AFTER CONDUCTING a penetration test and addressing all the vulnerabilities it exposes, a company should feel confident in its cybersecurity posture. But that’s not necessarily the case. Cyberthreats change daily.
Continuous security validation is the confidence booster that most organizations need. It’s an ongoing testing method that employs various tools to verify that your managed service customer’s security controls are working as expected.
Think of it as a daily check on security posture, says Erik Holmes, CEO of Cyber Guards, a managed security services provider in Memphis, Tenn.
The continuous method moves organizations away from “big bang” evaluations and remediation to a business-as-usual security validation approach, says Jon France, CISO for IT security organization (ISC)². “Especially when it is automated, such an approach also bolsters good risk management and readiness scoring, which can show the organization’s posture at a moment’s notice,” he says.
When a Lot Isn’t Enough
Even when you deploy dozens of tools to build your client’s security posture, the client can remain vulnerable to a breach. Defenses that are strong today or tomorrow can falter next week or next month. That’s the nature of the cyberbeast. Threat actors work tirelessly to refine their attack methods and introduce new threats.
It’s a tough challenge for any company to maintain robust defenses against an enemy that morphs constantly and draws from a seemingly endless supply of new tricks. By conducting continuous security validation—or having a service provider do it for them—organizations increase their chances of fighting off new and evolving threats.
Traditional penetration tests provide a snapshot in time, and the results can be overwhelming. “When you hand someone a mountain of problems, they sometimes won’t get started on addressing them at all,” says Holmes.
Continuous security validation changes that. When Cyber Guards finds problems, the provider hands a client prioritized lists so they can address the more pressing vulnerabilities more quickly, he says.
Despite its obvious benefits, continuous validation takes some getting used to. “One challenge with implementing continuous security validation is changing your mindset and moving toward an always-on method of dealing with validation and the results,” says France.
“You’ll have to fine-tune and find a balance so you’re not going into panic mode over false positives or ignoring alerts because you’re receiving too many, too frequently.”
Eventually, however, most companies become comfortable with continuous security validation. After all, says Holmes, the approach supports an organization’s growth and health over time.
When Cyber Guards runs its first pen test on an organization, it can compromise 85% to 95% of the client’s environment. With continuous validation, those numbers drop to 8% to 12% in three months, says Holmes.
PEDRO PEREIRA is a freelance writer in New Hampshire who has covered the IT channel for two decades.