How to demonstrate trust in cybersecurity practices with organization leaders

A new report advises CISOs to measure their security investments and identify critical weaknesses by conducting continuous penetration testing.

Chief information security officers working at high-profile enterprises know their jobs are as much about guarding their organization’s brand reputation and trust as they are about IT security.

But to ensure that trust, CISOs need to know whether their security investments are actually working, and that calls for having metrics that matter to senior management, according to a new report.



“It’s all about measurement,” says Home Depot CISO Stephen Ward, in remarks quoted in “The 2019 Trust Report,” released by Synack. “CISOs need a way to present security to their executive team and board in a way that clearly demonstrates and measures business risk to the organization. The executive team doesn’t want to talk about security — they want to talk about risk.”

The report provides CISOs with a framework for using data from their security programs to gain a clearer sense of their organization’s ability to withstand damaging cyberattacks — and communicate that ability to senior management more quickly, using a trust scoring system.

With Synack’s proprietary Attacker Resistance Score, CISOs have a way to gauge the level of effort or cost real-world attackers must exert to penetrate their systems. The score captures the severity and quantity of vulnerabilities discovered in individual assets and measures how efficiently an organization resolves identified issues. Those and other measures give CISOs greater ability to know where to prioritize their efforts, the report says.

The report provides a snapshot of how well organizations are performing across nine industry sectors, based on thousands of crowdsourced penetration tests and vulnerability assessments conducted by Synack. The organizations represented in Synack’s research include globally leading financial services, retail and health care firms, as well as a significant number of U.S. government agencies.

The Attacker Resistance Score draws on testing by Synack’s Red Team, a global network of white-hat hackers, and on AI technology that continuously probes and tests an organization’s defenses. Synack generates a score between 0 and 100 for every asset, assessment and organization; the higher the score, the higher the attacker resistance.

Among other findings in Synack’s global research: Organizations that have used crowdsourced penetration testing for two years have an Attacker Resistance Score up to 200 percent higher than those that either do not use a crowdsourced approach or have done so for less than one year.

And organizations that conduct security testing continuously have Attacker Resistance Scores 43 percent higher on average than those that test on a point-in-time basis.

Additionally, the findings indicate that the severity of attacks among the organizations surveyed in the report declined at a compound annual rate of 4 percent over the past two years. This aligns with security teams’ ability to find vulnerabilities earlier and reduce the severity of their impact.

“Historically, [benchmarking] has been extremely difficult to do, but the Attacker Resistance Score has presented CISOs with a new tool and opportunity,” said Synack co-founder and CEO Jay Kaplan in the report. “When you have a quantifiable measure, you can then start to improve your situation.”

The report suggests that a crowdsourced approach to penetration testing can offer organizations the scale and diversity of a global hacker network, while also providing unique insights, analytics and remediation advice.

Read the full report to see the findings from the cybersecurity study and to learn more about industry best practices and benchmarking tools that help increase cyberthreat awareness.

This article was produced by CyberScoop for, and sponsored by, Synack.
