If you spend a lot of time speaking to IT security executives, as I do, the primary challenge that they’re all dealing with today quickly becomes very clear.
Driven by the continued proliferation of security threats, compliance mandates, and specifically the amount of security systems and event data that they’re now trying to manage, they lack a strategic method for accurately determining their real risk to attacks, or assessing their organization’s potential to fail required security audits.
It’s a discussion with so many different layers that it’s sometimes hard not to get stuck on an individual element of the entire process, and IT executives feel more pressure than ever to be able to create benchmarks to prove to business leadership and external assessors that their efforts to address these security challenges are paying off.
Over the last year, we here at Core have begun to share our vision for the direction that we’re moving in as a company via an entirely new line of products that we’re currently building aimed directly at arming CISOs and other IT leaders with the ability to tackle this problem they share.
What security executives need is a better way to continuously test their security standing across a broad swath of IT assets in relation to real-world risks – to understand precisely where their biggest exposures exist at any given time. They simply cannot test and measure those risks in any practical fashion today, and they will readily admit it as well.
The continued explosion of security information and point solutions has made the entire process of security management a convoluted practice that forces organizations to try to parcel together disparate repositories of complex data; a process that still leaves them wondering where the loopholes may be that will allow an attacker to steal their most valuable information, or will lead them to fail a compliance audit. That is a real problem, but that’s also just where we believe that Core’s products can truly help.
Adding New Voices
Today, we announced the formation of our new Advisory Board, highlighting the fact that three of the most influential people in IT security today – Roland Cloutier, CSO of payroll giant ADP, former White House cyber-security advisor Melissa Hathaway, and John Stewart, CSO of networking and security behemoth Cisco – have signed on to help guide the future of our company and its products.
Like those of us who have been here at Core through the years, these three leaders firmly believe that there is a tremendous opportunity to leverage the powerful results provided by penetration testing in a totally new and extremely valuable manner. And when you can get people like Roland, Melissa and John not only to share that vision and give you their time, but also to help you translate your ideas into something tangible – a product that we’ll introduce before the end of this year – that’s something that’s really quite special.
These experts are joining Core and feeding our efforts because they truly believe that we’ve got the opportunity to dramatically change the manner that organizations assess and prioritize their IT security risks. Just read what they have to say.
In the quote he provided for our public launch of the Advisory Board, John says: “The security industry needs creative thinking, proof that efforts we undertake are making a difference, and a willingness to challenge ourselves before our adversaries do.”
That perfectly crystallizes the reason why we’re expanding our product line. Because, quite simply, IT security has become such a complex, expensive and time-consuming point of organizational risk that we can’t afford not to test ourselves just as attackers do every day – to understand that the investments that we’ve already made in defending ourselves are truly paying off.
We can’t simply put up fences or collect log data after the fact and try to respond slowly over time anymore. Organizations need the ability to feed the raging rivers of security data generated by all of our IT systems through a smarter filter, something that provides us with a real-world form of risk measurement, not just a theoretical model.
Leaders of business need CISOs to stop telling them they think they’ve got all the risks covered and to provide specific benchmarks that track changes in security posture over time and prove that all the time and money being dedicated to improving IT security is worth it. Business leaders need to stop losing sleep at night wondering if they’re one misguided URL-click away from having the crown jewels of their organizations stolen right out from underneath their feet.
In the coming months I’m planning to meet with our Advisory Board many times, including next week at the RSA Security Conference in San Francisco, to get more of their ideas and feedback to further refine what this next generation of security testing and measurement solutions will encompass.
We already know that we all share the same vision, and considering the company, that’s a very encouraging feeling.
-Mark Hatton, CEO