How to Define Your Security Posture, and Why it Matters

Not only do cybersecurity organizations need to deliver the level of security required to protect corporate assets, they also need to align with the strategic goals and objectives of the business. By defining, establishing and managing your organization's cybersecurity posture, you can deliver the results needed for the business to be successful.

Defining Your Security Posture  

A disciplined approach to defining your initial security posture will help you align with and support business outcomes. To align your cybersecurity program with the goals and objectives of the enterprise, you need to define your attack surface and the controls required to protect it. Start by focusing on a manageable set of assets with the highest business relevance, then expand that scope over time.

Select Controls that Define Your Security Posture

By assessing how aligned your security posture controls are with your security target, you can establish a scale that communicates how well it protects the attack surface.

Using a security framework to define your security posture will help you consider a  comprehensive set of security controls across control families. If your organization has a common controls framework (CCF) that supports your compliance programs, that’s a good place to start. If not, you can use an industry standard like the National Institute of Standards of Technology’s (NIST) framework to establish the scope. Because not all controls within a framework contribute equally to the security posture, the first step is to identify the controls within each control family that have the most meaningful security impact. Consider not only the individual controls, but also the attack surface they protect, then review all the controls that deliver the security intent of their control family.   

Targeting the most impactful controls excludes those that are low impact and that don't directly contribute to the security posture, including those focused on documentation and those focused solely on compliance requirements.    

This approach will help you define a manageable and meaningful initial security posture that can mature and grow over time. It’s far more effective than including a comprehensive set of controls, which adds a level of complexity that makes it difficult to manage your security posture and accurately represent the level of security it delivers.

Establish a Scale 

Once you’ve identified the set of controls that define the security posture, you need a metric that accurately represents it. Since business partners are the primary audience of the security posture assessment, this metric needs to communicate the effectiveness of the controls overall, and across each control family, in a way that’s easy to understand — and meaningful to business partners. 

Measure the Effectiveness of Your Controls

To measure the effectiveness of your controls, identify the key performance indicator (KPI) for each control and, based on the targeted impact of that control, the service level objective (SLO). To do this, establish a scale by which to score all controls based on their effectiveness. 

A simple but effective approach to representing the effectiveness of individual controls is to apply a numeric scale of 1-5, with five being the most effective. Using this scale, determine the maximum possible score for the controls in the security posture, and the maximum possible score for each control family. Then, score efficacy as a percentage of that maximum score in order to show a clear performance assessment:

• > 90% - strong security posture
• 80 - 89% - solid security posture
• 70 - 79% - stable security posture requiring attention
• <70% - security posture requires attention  
   

This method of scaling allows you to clearly represent the overall effectiveness of your security posture (and each of the control families within it) in a way that also supports establishing security posture targets that align with business initiatives. 

The three main steps to defining your security posture are:

• Select the controls and control families that define your security posture.
• Establish a scale that shows how effectively your controls protect the attack surface.
• Measure the effectiveness of your controls, and your security posture overall.
   

In the next blog, we’ll take a deeper look into key themes and findings in organizational-level risk.

----------------------------------------------------
Thanks!
Brian Spanswick