Security teams and leaders have a lot to manage. I would welcome any challenge to that notion, but I simply do not see a path to stating otherwise, especially in a reality where organizations run 60-70 security tools and carry a primary charter that spans more than a handful of technical disciplines. This complexity is compounded by the transition from enterprise digital transformation to pure proliferation; it feels like every other week organizations are onboarding a new technology that carries implied security risk. This is a problem that is challenging to manage on a human scale, which I’d argue is the reason we have an entire category of products designed to lower the risk-management bar for the security and enterprise stack: security posture management. So, why are we still struggling? Consider two things as a starting point:

  1. The length of this statement: We’ve seen the rise of impressive technologies throughout the posture management space (some more than others), such as Cloud Security Posture Management (CSPM), Application Security Posture Management (ASPM), Data Security Posture Management (DSPM), Network Security Posture Management (NSPM), and now AI Security Posture Management (AI-SPM).
  2. ChatGPT’s second-round definition of a “posture score” (referencing a ChatGPT response might be a genius proof of non-AI content): A posture score is a quantitative measure that evaluates an organization’s overall cybersecurity health and readiness. It reflects the strength and effectiveness of an organization’s security posture by assessing various security controls, policies, and practices in place.

Aside from “overall” doing a lot of work in that definition, there are two primary issues with this starting point.

First off, ChatGPT is omitting a key element: monitoring the value of existing investments. Am I making the best use of technology X? This is a very important question that security teams still struggle with, and one that unfortunately cannot be confidently answered without considering the art of the possible for each investment across the totality of the organization’s risk environment, not just the silo that technology belongs to. Health and readiness are paramount, but they cannot be a blank check; we need to be able to explain what we’ve done and what we’re going to do with often limited resources.

Which brings us to the second issue. If you walk that definition across the first statement, a list of security posture product categories, you end up with 5+ “overall” scores. I’d love to make the credit-score comparison here, but the fact is that each of those technology types is looking at fundamentally different things, with none of them being a true “overall” score. By no means am I implying that those products generate no value, but each is nonetheless a silo of work that requires prioritization within a larger bucket of security team and organizational concerns & mandates. We as an industry have leveled up from the vector-to-vector approach to managing security risk and technologies, but the approach is still far too distributed to enable security teams to prioritize with absolute conviction. What if we had a method for encompassing all technology disciplines into a single point of operationalized security reasoning?

Pellonium Risk Intelligence is that center of unified risk awareness, prioritization, and value optimization. Across the digital enterprise, whether it’s a security tool policy, a cloud configuration, or a SaaS application entitlement, Pellonium will make sense of its role in a broader scenario-based risk environment. Our SaaS platform moves security teams beyond vector & threat whack-a-mole, enabling them to model each knob & lever in their security and business stack for the purpose of prioritizing their efforts and understanding the risk-reduction value of their existing security investments.

To learn more, visit us at Pellonium