A security dashboard is just someone’s opinion of what they think you need to know. You’ll have a much better predictor of your security if you can test against real-world threats.
It’s a fact: nobody can agree on what cybersecurity products you should have or how much you should spend. When Wendy Nather, now a Principal Security Strategist with Duo Security, was an analyst with 451 Research, she asked security professionals what products a one-thousand-person company should install to make itself more secure. She got many different answers. Some named four technologies, and some named thirty-one.
“Vendors and everybody else tends to assume that every organization is in an Olympic-sized swimming pool, the same kind. When really, they’re sailing the open seas,” said Nather.
The reality is that every organization has its own unique bugaboo of a problem, which Nather affectionately refers to as “The Kraken.”
Watch the full interview here:
VIDEO: Wendy Nather and Adrian Sanabria Interviewed at RSA 2017
So how do you know that your security spending is effective and it’s doing its job?
“We need feedback loops,” advises Adrian Sanabria, Senior Security Analyst with 451 Research in our conversation at the 2017 RSA Conference in San Francisco. “We need some way of knowing that a product is working.”
Sadly, Sanabria has noticed that you could pull the power from many of these security technologies and it might take months before anyone noticed. The reason is that, by its very nature, the barometer of a successful security technology is that “nothing has happened,” which is exactly what a dead control looks like, too.
To not fall into this trap, ensure your organization conducts regular testing and attack simulations to make sure the security technologies that you spent money on are actually working.
Even when you do install everything and think you’re doing everything by the book, it’s still not clear how secure you are, adds Nather. Determining your level of security is really just your own subjective opinion, an expert’s opinion, or the opinion of the vendor who sold you the dashboard to warn you what your level of security is.
A better way of determining your level of security, suggests Nather, is to look at the breaches that are currently happening, ask yourself, ‘What would this look like in our organization?’ and then test against that assumption.
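One concrete feedback loop of the kind Sanabria and Nather describe, as an added example that is not from the interview or any product: a small monitor that flags a security control that has gone silent (the “pulled the power” case) and a scheduled benign simulation that no alert ever referenced. The control names, timestamps and simulation ids are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry: one record per event a security control emitted.
# Control names and test ids are hypothetical, not taken from the article.
SAMPLE_EVENTS = [
    {"control": "edr", "ts": "2017-02-14T09:58:00Z", "event": "heartbeat"},
    {"control": "edr", "ts": "2017-02-14T09:59:30Z", "event": "alert", "test_id": "sim-001"},
    {"control": "email-gateway", "ts": "2017-02-14T09:57:10Z", "event": "heartbeat"},
    {"control": "proxy", "ts": "2017-02-12T17:03:00Z", "event": "heartbeat"},  # ~2 days silent
]

# Every control we paid for and expect to hear from; "waf" has emitted nothing at all.
EXPECTED_CONTROLS = ["edr", "email-gateway", "proxy", "waf"]

# Constructed schedule of benign simulations, each of which a named control must report.
SAMPLE_SIMULATIONS = [
    {"test_id": "sim-001", "control": "edr"},
    {"test_id": "sim-002", "control": "email-gateway"},
]


def parse_ts(s):
    """Parse the UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def silent_controls(events, expected, now, max_silence=timedelta(hours=1)):
    """Controls whose last event is older than max_silence, or that never reported.

    A control that stopped working produces the same 'nothing happened' as a
    control that is working and seeing no attacks, so absence of telemetry is
    treated as a failure, not as good news.
    """
    last_seen = {}
    for e in events:
        ts = parse_ts(e["ts"])
        last_seen[e["control"]] = max(ts, last_seen.get(e["control"], ts))
    return sorted(c for c in expected
                  if c not in last_seen or now - last_seen[c] > max_silence)


def missed_simulations(events, simulations):
    """Simulation ids that the expected control never raised an alert for."""
    reported = {(e["control"], e.get("test_id")) for e in events if e["event"] == "alert"}
    return sorted(s["test_id"] for s in simulations
                  if (s["control"], s["test_id"]) not in reported)


if __name__ == "__main__":
    now = parse_ts("2017-02-14T10:00:00Z")
    print("silent controls:", silent_controls(SAMPLE_EVENTS, EXPECTED_CONTROLS, now))
    print("missed simulations:", missed_simulations(SAMPLE_EVENTS, SAMPLE_SIMULATIONS))
```

Run on a schedule against real sensor logs, either list being non-empty is the signal that a product has stopped doing its job, without waiting months for someone to notice.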
About the Author
David Spark is a veteran tech journalist and founder of Spark Media Solutions. Since 1996, Spark and his articles have appeared in more than 40 media outlets including eWEEK, Wired News, PCWorld, ABC Radio, John C. Dvorak’s “Cranky Geeks,” KQED’s “This Week in Northern California,” and TechTV (formerly ZDTV). Spark is also the author of the book, “Three Feet from Seven Figures: One-on-One Engagement Techniques to Qualify More Leads at Trade Shows.” Today, Spark blogs regularly on the Spark Minute and is a regular contributor for Forbes. Spark is a noted speaker, entertainer, and moderator at tech and marketing events.