January 8, 2016

Cybersecurity effectiveness will be measured by risk reduction, not technology deployment

Many businesses today begin securing their data with a checkbox.

That is, a chief security or information officer is told, “We need to secure X,” thus the goal becomes, “Find a solution to tick the ‘X’ security checkbox.” This is how we measure the security of our information today, by itemizing the technologies we’ve deployed across an organization. Unfortunately, this kind of mentality gets in the way of rational thinking about how to solve real security problems enterprises are facing today. The security industry and its customers alike must move away from a checkbox mentality toward considering true risk reduction: how does this technology measure its success?

Though it seems obvious — people researching their security technologies and those technologies, in turn, proving their worth — but we have a reactive paradigm that throws technology at a problem in order to cover liability. The new world of accountability is actually a tall order for CSOs, CIOs, and security vendors alike. We’re all going to be held to higher standards. We share a burden of proof.

Screen Shot 2016-01-08 at 11.29.44 AMIn the past, security technology wasn’t as regularly tested in the “real world” as it is today. That is, breaches are happening and being publicized at a far higher rate than ever before. There are seemingly multiple breaches a week. This means the security technology behind those breaches may get 15 minutes of undesired fame and the CSO gets a meeting with her boss.

Going forward, security vendors will need to answer the question, “Does this security technology work?” Security stakeholders within an enterprise will answer the question, “Does this security technology work for me?”

In mobile security, specifically mobile threat protection, we care about stopping known malware from infecting devices, identifying unknown malware, and something called “dwell time,” or the length of time between the malware appearing on a person’s device and the mobile security technology first detecting it.

Currently, there’s a lot of misunderstanding as to what these success metrics really mean. For example, there are a number of tests out there that test whether a solution can detect known pieces of malware. Unfortunately, this kind of isolated measurement only looks at what we know and not what is still living in the shadows and, maybe most importantly, how long it takes for a security technology to detect any kind of malware once a device encounters it.

Accountability should be evident in the product as well. For example, we don’t make the assumption that individuals using Lookout Mobile Security understand the ins-and-outs of security, so we present them with education to help them understand the threat they may be facing and what they can do about it. Enterprise IT administrators, however, are experts in the field who need deeper analytics that can surface, within a half second of a threat appearing on an individual’s device, threats to the enterprise and provide the ability to act.

It’s a shifting landscape of responsibility and accountability, but a worthy shift. Headline-making breaches pack the pressure on our solutions to show they work and on enterprise decision-makers to prove they’ve reduced risk. Checking the box isn’t going to last.

Leave a comment