Can you define a clear security posture without quantifying risk exposure figures?
Security Posture. I’m hearing this term more and more, and it makes sense: in a world where clarity is key to moving forward, we need a clear definition of “where we stand with security”.
I won’t go into the definition; there’s a good one here by Balbix.
Instead, I want to address the Exposure element, or more precisely the lack of EXACT FIGURES in your exposure information. I think best practices for risk assessments are missing the “how much exposure do I have” numbers for many CISOs and cyber consultants.
When building your security posture, from my experience and based on my methodology (the Boardish Methodology), you should have the following information:
A list of the highest-risk threats. For each threat:
- What is the chance of losing market position?
- How many turnover days lost?
- How many workdays lost?
A list of your best solutions to tackle the above threats. For each solution:
- What is the efficiency of the solution in mitigating the risk, both on-prem and in the cloud? This is a percentage figure that I think both the CISO and IT MUST be able to quantify. If you can’t state the minimum level of efficiency of a cyber tool, what is the point of having it?
- Total (Real) solution cost. Including every aspect like design, purchase, deployment, maintenance.
But the most important number, in my opinion, is the Exposure left AFTER I calculate the impact of the solutions.
With Exposure numbers, I can have clarity when discussing my Security Posture with the board and even internally with Ops, IT, Sales and other departments.
With Exposure figures, the board can decide whether they can “live with the level of exposure” or whether you, as the CISO, are required to reduce it further (which, in most cases, will mean investing more in solutions).
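As an added illustration (not part of the original post or of the Boardish Methodology itself), here is a small Python model of the figures listed above: per-threat impact, per-solution efficiency and total cost, and the exposure left after the solutions. The post gives no formula for combining solutions, so this assumes each solution independently removes its efficiency share of the exposure; all threat and solution figures are constructed.

```python
from dataclasses import dataclass
from math import prod

@dataclass
class Threat:
    name: str
    market_position_loss_chance: float  # probability, 0.0 to 1.0
    turnover_days_lost: float
    workdays_lost: float

@dataclass
class Solution:
    name: str
    efficiency_onprem: float  # share of the risk mitigated on-prem, 0.0 to 1.0
    efficiency_cloud: float   # same, for cloud-hosted assets
    total_cost: float         # design + purchase + deployment + maintenance

def residual_factor(solutions, environment):
    """Fraction of exposure left once every solution is applied.
    Assumed model: each solution independently removes its efficiency share,
    so what remains is the product of (1 - efficiency) over all solutions."""
    factor = 1.0
    for s in solutions:
        eff = s.efficiency_onprem if environment == "on-prem" else s.efficiency_cloud
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"{s.name}: efficiency must be between 0 and 1")
        factor *= 1.0 - eff
    return factor

def exposure_report(threats, solutions, environment="on-prem"):
    """Exposure before and after the solutions, plus what the solutions cost."""
    factor = residual_factor(solutions, environment)
    before = {
        "workdays_lost": sum(t.workdays_lost for t in threats),
        "turnover_days_lost": sum(t.turnover_days_lost for t in threats),
        # chance that at least one of the threats costs market position
        "market_position_loss_chance":
            1.0 - prod(1.0 - t.market_position_loss_chance for t in threats),
    }
    after = {k: v * factor for k, v in before.items()}
    return {"before": before, "after": after, "residual_factor": factor,
            "total_cost": sum(s.total_cost for s in solutions)}

# Constructed sample figures, not taken from any real assessment
THREATS = [Threat("ransomware", 0.20, 10, 20), Threat("phishing", 0.05, 2, 5)]
SOLUTIONS = [Solution("EDR", 0.6, 0.5, 120_000), Solution("offline backups", 0.5, 0.5, 40_000)]

if __name__ == "__main__":
    r = exposure_report(THREATS, SOLUTIONS, "on-prem")
    for k in r["before"]:
        print(f"{k}: {r['before'][k]:.2f} -> {r['after'][k]:.2f}")
    print(f"residual factor {r['residual_factor']:.2f}, total cost {r['total_cost']:,.0f}")
```

The "after" row is the figure the board is asked to accept or to fund down further; rerun with `environment="cloud"` to see how the same solutions perform on cloud assets.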
So, to answer my headline question of ‘can you define a clear security posture without quantifying risk exposure figures?’ the simple answer is… no, you can’t. :). You need clarity, you need figures, and you need quantification to fully understand and maintain your security posture.