Security hygiene and posture management: A work in progress – TechTarget

Posted: July 27, 2023 at 8:32 pm

It may be high priority, but organizations still approach security hygiene and posture management haphazardly in silos, which opens doors for cyber adversaries.

Security hygiene and posture management is the bedrock of cybersecurity. But before thinking about acceptable use policies, security awareness training or an assortment of security technologies, organizations must have a full understanding of the assets they possess, who owns them, what those assets are used for and whether they are configured securely.

Each standards body and security best practice, such as the NIST-800 series, CIS Critical Security Controls and ISO 27001, and every security regulation -- including HIPAA, PCI DSS and FISMA -- starts with a mandate for strong and continuous security hygiene and posture management.

To put the topic in context, think of security hygiene and posture management as the practice of locking and maintaining the integrity of all your doors and windows to protect your house and family from intruders. But what if you live in a European castle with dozens of family members and hundreds or thousands of doors and windows? Different staff members throughout the castle are responsible for maintaining and locking a designated subset of the total, and your safety depends on all these people getting it right, which is extremely difficult to monitor or verify.

The example above summarizes the state of security hygiene and posture management today -- distributed, siloed and difficult to keep up with. Recent research from TechTarget's Enterprise Strategy Group illustrated the following issues:

CISOs see these problems and realize that things are getting out of hand. The research also pointed to the following steps organizations are taking to address security hygiene and posture management at scale:

Regardless of the category, these tools are designed to provide visibility into blind spots, aggregate and analyze siloed data, and deliver some type of risk-based guidance on which issues to prioritize. Historically, security hygiene and posture management technologies received little venture capital funding, but given the growing attack surface and sophisticated threats, the Silicon Valley Sand Hill Road crowd is jumping on board.

Soon after I joined Enterprise Strategy Group in 2003, I gave a presentation on vulnerability management at a security conference. I talked about best practices, division of labor and tools. When it was time for the Q&A, a few audience members posed the following questions: "How do we know we've discovered all the assets?" and "How do we prioritize which vulnerabilities to patch?"

Twenty years later, our research indicates we haven't adequately answered those questions, while the scale of the problems has increased exponentially. Our windows and doors are fragile and often open when we think they're strong and locked. Without a security hygiene and posture management baseline, cybersecurity protection becomes little more than a roll of the dice.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
