Security Posture. I’m hearing this term more and more, and it makes sense: in a world where clarity is key to moving forward, we need a clear definition of “where we stand with security”.
I won’t go into the definition, there’s a good one here by Balbix.
Instead, I want to address the Exposure element, or more precisely the lack of EXACT FIGURES in your exposure information. I think best practices for Risk Assessments are missing the “how much exposure do I have” numbers for many CISOs and cyber consultants.
When building your security posture, from my experience and based on my methodology (the Boardish Methodology) you should have the following information:
A list of the highest-risk threats; for each risk:
A list of your best solutions to tackle the above threats; for each solution:
But, the most important number, in my opinion, is the Exposure left AFTER I calculate the impact of the solutions.
With Exposure numbers, I can have clarity when discussing my Security Posture with both the board and, internally, with Ops, IT, Sales and other departments.
With Exposure figures, the board can decide if they can “live with the level of exposure” or if you, as the CISO, are required to reduce it further (which, in most cases, will mean investing more into solutions).
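To make the “exposure left AFTER the solutions” figure concrete, here is an added worked example (my own illustration, not the Boardish Methodology’s formula or tooling). It assumes exposure is expected annual loss (likelihood × impact), that each solution removes a stated fraction of a threat’s exposure, and that several solutions against the same threat compound multiplicatively; the threat and solution figures are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    annual_likelihood: float  # chance the threat materialises this year (0..1)
    impact: float             # loss if it does, in currency units
    @property
    def exposure(self) -> float:
        # Expected annual loss: the "how much exposure do I have" figure
        return self.annual_likelihood * self.impact

@dataclass
class Solution:
    name: str
    cost: float
    # fraction of each named threat's exposure this solution removes (0..1)
    reduction: dict[str, float] = field(default_factory=dict)

def residual_exposure(threats, solutions):
    """Exposure left per threat once every solution is applied.
    Assumed model (not a published formula): reductions from several solutions
    against one threat multiply, so two 50% controls leave 25%, never < 0."""
    result = {}
    for t in threats:
        remaining = t.exposure
        for s in solutions:
            remaining *= 1.0 - s.reduction.get(t.name, 0.0)
        result[t.name] = remaining
    return result

def posture_summary(threats, solutions, board_tolerance):
    # The figures a board can decide on: before, after, spend, and a verdict
    residual = residual_exposure(threats, solutions)
    after = sum(residual.values())
    return {
        "exposure_before": sum(t.exposure for t in threats),
        "exposure_after": after,
        "solution_cost": sum(s.cost for s in solutions),
        "within_tolerance": after <= board_tolerance,
    }

# Constructed sample figures for illustration, not real assessment data
THREATS = [Threat("ransomware", 0.30, 2_000_000),        # exposure 600,000
           Threat("phishing-led fraud", 0.50, 200_000)]   # exposure 100,000
SOLUTIONS = [Solution("offline backups", 40_000, {"ransomware": 0.60}),
             Solution("phishing-resistant MFA", 25_000,
                      {"ransomware": 0.25, "phishing-led fraud": 0.70})]
if __name__ == "__main__":
    print(posture_summary(THREATS, SOLUTIONS, board_tolerance=250_000))
```

With these constructed numbers the 700,000 of exposure drops to 210,000 for a 65,000 spend; change the board’s tolerance to 200,000 and the same posture is flagged as needing further reduction.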
So, to answer my headline question, ‘can you define a clear security posture without quantifying risk exposure figures?’, the simple answer is… no, you can’t. :) You need clarity, you need figures, and you need quantification to fully understand and maintain your security posture.
Explain why/how your solutions work, to a non-techy audience.