Panaseer issues cyber measurement guidance to protect enterprises from compromise
June 2021 by Panaseer
Panaseer announces guidance on best-practice cybersecurity measurements to help avoid incidents. There is currently little industry guidance on which metrics matter most, or on how to standardise their calculations and the policies behind them as part of a high-quality security metrics programme. With the right metrics, organisations gain visibility into their security posture and can raise it, limiting exposure to successful attacks such as ransomware or to supply-chain compromises of the kind seen in the FireEye and SolarWinds incidents.
Among highly regulated, global organisations, Panaseer has determined that the top ten most frequently used security metrics are (in order of popularity):
1. Vulnerability remediation SLA compliance
2. Endpoint detection SLA compliance
3. Vulnerability scan coverage
4. CMDB inventory completeness coverage
5. Endpoint detection coverage
6. Vulnerability outlier analysis
7. Active Directory enrolment coverage
8. Application security scan coverage
9. Application security SLA compliance
10. Active employee leavers
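As an added worked example (not code from Panaseer or its CCM platform), the Python below computes five of the metrics listed above from small, constructed datasets: CMDB completeness, vulnerability scan coverage, endpoint detection coverage, vulnerability remediation SLA compliance and active employee leavers. The metric definitions, the SLA days per severity, the 30-day scan window and every record in the sample data are assumptions made for illustration; a real programme would agree these definitions with the control owners before reporting on them.

```python
"""Added example: computing five controls-monitoring metrics from constructed
inventory, scanner, EDR, vulnerability and HR extracts. Not Panaseer's code.
"""
from datetime import date, timedelta

AS_OF = date(2021, 6, 15)                                         # measurement date (assumed)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # remediation policy (assumed)
SCAN_WINDOW_DAYS = 30                                             # "scanned" = seen inside this window (assumed)

# Constructed CMDB export: one record per asset. Two records are incomplete.
CMDB = [
    {"host": "web-01", "owner": "app-team", "criticality": "high"},
    {"host": "web-02", "owner": "app-team", "criticality": "high"},
    {"host": "db-01",  "owner": "",         "criticality": "high"},    # no owner
    {"host": "lab-07", "owner": "research", "criticality": ""},        # no criticality
    {"host": "hr-01",  "owner": "hr",       "criticality": "medium"},
]
# Constructed scanner data: last date each host was scanned. "ghost-99" is unknown to the CMDB.
SCANNER_LAST_SEEN = {
    "web-01": date(2021, 6, 10), "web-02": date(2021, 5, 1),
    "db-01": date(2021, 6, 12),  "ghost-99": date(2021, 6, 9),
}
# Constructed EDR console export: hosts with a reporting agent.
EDR_AGENTS = {"web-01", "web-02", "hr-01"}
# Constructed vulnerability findings; "fixed" is None while the finding is open.
FINDINGS = [
    {"host": "web-01", "severity": "critical", "first_seen": date(2021, 6, 1),  "fixed": date(2021, 6, 5)},
    {"host": "web-01", "severity": "high",     "first_seen": date(2021, 4, 1),  "fixed": None},
    {"host": "db-01",  "severity": "critical", "first_seen": date(2021, 6, 12), "fixed": None},
    {"host": "hr-01",  "severity": "medium",   "first_seen": date(2021, 2, 1),  "fixed": date(2021, 6, 1)},
    {"host": "web-02", "severity": "high",     "first_seen": date(2021, 6, 1),  "fixed": None},
]
# Constructed HR leaver feed (user -> leave date) and directory export of enabled accounts.
HR_LEAVERS = {"alice": date(2021, 5, 20), "bob": date(2021, 6, 14)}
ENABLED_ACCOUNTS = {"alice", "carol", "dave"}


def ratio(num, den):
    """Proportion as a float; 0.0 when there is nothing to measure."""
    return round(num / den, 4) if den else 0.0


def cmdb_completeness(cmdb, required=("owner", "criticality")):
    """Share of CMDB records with every required attribute populated."""
    complete = [a for a in cmdb if all(a.get(field) for field in required)]
    return ratio(len(complete), len(cmdb))


def scan_coverage(cmdb, last_seen, as_of=AS_OF, window=SCAN_WINDOW_DAYS):
    """Share of CMDB assets the scanner has seen inside the window.

    Also returns the gaps in both directions: CMDB assets not recently scanned,
    and scanner hosts that the CMDB does not know about.
    """
    cutoff = as_of - timedelta(days=window)
    hosts = {a["host"] for a in cmdb}
    covered = {h for h in hosts if h in last_seen and last_seen[h] >= cutoff}
    return ratio(len(covered), len(hosts)), hosts - covered, set(last_seen) - hosts


def edr_coverage(cmdb, agents):
    """Share of CMDB assets with a reporting endpoint detection agent."""
    hosts = {a["host"] for a in cmdb}
    return ratio(len(hosts & agents), len(hosts))


def sla_compliance(findings, as_of=AS_OF, sla=SLA_DAYS):
    """Per-severity (compliant, total) counts.

    A finding is compliant if it was fixed within its SLA, or is still open but
    not yet older than its SLA. Late fixes and overdue open findings both count
    as breaches, so closing a ticket late does not make the metric look good.
    """
    result = {}
    for f in findings:
        end = f["fixed"] or as_of
        age_days = (end - f["first_seen"]).days
        ok, total = result.get(f["severity"], (0, 0))
        result[f["severity"]] = (ok + int(age_days <= sla[f["severity"]]), total + 1)
    return result


def active_leavers(leavers, enabled_accounts, as_of=AS_OF):
    """Accounts of people who have already left but are still enabled."""
    return {user for user, left in leavers.items() if left <= as_of and user in enabled_accounts}


if __name__ == "__main__":
    cov, unscanned, unknown = scan_coverage(CMDB, SCANNER_LAST_SEEN)
    print("CMDB completeness:", cmdb_completeness(CMDB))
    print("Scan coverage:", cov, "unscanned:", sorted(unscanned), "not in CMDB:", sorted(unknown))
    print("EDR coverage:", edr_coverage(CMDB, EDR_AGENTS))
    print("SLA compliance by severity:", sla_compliance(FINDINGS))
    print("Enabled leaver accounts:", sorted(active_leavers(HR_LEAVERS, ENABLED_ACCOUNTS)))
```

The point of returning both directions of the inventory gap from `scan_coverage` is that a coverage percentage alone hides the hosts the scanner sees but the CMDB does not; those are exactly the assets no SLA or ownership metric will ever be computed for.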
Panaseer’s CCM platform includes these and hundreds of other best-practice security metrics via its new in-platform Security Metrics Catalogue. In addition to Panaseer’s own expertise, the Security Metrics Catalogue has been curated from a wide community of customers, industry experts, and framework organisations such as NIST, and in collaboration with the Center for Internet Security (CIS). The catalogue also provides recommendations to help security teams improve their metrics programme quickly, through metric groupings that include a ‘getting started’ collection, a peer-based recommendation collection, a customer favourites collection, and access to newly emerging metric suggestions.
The company is also sharing best practices with the broader industry through a new free resource, the ‘Security Metrics Hub’. It includes advice and educational security measurement material aimed at helping enterprises determine the most impactful metrics for their programme. CCM is fast becoming a required capability for regulated enterprises. The technology addresses one of the biggest challenges in cybersecurity today: enterprises do not know whether their security controls are providing full protection at any given moment. Last year CCM was included as a new category in Gartner’s Risk Management Hype Cycle.
Andrew Jaquith, industry veteran, CISO of QOMPLX Inc, and author of Security Metrics: Replacing Fear, Uncertainty, and Doubt, comments: ‘As W. Edwards Deming put it, ‘In God we trust. All others bring data.’ Organizations need trustworthy data to show that their cybersecurity programs are keeping them safe and reducing risk effectively. Panaseer’s Metrics Catalogue gives customers new options for using and sharing common cyber metrics, enabling better collaboration and elevating the state of practice.’
Mike MacIntyre, VP Product, Panaseer, adds: ‘The only way to prevent a cyber-attack from succeeding is to have the proper cyber controls in place. However, cybersecurity control failures have topped the list of executive concerns, according to a recent report from Gartner, Inc. on emerging risks. This problem is fuelled by a lack of industry standards in the metrics that organisations should measure and monitor to best protect themselves. We are solving this industry issue by providing a blueprint of best-practice metrics, which are available in-platform for our customers, supported with valuable information on our website that’s free for all.’
Last year Panaseer commissioned a study of 400 security leaders* working in large financial services companies. The vast majority of respondents (96.77%) said they use metrics to measure their cyber posture. However, fewer than half (47.75%) said they were ‘very confident’ that they are using the right security metrics.
Panaseer is bringing together industry knowledge and best practices to increase overall confidence in enterprise security measurement programmes.