Disjointed tools and manual processes provide an incomplete and unacceptable picture of cyber-risk.

While cybersecurity is complex and multifaceted, security certifications (e.g., the eight domains of the CISSP Common Body of Knowledge), regulations (e.g., HIPAA and PCI DSS), and best practices (e.g., the CIS Critical Security Controls) all recommend starting a cybersecurity program at the same place: security hygiene and posture management. Experts agree that strong cybersecurity starts with the basics: knowing about every IT asset deployed, establishing secure configurations, monitoring "drift" away from those secure configurations, prioritizing remediation actions based on risk scores, and validating that everything is working as it should.

As a simple analogy, think about maintaining your automobile. If you follow best practices like regularly changing your motor oil, keeping your tires inflated to the recommended pressure, and following the maintenance schedule in your owner's manual, your maintenance will be predictable and your automobile will likely be reliable.

Yup, security hygiene and posture management fits neatly into the "an ounce of prevention is worth a pound of cure" category, so you'd think security professionals would apply military-like precision to how they configure and maintain IT assets. Alas, that assumption would be dead wrong. Unfortunately, new ESG research reveals:

Security hygiene and posture management remains immature. Seventy percent of organizations use more than ten security tools for security hygiene and posture management, which leads to operational overhead, data inconsistencies, finger pointing, and human error. Even more telling, 73% of organizations admit that spreadsheets remain a key part of their security hygiene and posture management. When you're trying to manage a highly dynamic area with spreadsheets, you're in trouble from the start.
The external attack surface is vulnerable and prone to exploitation. Attack surfaces are growing quickly because of three common factors: more IT connections to third parties, increasing device diversity, and greater use of public cloud infrastructure. The combination of a growing attack surface and poor management can be toxic: nearly seven in ten (69%) organizations admit they have experienced at least one cyberattack that started with the exploitation of an unknown, unmanaged, or poorly managed internet-facing asset. When it comes to attack surface management, cyber-adversaries are playing chess while defenders play a sloppy game of checkers.

Asset management depends upon tools, processes, and cross-departmental cooperation. When describing any type of security monitoring, vendors often paraphrase the famous quote "you can't manage what you can't measure," attributed to management guru Peter Drucker. Regrettably, security asset measurement AND management remain haphazard at best. Organizations tend to use 10 or more asset inventory systems, devote nearly 90 person-hours to generating a single IT asset inventory, and conduct IT asset inventory audits every two months. Of course, this leads to numerous issues: 40% of security professionals say that conflicting data makes it difficult to get an accurate picture of assets, and 39% report that it is difficult to keep up with thousands of changing assets. Ol' Peter Drucker would be shaking his head at this performance.

Vulnerability management programs are fraught with challenges. Not surprisingly, it's the same story with vulnerability management.
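To make the asset-management and attack-surface problems above concrete, here is an added example (it is not code from the original post, nor from ESG or any vendor product). It merges three constructed inventory extracts into one record per IP, reports the attributes on which sources disagree, flags internet-facing hosts seen by an external scan that no inventory source claims, and ranks the externally visible hosts with an illustrative risk score. The source names (cmdb, edr, cloud), the sample records, the scan results, the port weights and the scoring formula are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed inventory extracts (not real data): each source reports a subset
# of the estate, with overlapping and sometimes conflicting attributes.
SOURCES = {
    "cmdb": [
        {"ip": "203.0.113.10", "host": "web-01", "owner": "platform", "os": "ubuntu-22.04"},
        {"ip": "10.0.5.20", "host": "db-01", "owner": "data", "os": "rhel-9"},
    ],
    "edr": [
        {"ip": "203.0.113.10", "host": "web-01", "os": "ubuntu-20.04"},  # disagrees with CMDB
        {"ip": "10.0.5.20", "host": "db-01", "os": "rhel-9"},
        {"ip": "10.0.9.7", "host": "jump-02", "os": "windows-2022"},     # never recorded in CMDB
    ],
    "cloud": [
        {"ip": "198.51.100.5", "host": "api-03", "owner": "mobile", "os": "al2023"},
    ],
}

# Constructed external scan result: what is reachable from the internet.
EXTERNAL_SCAN = [
    {"ip": "203.0.113.10", "ports": [443]},
    {"ip": "198.51.100.5", "ports": [443, 22]},
    {"ip": "203.0.113.77", "ports": [3389]},  # no inventory source knows this host
]

# Illustrative exposure weights (assumption): remote-admin ports count more
# than a plain HTTPS listener; any other port counts 1.
PORT_WEIGHT = {22: 4, 3389: 6, 445: 6}
UNKNOWN_ASSET_PENALTY = 10   # nobody owns it, so nobody patches it
CONFLICT_PENALTY = 2         # sources disagree on what it actually runs
AUTHORITATIVE_SOURCE = "cmdb"


def merge_inventories(sources):
    """Collapse per-source asset lists into one record per IP.

    Returns (assets, conflicts):
      assets    -> {ip: {"sources": {...}, attr: value, ...}}
      conflicts -> [(ip, attr, {source: value}), ...] where sources disagree
    """
    by_ip = defaultdict(lambda: {"sources": set(), "values": defaultdict(dict)})
    for name, records in sources.items():
        for rec in records:
            entry = by_ip[rec["ip"]]
            entry["sources"].add(name)
            for attr, value in rec.items():
                if attr != "ip":
                    entry["values"][attr][name] = value

    assets, conflicts = {}, []
    for ip, entry in by_ip.items():
        merged = {"sources": entry["sources"]}
        for attr, per_source in entry["values"].items():
            if len(set(per_source.values())) > 1:
                conflicts.append((ip, attr, dict(per_source)))
            # Prefer the authoritative source when it has an opinion; otherwise take any.
            merged[attr] = per_source.get(AUTHORITATIVE_SOURCE, next(iter(per_source.values())))
        assets[ip] = merged
    return assets, conflicts


def unknown_external_assets(scan, assets):
    """IPs visible from the internet that no inventory source claims."""
    return [finding["ip"] for finding in scan if finding["ip"] not in assets]


def prioritize(scan, assets, conflicts):
    """Rank externally visible hosts, highest risk first, as (score, ip) pairs."""
    conflicted = {ip for ip, _, _ in conflicts}
    ranked = []
    for finding in scan:
        score = sum(PORT_WEIGHT.get(port, 1) for port in finding["ports"])
        if finding["ip"] not in assets:
            score += UNKNOWN_ASSET_PENALTY
        elif finding["ip"] in conflicted:
            score += CONFLICT_PENALTY
        ranked.append((score, finding["ip"]))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    assets, conflicts = merge_inventories(SOURCES)
    for ip, attr, values in conflicts:
        print(f"conflict on {ip}.{attr}: {values}")
    print("unknown internet-facing:", unknown_external_assets(EXTERNAL_SCAN, assets))
    for score, ip in prioritize(EXTERNAL_SCAN, assets, conflicts):
        owners = sorted(assets.get(ip, {}).get("sources", []))
        print(f"{score:3d}  {ip}  sources={owners}")
```

With the constructed data, the unclaimed host exposing RDP (203.0.113.77) lands at the top of the list, which is exactly the "unknown, unmanaged internet-facing asset" the survey respondents say attackers start from; the conflict between the CMDB and EDR operating-system records for web-01 is the kind of inconsistency that spreadsheets and ten inventory tools silently swallow.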
When asked to identify vulnerability management challenges, 30% said keeping up with the volume of open vulnerabilities (tens of thousands of open vulnerabilities aren't unusual at a large organization), 29% said automating the process of vulnerability discovery, prioritization, and mitigation, and 29% said coordinating vulnerability management processes across different tools. Despite years of trying, many organizations simply haven't figured out how to cope with the scale of vulnerability management, so they continue to hack their way through.

It's easy to spot a common problem here. Different domains of security hygiene and posture management, such as attack surface management, asset management, and vulnerability management, have been managed somewhat independently in the past, probably because of factors like skills specialization and technology usage. A convenient kludge in 2008, but totally inadequate today.

While the research paints a bleak security hygiene and posture management picture, there is some cause for optimism. In 2022, innovative security vendors will deliver security hygiene and posture management platforms that aggregate tools, analyze data, apply risk scores, and even suggest high-priority risk mitigation actions. ESG calls this new category security observability, prioritization, and validation (SOPV) technology. I'll be digging into more research details about security hygiene and posture management problems, some suggested solutions from survey respondents, and SOPV in future blogs. Stay tuned!