amit Yoran
Chairman and Chief Executive Officer

About Tenable

Tenable transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization. Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. With more than one million users and more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable's customers range from Fortune Global 500 companies, to the U.S. Department of Defense, to mid-sized and small businesses in all sectors, including finance, government, healthcare, higher education, retail, and energy. Transform security with Tenable, the creators of Nessus and leaders in continuous monitoring. For more information, please visit tenable.com.

INTRODUCTION

As the challenge of securing digital assets grows, the challenge of quantifying an organization's security posture is also growing. This is due in part to the added layers of protection needed to secure IT infrastructures that have no perimeter, and to the sheer quantity of data generated by new security technologies. It is further complicated, especially for global companies, by regional differences in security practices, standards, and regulatory environments.

In order to better understand how security organizations operating in Europe and the Middle East use metrics to describe their security posture, we decided to ask them. With Tenable's generous support, we posed this question to a number of security experts: "Your CEO calls you in and asks, 'Just how secure are we?' What strategies and metrics would you use to answer that question?"
For this e-book we spoke to a global audience, including people from Germany, France, the Middle East, and the UK. In these regions, security practices and regulatory environments are very mature. Yet politics often plays a role in which security frameworks can be used in certain countries. For example, a French company with global operations may use a US standard framework in its European operations, but it must adopt a different framework for its Middle East operations. Also, the risk landscape can vary considerably from one region to another, not only because of the nature of potential threats, but because of the varying costs of regulatory noncompliance. Any business with operations in EMEA will find value in the perspectives of these EMEA-based security experts.

Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor's name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert's independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.

All the best,
David Rogelberg
Publisher

© 2017 Mighty Guides, Inc. | 62 Nassau Drive | Great Neck, NY 11021 | 516-360-2622 | www.mightyguides.com