CIO

Execs value security visibility as hard, soft metrics increasingly gauge compliance

CSOs and non-technical executives are warming to better visibility of key security metrics through aggregation platforms that track and present organisational security posture and compliance position in a more intuitive way, according to one security vendor.

“Security is evolving to be at the same level as a CRM or ERP system,” Ron Gula, CEO of Tenable Network Security, told CSO Australia. “Nobody would ever accept lead flow analysis or financial statements done once a quarter; they want to do it on a daily or real-time basis. And security needs to be done in the same way.”

Delivering on this goal, however, has proven to be rather more complicated than in those other systems – not least because security log and event information tends to live across a broad range of systems in a variety of formats. This is part of the reason why many CSOs are already resource-stretched, with recent figures suggesting they were handling an average of 1.5 security incidents every week.

Reconciling the data, combining it in meaningful ways and presenting it for real-time analysis has become a focus for Tenable, which in the release of its latest SecurityCenter Continuous View platform has focused on providing consistent views of security posture that extend across network and cloud log data.

Analysis of that data allows the platform to group key metrics into five key 'cyber controls': system management, vulnerability management, user management, running a secure network and detecting malware.

These scores can then be applied against best-practice models to gauge compliance with PCI credit-card, NIST cybersecurity, Australian Signals Directorate or other IT-security models in the platform's Assurance Report Cards.
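The two paragraphs above describe a pipeline: raw findings are grouped into a handful of control areas, each area gets a score, and the scores are graded against a policy to produce a pass/fail report card. The following Python sketch is an added illustration of that pattern, not Tenable's code, scoring model or the real Assurance Report Card logic. The asset inventory, findings, severity weights, the 30-day ageing rule and the per-control minimum scores in `POLICY` are all constructed for the example.

```python
"""Toy assurance report card: group findings into control areas, score each
area, then grade the scores against a hypothetical policy.
All data, weights and thresholds below are constructed; this is not Tenable's
scoring model."""
from collections import defaultdict
from datetime import date

TODAY = date(2015, 9, 1)  # constructed reference date for ageing findings

# Constructed asset inventory: last vulnerability scan and whether an
# anti-malware agent is installed.
ASSETS = [
    {"id": "web-01", "last_scan": date(2015, 8, 30), "av_agent": True},
    {"id": "db-01", "last_scan": date(2015, 7, 1), "av_agent": True},
    {"id": "hr-03", "last_scan": date(2015, 8, 31), "av_agent": False},
]

# Constructed open findings, each already mapped to one control area.
FINDINGS = [
    {"asset": "web-01", "control": "vulnerability management",
     "severity": "critical", "first_seen": date(2015, 7, 15)},
    {"asset": "web-01", "control": "vulnerability management",
     "severity": "medium", "first_seen": date(2015, 8, 25)},
    {"asset": "db-01", "control": "user management",
     "severity": "high", "first_seen": date(2015, 6, 1)},
    {"asset": "hr-03", "control": "secure network",
     "severity": "low", "first_seen": date(2015, 8, 29)},
]

# The five control areas named in the article.
CONTROLS = ("system management", "vulnerability management",
            "user management", "secure network", "malware detection")

SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}  # constructed

# Hypothetical policy: minimum score each control must reach to pass.
POLICY = {
    "system management": 85,
    "vulnerability management": 80,
    "user management": 85,
    "secure network": 90,
    "malware detection": 95,
}


def control_scores(findings, assets, today=TODAY):
    """Score each control 0-100: start at 100 and subtract weighted penalties.
    Findings open for more than 30 days count double. Two controls are derived
    from the inventory rather than from findings: stale scans hit
    'system management', assets without an agent hit 'malware detection'."""
    penalty = defaultdict(int)
    for f in findings:
        age_days = (today - f["first_seen"]).days
        multiplier = 2 if age_days > 30 else 1
        penalty[f["control"]] += SEVERITY_WEIGHT[f["severity"]] * multiplier
    stale = [a for a in assets if (today - a["last_scan"]).days > 7]
    penalty["system management"] += 10 * len(stale)
    penalty["malware detection"] += 10 * sum(1 for a in assets if not a["av_agent"])
    return {c: max(0, 100 - penalty[c]) for c in CONTROLS}


def report_card(findings, assets, policy=POLICY, today=TODAY):
    """Grade each control's score against the policy threshold. A hard rule
    overrides the score: any critical finding open for more than 30 days
    fails 'vulnerability management' outright, whatever the score says."""
    scores = control_scores(findings, assets, today)
    card = {}
    for control, minimum in policy.items():
        card[control] = {"score": scores[control], "target": minimum,
                         "pass": scores[control] >= minimum}
    overdue = [f for f in findings
               if f["severity"] == "critical" and (today - f["first_seen"]).days > 30]
    if overdue:
        card["vulnerability management"]["pass"] = False
        card["vulnerability management"]["note"] = (
            f"{len(overdue)} critical finding(s) open > 30 days")
    return card


def overall_grade(card):
    """One-line summary an executive dashboard would show."""
    passed = sum(1 for c in card.values() if c["pass"])
    return f"{passed}/{len(card)} controls meet policy"


if __name__ == "__main__":
    card = report_card(FINDINGS, ASSETS)
    for control, result in card.items():
        status = "PASS" if result["pass"] else "FAIL"
        print(f"{control:<26} {result['score']:>3}/{result['target']:<3} {status}"
              f"  {result.get('note', '')}")
    print(overall_grade(card))
```

The point the example makes is the one Gula draws: the same findings, rolled up per control rather than per vulnerability, show that the failing area is not only the one with the critical patch outstanding but also the host with no anti-malware agent, which would never surface in a scanner's vulnerability list alone.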

“Organisations don't tend to think about critical cyber controls,” Gula said. “They tend to think about it in terms of critical problems such as malware or vulnerabilities.”

“But assurance is very different than just buying a box and plugging it into your network. It's much more about knowing what you have and what you have to spend. By providing the analytics to sift through that and provide meaning at a high level, you can react to it in real time.”

Better visibility of compliance against security standards is set to become increasingly important in verticals such as government, after the federal government's Digital Transformation Office (DTO) recently released guidelines mandating that government agencies comply with all 36 security controls outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).

Such compliance relates to a broad range of metrics, and collating them all in one place gives a level of visibility that Gula says often yields eye-opening assessments of deficient practices in areas like vulnerability patching and the security compliance of cloud-based applications.

“Many people that deploy this realise they don't have a vulnerability patching problem,” he explains. “They may have an asset management problem, or a secure network design problem. When you look at it from the high-level point of view, you can really change behaviour at the executive level.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.