In the modern threat landscape, being an effective security leader takes real perceptiveness and vision.
For one thing, keeping up with new cyber security threats is a fundamentally unfair game. New attack techniques emerge every day and, collectively, can only be combated with a diverse (and expensive to implement and maintain) array of security controls. As soon as one threat is addressed, ten others pop up in its place.
Then there’s the commercial reality of cyber security to deal with. No business stakeholder wants their organization to be on the receiving end of a data breach, but it’s hard to have a positive attitude about a spiraling security budget with no tangible ROI, either.
Thankfully, there is a way for security leaders to gain insight into emerging threats and stay on top of their security investments: security testing, also called security validation.
Security testing isn’t a new idea - all CISOs should be familiar with techniques such as vulnerability scanning and pen testing, and how they help uncover weaknesses that could potentially be used by hackers. However, by adopting a more threat-centric mindset when it comes to testing their security controls (and picking the right tools for the job), they can make more effective decisions, empower their teams to be agile, and communicate to the business where to focus their investment.
Security testing in a nutshell
Firstly, a quick primer. Security validation refers to the tools, techniques and processes that organizations use to test the effectiveness of their security controls - that is, whether or not they would stand up and do their job when faced with a real-world cyber attack.
Again, security testing isn’t a new idea. CISOs have plenty of well-established techniques at their disposal to check whether their firewalls, antivirus and antimalware tools, application security and internal security policies would fend off a cyber attack in practice. They include vulnerability scanning tools, pen testing and - at the most resource-intensive end of the spectrum - red team testing.
However, while most of the techniques themselves have been around for a while, the most visionary security leaders now realize that security validation is about more than just basic vulnerability management or running occasional red team exercises. Instead, it’s a way to get real-time, top-down visibility on whether your security controls are ready to protect your business from the threats you really face - and, if not, what your next strategic investment should be.
The market has started to call this “threat-centric” validation, and it’s already led to the emergence of new frameworks such as MITRE ATT&CK and new solution categories such as breach and attack simulation (BAS).
3 reasons security testing is important
To fully understand why security testing is becoming more and more important, it’s worth noting a few things about the current cyber security landscape and the challenges that presents for security leaders, security teams and the business as a whole.
1. New threats are emerging faster than security teams can keep up
It may be self-evident, but the rate at which new threats emerge is growing exponentially, and every business needs some way of spotting gaps in its defenses based on real-time, practicable intelligence.
According to the Accenture Third Annual State of Cyber Resilience report, more than two-thirds (69%) of security stakeholders say it’s a “constant battle” to stay ahead of attackers, and the cost of doing so is “unsustainable”.
In other words, security teams don’t have the time or resources to patch over every hole in their defenses continually. An effective threat-centric security validation program will help them tackle the issue more pragmatically, getting a better understanding of which threats should be prioritized and which can be dealt with later.
2. Without a threat-centric mindset, security overspending is inevitable
Believe it or not, a spiraling security budget can be avoided, too. One alarming finding of a survey we carried out at Picus was that, on average, preventative security technologies have a utilization rate of less than 50%.
We can assume, then, that one of the reasons security stakeholders consider the cost of keeping up to be “unsustainable” is that they continually invest in the wrong areas, and don’t have the resources at hand to get more out of their existing investments.
Again, an effective security validation program should provide CISOs with real insight into the cost versus risk of all security investments, enabling better budgeting and, in turn, a better relationship with the CFO.
3. Effective security leadership means effective communication and buy-in from business stakeholders
Finally, by making the connection between real-world threats and their potential victims within the business, threat-centric security testing enables CISOs to communicate their agenda to other stakeholders more effectively.
Bridging the gap between business and security has been a long-standing challenge for most security leaders. Even when it’s incontestable that a cyber attack or data breach could be catastrophic for the business, getting buy-in for new security investments is still too often a matter of blind faith in subjective advice. An effective security validation program will deliver objective evidence that business stakeholders can easily understand and accept.