Security Success is Found When Continuously Measuring the Right Things, Across Your Ecosystem

Security monitoring and measuring needs to be expanded to trusted third parties; here’s why.

When it comes to securing sensitive data from attack, there’s certainly no lack of evidence that current tactics are falling short. This is despite the considerable investment that enterprises have made to secure their systems and data. According to the research firm Gartner, worldwide security software spending reached $19.2 billion in 2012, an increase of 7.9 percent from the prior year. There’s no sign of that spending slowing any time soon.

Regardless of these efforts, the outcome has been less desirable. This is evidenced in the stubbornly consistent poor quality of software security, new forms of ever more successful malware, advanced attack exploits, and countless data breaches. And there’s also a quiet, yet massive, amount of intellectual property theft underway — to the sum of $300 billion annually according to the Commission on the Theft of American Intellectual Property.

The brilliant physicist Albert Einstein is often quoted as saying that the definition of insanity is doing the same thing over and over again and expecting different results. By that definition, many aspects of IT security are nothing short of insane.

So what should risk management and security professionals change?

For starters, we do know that many organizations simply aren’t looking for the right breach indicators on their systems. According to the Verizon 2013 Data Breach Investigations Report, for instance, most compromises are underway for weeks and months before they are detected. And in about 70 percent of the cases, the enterprise doesn’t become aware of its own compromise through its own efforts — rather a partner or a third party actually notifies it that there is a problem. Not good.

We know that organizations are struggling with all of these issues on the systems they run and manage. When taking into account the uncertainty that enterprises accept when connecting systems with third parties, it becomes apparent how much risk is actually being taken on through the extended business of partners, suppliers, and in some cases even customers.

It’s also a serious miscalculation to think such third party risks can be properly mitigated through questionnaires, contracts, and Service Level Agreements (SLAs). The fact is that IT risks simply change too rapidly to be adequately managed this way. Malware, changing IT infrastructures, software vulnerabilities, and new advanced attack techniques move too swiftly for static and annual third-party reviews, and SLAs, annual penetration tests, and quarterly vulnerability assessments are all too slow or reactive to measurably reduce risk for any meaningful period.

More and more enterprises understand this need for continuous measurement, particularly when it comes to internal risks. That’s why many organizations are moving toward continuous security monitoring to both find and extinguish threats more readily. The government too now understands the importance of on-going measurement. Consider the Federal Information Security Management Act (FISMA), and its move from static to continuous monitoring, and how this move is improving security outcomes for federal agencies.

But why stop at internal systems? It’s certainly true to say that no enterprise is an IT island — so it only makes sense to continuously monitor and measure the security posture of third parties and look for real-world indicators of compromise there, as well.

This way, just as more and more organizations are doing with internal systems, as soon as there’s evidence of a compromise such as suspicious outbound communications or malware activity, mitigating measures can be taken immediately.

If the definition of insanity is in fact doing the same thing over and over again while expecting different results, it’s about time enterprises take a significant step toward sanity and start looking at ways to mitigate the very real risks they face from their extended enterprise.