Congrats – you’re the new CISO…now what

If you’re a security executive new to an organization you know better than most that you often suffer from not knowing the state of your security posture and because of this you are forced to operate tactically. What’s needed is a baseline about the current state of your security posture across people, process and technology which ultimately alleviates headaches and allows you to approach security more strategically.

I know, I know, the old “people, process and technology speech” – but give me a second, because this is a new approach that actually works without software snake oil or magic appliances that are “Making the world a better place…” I couldn’t resist the Silicon Valley reference.   

Instrumentation has long been a mechanism to provide visibility. Think about driving your car or operating a nuclear power plant – gauges matter. Instrumentation has been a foundational part of IT for decades, especially in areas like networking. However, “security instrumentation” is a relatively new concept. But while the concept of security instrumentation may be somewhat new, it is quickly becoming foundational for those tasked with offensive security, defensive security and especially those like you with the awesome and terrible responsibility of security leadership.

Security instrumentation is all about understanding and measuring the state of your security at a point in time as well as using automation to preform continuous analysis to generate longer term trends. Effective security instrumentation focuses on not only your technology, but also your people and processes. More importantly, it is foundational, meaning that it is something that should be brought into your organization early in your security decision making process.

Security instrumentation can assist security executives like you by helping you understand what you’ve got that’s working, what needs to be tuned versus what needs to be replaced and aiding in the evaluation of alternatives. You might not need to buy another buzzword, you might just need to figure out a better way to get value from what you’ve got.

While continuous assessment is a major part of the value proposition of security instrumentation solutions, let’s just consider the case of you, as a new security executive, just trying to assess where your security posture is from a snapshot perspective so that you can make more informed, strategic security decisions.

You want to be able to safely execute real attacks in your production environment and see how well your network and endpoint security controls preform, your security teams respond and your security processes deliver. Think about how security instrumentation can address the following questions to help you remove assumptions and create a “baseline of knowing” that’s so important in your new security leadership role.

Analyzing the efficacy of your security technologies

• Which incident prevention security controls on my network and endpoint are preventing and reporting on malicious activity and has defensive regression broken anything?
• Which incident detection security controls on my network and endpoint are detecting and reporting on malicious activity and is my intelligence integration inadequate?
• Which security control management consoles, SIEMs and log management solutions are collecting logs and alerts?
• Here is a painful one that can really suck – of the logs and alerts being collected which ones are being triggered as a correlated rule, notable event, etc.?
• Of those rules and events which ones are making it to your security team for review and response? 

Evaluating your security team

• Does my security team have access to the right technology?
• Do they know our technology and are they well practiced (a security team that doesn’t practice incident response is like a football team that doesn’t practice football – it doesn’t end well)?
• Is my security team receiving the right incident information in the right amount of time?
• Do I have enough of the right people on my team?
• When my technology and team are operating efficiently do we have operationally effective processes to follow or are we like the poor folks from PwC at the 89 Academy Awards trying to figure out what to do when everything goes wrong?

Assessing your security processes

• Are my incident response processes working in the face of real attacks being safely executed against my production network security controls and my endpoint security controls by a security instrumentation solution?
• Do we have the right people and the right amount of people involved in the processes?
• Can we measure if our incident response effectiveness over time is trending up or down?
• Can we highlight positives and negatives related to changes in security controls?
• Can the totality of what’s been measured across people, process and technology be leveraged to share with my stakeholders such as the executive team and board?

Security instrumentation solutions allow visibility into what’s working and what’s not across your people, process and technology. As outlined, this can be done at a point in time but adds even more value when applied through automated and continuous evaluations that safely execute real attacks within your production environment.

The reporting and metrics that are made available with security instrumentation solutions are valuable to business decision makers at an executive and board level. This information will highlight trends in your security posture, identify the capital expenditures and operational expenses that are resulting in value, prioritize other investments that should be made and quantify the business risk if those investments are not made.

It’s often critical for a new CISO like you to earn your stripes in the eyes of your stakeholders. Security instrumentation solutions will help you illustrate what your team does for the organization. Security instrumentation metrics will allow your stakeholders to understand the value of the security organization from a business perspective and thus recognize it like other, measurable, critical business units. Welcome to security at a strategic level.