Government agencies often focus on the threats that affect their cyber systems — and for good reason. But what evidence do they have to prove the value of their security investments?
Answering that question requires moving the conversation beyond addressing threats to considering — and measuring — whether cybersecurity tools are effective, said retired Air Force Maj. Gen. Earl Matthews, currently Vice President of Strategy at Mandiant Security Validation, a cybersecurity risk assessment platform.
If agencies can accurately measure their security effectiveness, they can achieve significant gains: reduced risk, organizational alignment and increased security value.
1. Reduced Risk
One of the main challenges agencies face is determining their cyber strategy focus. With so much to defend against, it can be difficult to find a starting point. For Matthews, it starts with understanding your threat profile.
“A well-developed cyberthreat profile provides extremely relevant and valuable input from a strategic, operational and tactical nature,” he said.
Strategically, it helps answer questions such as why a certain threat targets an agency. Operationally, it helps answer how an agency should hunt for the threat in its environment. Tactically, it helps prioritize which vulnerabilities the agency should patch first or which alerts to emphasize.
2. Organizational Alignment
Leaders at every level can benefit from measuring security accurately and being better aligned on cyber issues.
Operationally, agencies are prone to take a vendor’s product, put it in and turn it on without understanding how they should modify it for their organization. It’s vital for operations personnel to effectively understand and measure cybersecurity so they can properly adapt products to meet their risk framework.
“The reality of how their security controls work is not matching what they think is happening in the environment. And that is why it’s absolutely key to know the efficacy of their control to have data to measure and explain that,” Matthews said.
For executives, it’s also difficult to find answers to high-level, business-focused questions around cybersecurity without metrics.
“I was asked this during my role as the Air Force CISO: ‘Hey Earl, we’re spending a lot of money on cybersecurity. How do we know if we’re getting better or worse?’”
Today, with security validation metrics and automation, Matthews could answer that question.
3. More Value
With the capability to measure cyber effectiveness, agencies can get more value out of the security tools they already own.
One agency, for example, discovered that its recently deployed firewalls only had a 24% utilization rate. Let’s say the firewall was $100,000. That meant it was only getting $24,000 of value. Over a three-day period, the security validation platform was able to drive that up to 74%, putting the agency’s money to better use and increasing its security boundary.
“The best defense today requires having near real-time visibility into your security tools and the assurance that those tools are performing according to your organization’s risk needs, not just the way the vendor promised,” Matthews said.
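The measurement Matthews describes (replay scripted test actions against a control, count how many it blocks and how many it alerts on, then track that rate over time and translate it into the value the agency is actually getting) can be reduced to a small scorecard. The following is an added illustration, not code from the article or from Mandiant Security Validation; the control name, test identifiers and the 50-test result sets are constructed so that the "before" run lands at the article's 24% and the "after" run at 74%.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ValidationResult:
    """Outcome of one validation test: a benign, scripted action replayed against a control."""
    control: str      # name of the control under test (constructed label)
    test_id: str      # identifier of the scripted test action (constructed)
    prevented: bool   # did the control block the action?
    alerted: bool     # did an alert for the action reach the operations team?


def efficacy(results):
    """Per-control prevention and detection rates (fractions in [0, 1]) plus the silent misses."""
    by_control = defaultdict(list)
    for r in results:
        by_control[r.control].append(r)
    report = {}
    for control, rs in by_control.items():
        n = len(rs)
        report[control] = {
            "tests": n,
            "prevention_rate": sum(r.prevented for r in rs) / n,
            "detection_rate": sum(r.alerted for r in rs) / n,
            # neither blocked nor alerted on: the tactical gaps to work first
            "silent_misses": [r.test_id for r in rs if not r.prevented and not r.alerted],
        }
    return report


def realized_value(purchase_cost, prevention_rate):
    """The article's rough framing: purchase cost scaled by the share of tests the control handles."""
    return round(purchase_cost * prevention_rate, 2)


def compare_runs(before, after):
    """Change in prevention rate per control between two validation runs (e.g. before/after tuning)."""
    b, a = efficacy(before), efficacy(after)
    return {c: a[c]["prevention_rate"] - b[c]["prevention_rate"] for c in a if c in b}


def constructed_run(prevented_count, alerted_count, total=50, control="perimeter-firewall"):
    """Build a constructed result set (not real data): the first `prevented_count` tests are
    blocked and the first `alerted_count` produce an alert; the rest pass through silently."""
    return [
        ValidationResult(control, f"T{i:03d}", i < prevented_count, i < alerted_count)
        for i in range(total)
    ]


# Constructed runs: 12/50 blocked before tuning (24%), 37/50 after (74%).
BEFORE = constructed_run(prevented_count=12, alerted_count=20)
AFTER = constructed_run(prevented_count=37, alerted_count=40)

if __name__ == "__main__":
    cost = 100_000  # illustrative purchase price used in the article's example
    for label, run in (("before", BEFORE), ("after", AFTER)):
        for control, stats in efficacy(run).items():
            print(f"{label:6} {control}: prevention {stats['prevention_rate']:.0%}, "
                  f"detection {stats['detection_rate']:.0%}, "
                  f"silent misses {len(stats['silent_misses'])}, "
                  f"realized value ${realized_value(cost, stats['prevention_rate']):,.0f}")
    for control, delta in compare_runs(BEFORE, AFTER).items():
        print(f"{control}: prevention rate changed by {delta:+.0%}")
```

The silent-miss list is the part worth keeping an eye on: a test that is neither blocked nor alerted on is the case where the agency believes it is covered and is not, which is exactly the mismatch between assumed and actual control behaviour the interview calls out.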
This article is an excerpt from GovLoop’s recent guide, “Resilience Lessons From State & Local Government.”