5 Criteria for Validating Cybersecurity at any Maturity Level



Since both cyberattacks and an organization’s cybersecurity maturity level keep evolving, how can companies avoid constant, expensive renovations to their security assessment solutions?

My previous two posts covered the 5 keys to measuring the ROI of your security architecture, and the 9 features and capabilities you should insist upon in a security assessment solution.

Now I’d like to address a conundrum I’m often asked about:

Since cyberattacks keep evolving, and the organization’s cybersecurity maturity level also keeps evolving, how can companies avoid constant, disruptive and expensive renovations to their security assessment solutions and processes?

The last thing your company wants to do, as it progresses up the maturity scale, is rip and replace its investments for assessing security vulnerabilities. The impact on ROI can be devastating—not to mention the impact on staff who might need to be retrained or forced to take on an even heavier workload.

Cybersecurity Validation Criteria

So, what are the underpinnings of an adaptive assessment solution? There are 5 criteria:

  1. Framework flexibility. Companies of all maturity levels are taking advantage of open security frameworks such as MITRE ATT&CK and NetSecOPEN to set up a baseline measurement of security risks and test against the latest evasion techniques. However, as companies mature, these frameworks can become limited and restrictive in their ability to aggregate, correlate, and report on events and other data. Look for an assessment solution that can both support and integrate a variety of frameworks, so that data can be gathered and consumed flexibly as your maturity level grows.

  2. Choice of assessment methods. There are many tools and techniques for assessing security vulnerabilities—from scanning to pentesting to risk assessments and remediation. You should be able to use any combination of them at any time, regardless of your maturity level, according to your business priorities. For example, you should be able to move from reactive pentesting to continuous, proactive assessments seamlessly, without scrapping previous investments.

  3. Breadth of assessment capabilities. The assessment tools and solutions you choose should provide the broadest possible range of functionality, ideally incorporating all of the 9 features described in my previous post—from endpoint assessment to constantly updated threat intelligence to event correlation across the architecture, and more.

  4. Advanced automation. Look for assessment solutions that can help you automate a wide range of previously manual tasks such as scheduling, polling, and reporting, so that skilled staff can spend more time on higher-value tasks. Regardless of your cybersecurity maturity level, higher productivity and job satisfaction greatly improve the ROI of your security investments.

  5. Limited number of suppliers. To maximize efficacy and minimize cost and risk, you’ll want to constrain the number and variety of sources for security assessment tools and solutions to the lowest number possible—ideally a single source.

Adhering to these 5 criteria will help you minimize the disruption and growing pains as your maturity level increases, while maximizing the effectiveness of your security assessment capabilities. For details about Spirent’s uniquely flexible offerings, please read the executive brief about Spirent’s cybersecurity solutions.



Ray Vinson

Senior Product Manager

Ray Vinson joined Spirent this year, having previously worked for McAfee as a Group Product Manager. Prior to McAfee, Ray was a Product Manager at Interop Technologies, working on the Policy Control and CorePlusXSM solutions. Ray joined Interop in 2014, having previously worked as a senior technical marketing manager focused on the service provider market for F5 Networks. Vinson has more than 15 years of experience in developing products for the security and wireless service provider market. Ray currently holds the Certified Information Systems Security Professional (CISSP) certification and the Certified Ethical Hacker (CEH) certification. Ray’s career has included software development, consulting, network operations, product management, product marketing and technical marketing. He also served in the U.S. Army as a signals intelligence analyst.