Execs value security visibility as hard, soft metrics increasingly gauge compliance

CSOs and non-technical executives are warming to better visibility of key security metrics through aggregation platforms that track and present organisational security posture and compliance position in a more intuitive way, according to one security vendor.

“Security is evolving to be at the same level as a CRM or ERP system,” Ron Gula, CEO of Tenable Network Security, told CSO Australia. “Nobody would ever accept lead flow analysis or financial statements done once a quarter; they want to do it on a daily or real-time basis. And security needs to be done in the same way.”

Delivering on this goal, however, has proven to be rather more complicated than in those other systems – not least because security log and event information tends to live across a broad range of systems in a variety of formats. This is part of the reason why many CSOs are already resource-stretched, with recent figures suggesting they were handling an average of 1.5 security incidents every week.

Reconciling the data, combining it in meaningful ways and presenting it for real-time analysis has become a focus for Tenable, which in the release of its latest SecurityCenter Continuous View platform has focused on providing consistent views of security posture that extend across network and cloud log data.

Analysis of that data allows the platform to group key metrics into five key 'cyber controls': system management, vulnerability management, user management, running a secure network and detecting malware.

These scores can then be applied against best-practice models to gauge compliance with PCI credit-card, NIST cybersecurity, Australian Signals Directorate or other IT-security models in the platform's Assurance Report Cards.

“Organisations don't tend to think about critical cyber controls,” Gula said. “They tend to think about it in terms of critical problems such as malware or vulnerabilities.”

“But assurance is very different from just buying a box and plugging it into your network. It's much more about knowing what you have and what you have to spend. By providing the analytics to sift through that and provide meaning at a high level, you can react to it in real time.”

Better visibility of compliance against security standards is set to become increasingly important in verticals such as government, after the federal government's Digital Transformation Office (DTO) recently released guidelines mandating that government agencies comply with all 36 security controls outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).

Such compliance relates to a broad range of metrics, and collating them all in one place offers a level of visibility that, Gula says, often yields eye-opening assessments of deficient practices in areas like vulnerability patching and the security compliance of cloud-based applications.

“Many people that deploy this realise they don't have a vulnerability patching problem,” he explains. “They may have an asset management problem, or a secure network design problem. When you look at it from the high-level point of view, you can really change behaviour at the executive level.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue