Over the past three weeks, I’ve had the pleasure of talking about some pretty serious cyber issues with leaders from SoftBank Japan, the U.S. Navy, the Japan Ministry of Defense and Target. I can’t tell you how much fun it was talking with these folks, who are all hiring managers.
I spoke with SoftBank’s leader of internet of things (IoT) and security about how to measure the company’s ability to secure and handle IoT devices. They are working on how to secure IoT devices not only for the company, but also for its customers. His primary concern was making sure that he had solid data sets that allowed him to reach the right conclusions.
When I pressed him about what “right conclusions” meant, he said that IoT devices create a significant attack surface and that he needed to find ways to measure his company’s success or lack of success in managing this surface.
With the U.S. Navy, folks in San Diego were very concerned about their ability to reliably determine if existing security controls were properly placed. We discussed the need for solid red team/pen testing tactics to help security analysts identify specific indicators of compromise. The Navy, like any other public or private entity, purchases a lot of software, but with that, it faces two unknowns:
- Are their security controls properly placed and used?
- Have they really stopped or contained attacks?
The people I spoke with at Japan’s Ministry of Defense, the center of the country’s military force, had a different concern. They want to trace social engineering attacks back to vulnerabilities in the organization. It’s important to them to upskill their teams so they can quickly identify attacks and vulnerabilities. But it’s also important for them to find real ways to measure their success.
Identifying Useful Cybersecurity Metrics
While I was talking with Tim Crothers over at Target, I realized that everyone is interested in one major thing: finding useful metrics.
No, I’m not talking about the metric system, which has found success most everywhere but in the United States. I’m talking about measurements: how today’s companies are very interested in actually proving whether their preventative, detective and responsive controls are worth the time and money they’ve spent.
Each of these leaders was a hiring manager, so they also want to know if the people they have hired have the right skills. The above-mentioned organizations, as well as companies such as SecureWorks, IBM and Dell, are also very interested in identifying useful metrics.
I found this somewhat gratifying because last year I started formalizing input about the importance of measuring progress to cybersecurity goals. Last September, I wrote about the cybersecurity metrics matrix, and recently, the CompTIA research department released some very interesting information about how cybersecurity leaders need more useful metrics.
Learn More at RSA 2019
At RSA in San Francisco next week, Tim Crothers and I are going to be talking about how to get some real metrics. We’re calling the two-hour lab Breaking Out of the Cybersecurity Matrix. It should be a good time.
I’ll also be presenting a Birds of a Feather session about pen testing, called Why Pen Testing Sucks Right Now, and How You Can Fix It.
When I’m not presenting, I’ll be spending a lot of time at CompTIA’s booth (#3206 on the South Expo Floor) with my co-workers Jen Blackwell, Patrick Lane and Stephen Schneiter. We have a full agenda of presentations, not to mention demonstrations of CompTIA CertMaster, discount codes and, of course, swag.
So, drop on by and we can talk about some of the other ways I’ve heard of companies starting to measure their security more efficiently.
Learn more about CompTIA at RSA 2019.