As homo-sapiens we are naturally competitive creatures. Although evolutionally this has helped our species in numerous ways, there are a few times where it bites us right in our highly evolved butts…
When we perform network vulnerability assessments and network penetration tests, the one thing we’re most frequently asked is: “How does our security posture compare to other businesses you’ve tested?”
I think comparing one’s business to others is usually just a way to feel better about one’s security program, rather than understanding how to improve it. It’s like that joke about not having to outrun the bear… just the person running next to you. If your neighbors leave their doors unlocked, is that a smart standard to gauge your security against?
“The way to feel good about your security posture is to verifiably improve it”
For example, we often discuss the comparative strength of a client’s security posture in relation to Common Vulnerability Scoring System (CVSS) scores. This system scores vulnerabilities on a 0-to-10 scale. You could have a decent average score across your vulnerabilities, but still have several severe critical vulnerabilities in the mix.
So you might think you’re doing “comparatively” OK… but it only takes one critical vulnerability to sink your ship. This is why we encourage clients to use the data we give them to prioritize remediation of their vulnerabilities, not to compare themselves to industry peers.
Comparisons or benchmarks may be helpful in securing funding for an information security program, or to help convince customers, regulators or other stakeholders that your security is acceptable. But it’s a slippery slope to think that being “more secure” or “as secure” as other companies actually means your data is safe.
The way to feel good about your security posture is to verifiably improve it—especially be remediating your most critical vulnerabilities. Otherwise you might develop a false sense of security that could leave you exposed.
To find out how secure you really are, and how best to improve your security posture in line with business goals, contact Pivot Point Security.