
Cybersecurity Asset Management


Life as a CISO: How do CISOs make sense of all the cybersecurity tools?

By Lenny Zeltser

Let’s talk about why Chief Information Security Officers often struggle to justify cybersecurity purchases and which practical frameworks can help with such efforts.

Like other enterprise executives, CISOs must defend their budget requests. Year after year the company hears that the CISO demands money for more projects, more products, more staff. We used to justify these requests by talking about defense in depth—the notion that a single layer will eventually fail, so we must deploy multiple layers.

Defense in depth is still a valuable concept, but it alone is insufficient for justifying expenses because it doesn’t help answer the question, “How much defense is enough?” Also, it doesn’t really help clarify which security layers you need.

That’s where modern security frameworks come in. A couple of examples:

  • CIS Critical Controls provides consensus-based guidelines that specify minimum reasonable security measures. If any of the practices are missing from the company’s security program, a CISO can point to this list to justify the request for people, process, and technology. Note that the first control in this framework is asset management of devices, and the second is asset management of software.
  • NIST Cybersecurity Framework (CSF) provides a comprehensive listing of the security measures an enterprise should consider implementing. It’s more detailed than Critical Controls. CSF groups measures into five categories: Identify, Protect, Detect, Respond, and Recover. It also provides pointers to other frameworks, including Critical Controls, NIST SP 800-53, and the mighty ISO 27001. CSF is gaining strong traction among government and commercial organizations in the US and world-wide.

How can CISOs confirm that they have the necessary tools–not too few and not too many? Critical Controls offer a nice start, but aren’t very detailed. CSF is extensive, but can be overwhelming.

The Cybersecurity Defense Matrix, created by Sounil Yu, offers a handy way to begin organizing security tools and identify portfolio gaps. This matrix can help CISOs structure their capabilities related to devices, applications, networks, data, and users. It uses CSF categories for the columns and makes it convenient to identify areas that might have too many or too few security measures.
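The matrix lends itself to a simple portfolio check. The following Python is an added example, not part of the original article or any vendor's code: it places a tool inventory on the grid and reports empty and crowded cells. The tool names, the sample inventory, and the cut-off of three tools per cell for "too many" are constructed assumptions.

```python
# Rows and columns as the article names them (asset classes x CSF categories).
ASSETS = ["Devices", "Applications", "Networks", "Data", "Users"]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]

# Constructed inventory with hypothetical tool names:
# (tool, asset classes it covers, CSF categories it covers).
INVENTORY = [
    ("asset-inventory", ["Devices", "Applications", "Networks", "Users"], ["Identify"]),
    ("endpoint-agent-a", ["Devices"], ["Protect", "Detect"]),
    ("endpoint-agent-b", ["Devices"], ["Protect", "Detect", "Respond"]),
    ("endpoint-agent-c", ["Devices"], ["Detect"]),
    ("web-app-firewall", ["Applications"], ["Protect"]),
    ("network-ids", ["Networks"], ["Detect"]),
    ("backup-service", ["Data"], ["Recover"]),
    ("sso-mfa", ["Users"], ["Protect"]),
]

def build_matrix(inventory):
    """Place each tool in every (asset class, CSF category) cell it covers."""
    matrix = {(a, f): [] for a in ASSETS for f in FUNCTIONS}
    for tool, assets, functions in inventory:
        for cell in ((a, f) for a in assets for f in functions):
            if cell not in matrix:  # catch typos such as "Device" or "Prevent"
                raise ValueError(f"{tool}: unknown cell {cell}")
            matrix[cell].append(tool)
    return matrix

def gaps(matrix):
    """Cells with no tool at all: candidates for 'too few' measures."""
    return [cell for cell, tools in matrix.items() if not tools]

def overlaps(matrix, threshold=3):
    """Cells with `threshold` or more tools (assumed cut-off for 'too many')."""
    return {c: t for c, t in matrix.items() if len(t) >= threshold}

def squares_per_tool(matrix):
    """How many cells each tool covers, largest first."""
    counts = {}
    for tools in matrix.values():
        for tool in tools:
            counts[tool] = counts.get(tool, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    m = build_matrix(INVENTORY)
    print(f"{'':14}" + "".join(f"{f:>10}" for f in FUNCTIONS))
    for a in ASSETS:
        print(f"{a:14}" + "".join(f"{len(m[(a, f)]):>10}" for f in FUNCTIONS))
    print("gaps:", len(gaps(m)), "overlaps:", overlaps(m))
    print("squares per tool:", squares_per_tool(m))
```

The cell assignments are whatever the inventory claims, so the result is only as good as the mapping; an empty cell is a prompt to ask whether a control is needed there, not proof that one is missing.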

If you know about what Axonius does, where would you place our product in this matrix? Our cybersecurity asset management solution fits squarely in the Identify column, drawing upon multiple data sources to identify devices, applications, networks, and users. And we help customers derive more value from their technologies that exist in the other columns by integrating with them to remediate asset gaps we’ve identified.

The more squares of the Cyber Defense Matrix a technology covers, the more value it offers, which allows it to demand a greater portion of the CISO’s budget. Like other CISOs, I’m looking at this table alongside other frameworks to prioritize efforts related to our own security program.


Cybersecurity Asset Management is a partnership between Axonius and SC Media. Its mission is to highlight best practices, thought leadership and important trends related to IT asset management’s evolving role in cybersecurity.

SC Media is cybersecurity. For 30 years SC Media armed information security professionals with in-depth and unbiased information through timely news, comprehensive analysis, cutting-edge features, contributions from thought leaders, custom research, and independent product reviews in partnership with and for top-level information security executives and their technical teams.

Axonius is the cybersecurity asset management platform that gives organizations a comprehensive asset inventory, uncovers security solution coverage gaps, and automatically validates and enforces security policies. By seamlessly integrating with over 200 security and management solutions, Axonius is deployed in minutes, improving cyber hygiene immediately.


© 2020 Axonius & SC Media