In this post, we get insights from Chris Strand, Security and Risk Compliance Officer at Carbon Black. He will present “Measuring Security and Compliance: A Proactive Approach to PCI Scorecarding” at the European Community Meeting in Edinburgh.
What are you seeing in the current threat landscape?
Chris Strand: There are a number of confluences that I am seeing in the current threat landscape. Variants of attacks are becoming more resilient, using different channels to infiltrate traditional security defenses, and taking advantage of the many threat distractions that are inundating businesses. There is also a renewed focus on preying on systems that are aging, unsupported, geographically distributed, or lacking the proper security controls that can provide sufficient visibility over the security posture against common risk frameworks. The current threat landscape seems to be taking advantage of some businesses’ inability to understand their risk maturity or posture properly. With the increased complexity of threats that are present within the current threat landscape, I am seeing that many organizations are struggling to apply any type of measurable analytics or frameworks that can help discover the true gaps within their security posture. I see a need within the current environment for more collaborative intelligence and a shift towards a collective approach using shared or united threat metrics and data to accelerate to a stronger security posture across the community.
What are some consequences of weak security and compliance postures?
Chris Strand: First and foremost, the failure to detect a security incident in a timely fashion. Security and compliance postures work hand in hand to provide a way to measure the strength of one’s security controls. One also relies on the other when assessing the validity and functionality of security controls. If the compliance posture is weak or in some cases not even applied or enforced, it is impossible to tell if security controls are actually doing what they are in place to do. A firm compliance posture that is properly enforced will ensure that security gaps are attended to proactively, as well as validate that security controls are audited frequently, providing the best protection against current or evolving threats.
What is a cybersecurity scorecard?
Chris Strand: A cybersecurity scorecard is a simplified amalgamation of security information aligned to security policy in order to measure the true nature of security controls that are in place to protect one’s IT ecosystem. It is a way to help individuals at all levels of the organization get a sense of the cybersecurity posture at any given time. The scorecard utilizes one of many security frameworks that are designed within different industry segments and tailored to help measure security concerns relevant to those segments or verticals. Once established, a regulatory policy is utilized to apply focus and enforcement measures to the security controls that the framework calls for, which in turn reduces risk and empowers stakeholders across the organization with reports as well as point-in-time status of security posture that is relevant to them.
What are some reasons organizations should consider a cybersecurity scorecard?
Chris Strand: In the wake of recent threats, the increased liability of security regulatory policies, and the need to simplify actionable threat intelligence, organizations should consider aligning their security metrics into a scorecard that can give them a proactive view of their security posture. A cybersecurity scorecard can help improve security posture, improve awareness of cybersecurity policy across the business, empower security investment decisions, accelerate compliance enforcement, enable proactivity in dealing with threats, and lastly, reduce corporate liability.
What are you most looking forward to at this year’s community meeting?
Chris Strand: I’m most looking forward to meeting with the many participating organizations and discussing their approach to risk measurement and security policy, as well as the combined solutions they have put in place to help them understand the risk to their security controls. That discovery will involve learning more about the top threats and variants that organizations in our community are seeing and validating the recent trends we are realizing in the PCI and merchant environment. Particularly and more importantly, I’m looking forward to discovering how organizations are using the PCI DSS to help apply scrutiny to audit common baseline security controls that enable their systems to become resilient to the threats that are targeting our market.