Digital transformation initiatives and the adoption of cloud, mobile, and remote work models have eviscerated the traditional security perimeter. Enterprise assets are distributed across the cloud, endpoints, mobile, and personally owned devices and expanded the attack surface in the process. Organizations are increasingly vulnerable to attack via unknown and unmanaged Internet-facing assets.
These factors are driving the need for organizations to bolster visibility of all of the assets in their digital ecosystem. CISOs are increasingly calling for their teams to not just continually monitor externally observable cyber risks such as misconfigurations, vulnerabilities, unpatched systems, open ports, and third-party exposures through which threat actors can launch attacks. They're also seeking ways to contextualize these voluminous exposures with other quantifiable risk factors like geographical risk, business criticality of systems observed, and physical safety risks from OT/ICS systems.
Fundamentally, the push toward this kind of visibility through exposure management is all about prioritizing risk management activities. But the real-time views also provide a valuable governance measuring stick. When leveraged well, exposure management can also become a boon for security benchmarking—both internally and against industry peers.
Benchmarking Basics
With cybercriminals constantly scanning for and exploiting publicly exposed systems and misconfigurations it has become imperative for infosec teams to have the same visibility over their external facing IT estate that attackers have. Without understanding the extent of external exposure organizations, it is no longer possible for organizations to accurately quantify and manage cyber risks.
Such quantification also gives infosec teams a way to measure security posture improvements over time and to identify gaps and areas for improvement. It allows security decision makers to compare their organization's security posture against industry peers and provide empirical evidence of the need for investments in areas where they might be lagging behind others.
Peer benchmarking is one way to demonstrate due diligence to standard security practices especially for organizations covered by industry regulations such as the PCI data security standard. Cyber insurers too often use benchmarking for making policy pricing decisions and risk evaluations.
Cyber exposure visibility and management are essential for organizations to understand and proactively manage their cyber risks, says Mike Eisenberg, vice president of strategy, privacy and risk at Coalfire. It provides a real-time view of vulnerabilities and threats, thereby allowing organizations to proactively prioritize risks and enhance resilience.
"While traditional asset visibility focuses on asset identification, exposure management delves deeper into the potential impact of threats," Eisenberg says. "Comparing an organization's security posture with industry peers, even when benchmark data is challenging to obtain, provides valuable insights."
Benchmarking gives a CISO a way to strategically present to executive leadership and the board the organization's cybersecurity position and areas for further growth.
The Value of Security Benchmarking
It highlights areas of strength and weakness relative to industry standards and prevalent vulnerabilities and offers a gauge of an organization's security maturity. Metrics like time to detect and respond to vulnerabilities, percentage of patched assets, frequency of security assessments and unresolved high-risk exposures can all be useful from a comparative analysis standpoint, Eisenberg says.
Cyber exposure management provides organizations with a view of their cybersecurity posture that is benchmarkable against peers, says Stephen Boyer, CEO of Bitsight.
"It's critical because you could say, 'Hey, we're doing really well,' but compared to what?" he says. "If your peers are all 20% higher than you with roughly the same budget spend, what's going on?"
Exposure visibility management can help put more context around whether the issue has to do with the need for more cybersecurity investment, or if it's a people, training or infrastructure issue. Boyer says. Benchmarking can help guide investment and understanding of performance.
"That's how almost all business is done anyway, some sort of benchmark peer comparison," he says.
Boyer says different leaders will seek to benchmark against peers in different ways, depending on the priorities set by CISOs and the board. Sometimes companies will seek general industry benchmarks, other times they may try to gain views into specific competitors or 'aspirational' benchmarks against firms with strong security investments in place. And then there's other board considerations.
" A board member may sit on three other boards who are in different industries, but they want to benchmark against those companies," he says.
John Bambenek, former principal threat hunter at Netenrich and now an independent consultant says many cyber insurance companies are doing this very analysis in calculating premiums, as are companies that are measuring third-party risk.
As organizations have adopted more of a cloud-first posture, the pathways to sensitive data have only increased. A breach can result from, simple things like a developer copying production data into unprotected S3 buckets, or from secrets stored in Github repositories, and infrastructure being deployed in the cloud that an organization is completely unaware of, he says.
"In business there is always a desire to show return on investment in objective, quantifiable terms," Bambenek says. "Security can’t do that with revenue so we need other measurements and peer scoring is a good tool."
Benchmarking helps justify budget to the board and leadership. It can shift the conversation from “give me money, please” to “this is what due care looks like” in ways those who understand risk and liability can understand, he says.
As with everything security related, context is key when using quantifiable risk exposure metrics to do peer comparisons. Such benchmarking can be useful in helping enable a better understanding of cyber risk and to assess the success—or not--of attempts to mitigate those risks. But benchmarking needs to be part of a holistic security strategy and not its sole driver.
Eli Nussbaum, managing director at infrastructure and cybersecurity services provider Conversant Group cautions against allowing peer benchmarking to lead to a sense of false security. An organization's readiness to protect against security risk ultimately is a function of its security policies, people, processes, and products working in an orchestrated fashion. Organizations must evaluate their risk and readiness against the current threat landscape and not let benchmarking guide their security efforts, he says.
"[A] CISO's responsibilities are not limited to being just faster than the slowest buffalo in the herd," Nussbaum says. "To think otherwise implies that the threat actors are performing a similar peer group evaluation and only attacking the most vulnerable – or the slowest buffaloes," he says.