Understanding the security activity portfolio

There are many ways to approach security and risk management. A large organization may be able to afford to try a variety of security tools and activities and see what works; but if you are a smaller entity, or your risk management program must face the realities of budget and resource constraints, you need to put more thought into where you invest.

I strongly believe the security industry must continually look for ways to improve the standard accepted approaches to risk management, so that security defense becomes more cost-effective and more widely practiced across the digital world. I'm excited to see how security visionaries are rethinking classic security concepts such as penetration testing, and what new advantages that can bring to the table. And I truly do mean rethinking for better effect, not marketing gimmicks or bolting machine learning onto an existing product just to claim "me too" ML-era advantages.

Through conversations with some associates at Cobalt.io, I became motivated to look deeper at how crowd-sourced security approaches (bug bounties, crowd-sourced penetration testing, etc.) are faring. After all, these newer approaches have now been around long enough to produce execution metrics and a track record that can be compared against the mainstay security activities. Have they graduated to a permanent place in the security activities portfolio? Are they proving cost-effective for the results they bring? Or are they delivering results that could be had better or cheaper through more classic means?

With support from Cobalt.io, I decided to document a holistic perspective on the different security activities organizations typically leverage, using BSIMM results and other industry reports as evidence of where organizations are generally investing. My intention was to look at the benefits and shortcomings of each activity (hopefully objectively, though I'll admit potential mild bias from my own experience over the last ~20 years). More importantly, I wanted to be realistic about where an activity assumes or requires seasoned cybersecurity skills to deliver its maximum benefit, and so to look deeper at how each activity is affected by the shortage of experienced security professionals. In all of my consulting engagements, I've challenged organizations to be pragmatic about staffing strategies that incubate new security professionals from scratch; understanding the particulars of each security activity is critical to knowing how best to direct a nascent security team.

You can download the whitepaper for free from Cobalt.io (free registration required). And I always appreciate feedback, so be sure to drop me a note if you find the material helpful for navigating your security program options!

Tags: risk management, industry analysis