Despite being a high priority, many organizations still approach security hygiene and posture management in a haphazard manner, leaving themselves vulnerable to cyber attacks. Before implementing security measures such as acceptable use policies, security awareness training, and various security technologies, organizations must first fully understand the assets they possess, who owns them, how they are used, and whether they are securely configured.
Various standards bodies and security best practices, such as the NIST SP 800 series, CIS Critical Security Controls, and ISO 27001, as well as security regulations like HIPAA, PCI DSS, and FISMA, all emphasize the importance of strong and continuous security hygiene and posture management.
To put it into context, security hygiene and posture management can be compared to locking and maintaining the integrity of all the doors and windows in a house to protect it from intruders. However, imagine living in a European castle with numerous family members and hundreds or thousands of doors and windows. Each staff member is responsible for locking and maintaining a subset of these doors and windows, making it challenging to monitor and verify that everything is secure.
Recent research conducted by TechTarget’s Enterprise Strategy Group sheds light on the complexities of security hygiene and posture management:
1. 73% of security professionals rely on spreadsheets for their organization’s security hygiene and posture management. This approach requires significant time and effort to gather, normalize, deduplicate, and ensure the data’s integrity. However, it only provides a static asset inventory that becomes less accurate over time. Even with accurate data, IT and security teams must analyze it, prioritize actions, and track risk mitigation.
2. 73% of security professionals claim that their organizations have strong awareness of approximately 80% of their total assets. However, this still leaves 20% of assets unmanaged, poorly managed, or completely unknown. The lack of knowledge about these assets can pose a significant risk.
3. 68% of security professionals find it difficult to determine the highest priority risk mitigation actions. With more asset, configuration, and vulnerability data, organizations face an analytics bottleneck. It becomes challenging to identify the most critical issues that require immediate attention. This is why many security technologies now incorporate machine learning, attack path mapping, and risk scoring.
4. 56% of security professionals struggle to identify which assets are business-critical. While it may seem obvious to identify systems that generate revenue, it is not always straightforward. Business-critical systems may be interconnected with third-party websites, include production data in development and test systems, or rely on single application services used by multiple customer-facing applications. Cloud-native applications and DevOps further complicate the issue.
5. 50% of security professionals find it challenging to keep up with security hygiene and posture management due to the growth and frequent changes in their attack surface. As organizations establish more third-party IT connections, rely on a larger remote workforce, adopt public cloud services, and embark on digital transformation initiatives, their attack surface expands. With more assets, the difficulty of managing security hygiene and posture increases accordingly.
CISOs recognize these challenges and take steps to address them at scale:
1. 92% of organizations are interested in exploring emerging technologies for security hygiene and posture management. These technologies include attack surface management, security asset management, and risk-based vulnerability management. These tools provide visibility into blind spots, aggregate and analyze siloed data, and offer risk-based guidance on prioritizing issues.
2. 83% of organizations prioritize security hygiene and posture management mostly or exclusively for business-critical assets. While focusing on crown jewel security is essential, it is ineffective when assets are constantly changing and interconnected. A more comprehensive approach to security hygiene and posture management is necessary.
3. 81% of organizations use the MITRE ATT&CK framework to identify security hygiene and posture management priorities. This framework provides a map of adversary tactics, techniques, and procedures, allowing security teams to focus on the most likely targets based on industry, region, and historical attack patterns. In combination with penetration testing and red teaming, organizations can validate their security defenses.
Despite advancements in cybersecurity over the past two decades, organizations still struggle to address fundamental questions about security hygiene and posture management. The scale of the problem has increased exponentially, leaving organizations vulnerable to potential cyber attacks. Without establishing a baseline for security hygiene and posture management, cybersecurity protection becomes a game of chance.
It is crucial for organizations to prioritize security hygiene and posture management, leveraging emerging technologies and frameworks to gain visibility, prioritize actions, and mitigate risks. Only by taking a comprehensive and proactive approach can organizations effectively protect themselves from cyber threats in today’s complex and interconnected digital landscape.

