Security Performance Management: how to improve customer security posture
September 24, 2021
For this blog, I caught up with Charlotte Jupp, one of our longest-serving ‘seers, to talk about her new role as Head of Security Performance Management – a new function dedicated to improving customers’ security posture.
Charlotte will be leading this new company division, focusing on helping customers advance their security programme with guidance, best practices and actionable recommendations.
Guidance and best practices for security measurement
Organisations are looking for security measurement guidance – metrics best practices to evaluate the effectiveness and maturity of their security programme, and mitigate their overall cyber exposure.
‘We want to be showing them the way’, says Charlotte. ‘We are supplying and sharing our learnings in security measurement and Continuous Controls Monitoring (CCM). They’re looking for guidance in what to measure, how they should measure it, what to remediate, what to prioritise, and therefore how they should reduce their risk. We can bring them that guidance.’
Through discussions with our customers, advisors, industry leaders, security metrics experts and framework bodies, often led by Charlotte herself, we have built up security measurement expertise and learnings that we now share with our customers.
Charlotte sees the Security Performance Management (SPM) team working in several ways. SPMs will be ‘setting the customer up for success in using Panaseer to measure their security programme – making sure they’re informed and educated on the ways the platform is used, and how best they can learn from and use that’. A big part is about integrating CCM into the ecosystem: embedding it in the customer’s security processes, aligning it with their existing technology (governance, risk and compliance (GRC) tooling, SIEM, CMDB and so on), and defining their Target Operating Model.
‘Which stakeholders should use the platform outside of security? And how should they use it? What processes should we integrate with that they already have in their organisation to help them really embed the technology?’
The SPMs will provide targeted assistance to individual customers, based on learnings from previous experiences and peer recommendations, while adjusting based on their type of company, industry, size and, crucially, business requirements.
We have a variety of customers with diverse levels of security maturity – from large global organisations with tens of thousands of employees and large security teams to smaller organisations where security pros have to spread their time across many different skillsets. Smaller organisations are often looking for one kind of guidance, while larger organisations will need help embedding the technology in a complex environment.
SPMs will partner with customers to ensure all their questions are answered.
‘We will help customers to answer the security questions they have, understand their pain points and challenges, and provide solutions. But we will also provide additional value by answering questions that weren’t at the forefront of the customer’s mind, but that have been very useful to other customers.’
SPMs will guide our customers as they mature their security measurement and CCM programmes across various control areas, stakeholders, integrations and processes. The new SPM function goes beyond helping customers measure the right things: it also works with them to identify issues, run remediations and drive improvements.
Charlotte gives a few examples:
‘A classic example is around vulnerabilities in the standard build – a metric that not many organisations would ordinarily measure. If there are vulnerabilities in the standard build, then you’re constantly re-introducing old vulnerabilities fresh into your environment. But if you can fix the standard build upstream, it can be hugely effective at reducing the number of vulnerabilities in the network.’ It’s a great example of how the SPM function helps customers to identify opportunities to improve their cybersecurity measurement processes.
Similarly, say an organisation finds that 25% of their endpoints are missing EDR, and 30% aren’t being scanned by the vulnerability scanner. If that is still the case after 3 months, then they may need some guidance on where to prioritise their remediation efforts. The same can be said for gaps in the CMDB, critical devices without an identified owner, production servers with local admin rights, and many more.
Some of the learnings and guidance we have provided in the past include preventable exposure to vulnerabilities (such as the standard build example above); policy and threshold setting (what does good look like?); and creating executive dashboards (what does the board need to see?). These are a few examples of where the SPMs provide actionable recommendations.
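Measuring the coverage gaps described above is a control-reconciliation exercise: compare the asset inventory (CMDB) against what each control actually reports, check the result against a policy threshold, keep the gaps that persist across snapshots, and rank them by criticality and ownership so remediation effort goes to the right place first. The Python below is an added illustration written for this post, not Panaseer’s code or platform logic; the CMDB, the EDR and scanner feeds, the hostnames, the snapshot dates and the 95% thresholds are all constructed, and the ranking rule (critical assets first, ownerless before owned) is an assumption.

```python
"""Constructed example of Continuous Controls Monitoring: reconcile a CMDB
against EDR and vulnerability-scanner feeds, apply policy thresholds,
find gaps that persist across snapshots, and prioritise them."""

# Constructed CMDB: hostname -> (criticality, owner). owner None = no identified owner.
CMDB = {
    "web-01": ("critical", "platform-team"),
    "web-02": ("critical", None),
    "db-01": ("critical", "data-team"),
    "app-01": ("high", "app-team"),
    "laptop-17": ("low", "it-desk"),
    "laptop-22": ("low", "it-desk"),
    "legacy-05": ("medium", None),
    "build-01": ("high", "devops"),
}

# Constructed control feeds: hostnames each control reported, keyed by snapshot date.
# "rogue-01" appears in EDR but not in the CMDB, i.e. a CMDB gap rather than a control gap.
EDR_AGENTS = {
    "2021-06-01": {"web-01", "db-01", "app-01", "laptop-17", "build-01"},
    "2021-09-01": {"web-01", "db-01", "app-01", "laptop-17", "laptop-22", "build-01", "rogue-01"},
}
SCANNED = {
    "2021-06-01": {"web-01", "web-02", "app-01", "laptop-17", "laptop-22"},
    "2021-09-01": {"web-01", "web-02", "app-01", "laptop-17", "laptop-22"},
}

# Assumed policy: minimum fraction of CMDB assets each control must cover ("what good looks like").
THRESHOLDS = {"edr": 0.95, "vuln_scan": 0.95}
CRIT_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def coverage(control_feed: set, cmdb: dict) -> float:
    """Fraction of CMDB assets that the control feed knows about."""
    return len(set(cmdb) & control_feed) / len(cmdb)


def gaps(control_feed: set, cmdb: dict) -> set:
    """CMDB assets the control has never reported on."""
    return set(cmdb) - control_feed


def unknown_to_cmdb(control_feed: set, cmdb: dict) -> set:
    """Hosts a control sees that the CMDB does not list: an inventory gap."""
    return control_feed - set(cmdb)


def persistent_gaps(feeds: dict, cmdb: dict) -> set:
    """Assets missing from the control in every snapshot (still a gap months later)."""
    return set.intersection(*(gaps(feed, cmdb) for feed in feeds.values()))


def prioritise(assets, cmdb: dict) -> list:
    """Assumed ordering: highest criticality first, ownerless before owned, then by name."""
    return sorted(assets, key=lambda h: (CRIT_RANK[cmdb[h][0]], cmdb[h][1] is not None, h))


def unowned_critical(cmdb: dict) -> list:
    """Critical devices with no identified owner, another metric mentioned in the post."""
    return sorted(h for h, (crit, owner) in cmdb.items() if crit == "critical" and owner is None)


def report(snapshot: str) -> dict:
    """Per-control coverage, policy verdict, current gaps and persistent gaps for one snapshot."""
    out = {}
    for name, feeds in (("edr", EDR_AGENTS), ("vuln_scan", SCANNED)):
        cov = coverage(feeds[snapshot], CMDB)
        out[name] = {
            "coverage": cov,
            "meets_policy": cov >= THRESHOLDS[name],
            "gaps": prioritise(gaps(feeds[snapshot], CMDB), CMDB),
            "persistent": prioritise(persistent_gaps(feeds, CMDB), CMDB),
        }
    return out


if __name__ == "__main__":
    for control, r in report("2021-09-01").items():
        verdict = "OK" if r["meets_policy"] else "BELOW POLICY"
        print(f"{control}: {r['coverage']:.0%} coverage ({verdict}); "
              f"fix first: {r['persistent']}")
    print("not in CMDB:", sorted(unknown_to_cmdb(EDR_AGENTS["2021-09-01"], CMDB)))
    print("unowned critical:", unowned_critical(CMDB))
```

In this constructed data the scanner gaps are identical in June and September, so `persistent` lists the same three hosts as `gaps`, with the unowned critical web server and the critical database ranked ahead of the medium-criticality legacy host; that persistence across snapshots is the signal the post describes as the point where prioritisation guidance is needed.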
Teaming with Panaseer’s new Security Performance Management team, customers will benefit from high-impact guidance to improve security posture, assistance with interpreting and acting on trends over time, and, fundamentally, reduced risk.