As a CISO, your job is to set up a balanced security program that defends your company against a variety of cyber attacks. It’s not an easy task: typically, it takes years before a security program reaches maturity. Maintaining your company’s security program is even more difficult. How do you ensure you continuously stay on top of the latest cybersecurity threats? The answer lies in continuous security controls validation.
These days, it is difficult for companies to keep up with the rapidly changing world of cyber security. According to the latest data breach report by IBM and the Ponemon Institute, the cost of a data breach in 2021 is $4.24 million, a 10% rise from the average cost in 2019 which was $3.86 million. Additionally, the global average cost of cyber crime is expected to peak at $6 trillion annually by the end of 2021, driven by the proliferation of ransomware attacks.
As a CISO, you may find yourself in a conversation with your board of directors, discussing the above figures. The board questions the returns on the company’s $15 million cyber security investment, how to measure success, and whether the company is actually being protected…
For many years, it’s been very hard for CISOs to supply metrics to board members. Many CISOs have been able to tell their boards how many attacks they defended against annually. Yet, it’s often hard to give additional context and explain their security program’s effectiveness in more detail and in C-Suite level language: exactly how effective their security measures were, and what they did to get them to that stage of effectiveness.
Enter Continuous Security Controls Validation
In recent years, companies have taken a more aggressive approach to testing security controls continuously through Breach and Attack Simulation (BAS). These BAS platforms offer continuous automated simulation of a variety of cyber attacks. With continuous security controls validation, companies can simulate different types of cyber attacks, including insider threats and lateral movement by attackers. This new way of continual testing has given companies the feedback they need to be successful, benchmarked against the MITRE ATT&CK framework.
Security validation seeks to answer the following questions:
- Are our security controls protecting us from cyber threats?
- Is our SOC/Incident Response team detecting attacks?
- Are we responding to incidents in an effective and timely manner?
At the core of continuous security controls validation is a platform that closely mimics real threats, performing actions to see whether security controls catch them. Solutions like Validato also provide a way to test security environments without impacting your end-users. With automated tools, CISOs can now be armed with the information they need to defend their organisation.
Continuous security controls validation platforms perform continuous probes of a company’s IT environment for weaknesses, while also providing up-to-date information. As a result of continuous probing, CISOs can be informed about weaknesses in their company’s IT environment and use this information to address the rest of the C-Suite and board of directors about cybersecurity resources, expenditures, and requirements.
Closing the Loop
It’s worth noting here that continuous security controls validation isn’t intended to replace other cybersecurity measures. However, it can form a crucial part of a holistic cyber security operations model. The goal is to mimic potential breaches or attacks, which helps companies stay up-to-date on their cyber defence strategies. Also, when used in conjunction with real-time threat detection and response (containment and isolation), these simulations can help move companies towards a stronger security posture.
You may be tempted to try to replace penetration tests or red team attacks with a continuous security controls validation platform that runs automated checks of company cyber security. Though there is some overlap between the two approaches, you should use both for maximum security. For example, penetration tests can happen randomly every few months, whereas continuous security validation platforms can operate continuously.
Penetration testing or red team attacks can bring a human element into attack simulations and help companies identify areas that need more security. For example, a company might use penetration testing to identify vulnerabilities and use its continuous security controls validation platform to focus a red team attack on areas that the company believes may need additional scrutiny. In return, the red team might be able to point out new methods that the company can use to expand its continuous security controls validation platform and explore new ways to protect the company.
The Bottom Line
Data breaches are dangerous, especially to small and medium-sized businesses. In fact, 60% of small companies that suffer data breaches end up going out of business within six months. That’s why it’s important for businesses to take a proactive approach to cyber security. It means making sure you’ve updated your software, conducted penetration tests, and are aware of how to avoid potential threats.