Security leaders are constantly facing questions surrounding how “good” their organization’s security is, or where its security posture stands. Naturally, the performance of their security solutions comes into play, especially when the business likely allocates a considerable budget towards the bells and whistles that are intended to ward off cyber threats.
But given the market is saturated with solutions that claim to do it all for security professionals, how easy is it to report the performance of that technology to upstream management, and how accurate could that possibly be? That’s a loaded question that doesn’t necessarily have one answer given the many variables at play.
One thing’s for sure, this is a topic security leaders are frequently asked to address by the business.
“The reality is, every product has weaknesses,” says Vik Phatak, CEO of NSS Labs. “Understanding empirically with data where those gaps are, so you can understand what approach you can take, [helps you understand] if it’s better to add another security layer, patch certain applications, or to move away from certain applications altogether.”
According to Phatak, it’s critical to understand the security products you have, no matter how many there are. This allows security practitioners to calculate not only the time to detect a threat, but also the time to remediate it.
“One of the bigger challenges, when you start talking about data and metrics and really taking a scientific approach to understanding what the variables are, is [understanding] what’s under your control and what’s not under your control,” says Phatak. “[That helps provide] context so you can make the right proactive decisions to have the biggest impact.”
Recently, InfoSec Insider caught up with Phatak who discussed what the state of measuring security performance is today, what approach practitioners should be taking, and what the common mistake is that security pros make when it comes to purchasing security solutions.