It starts with the commitment to a cybersecurity culture discussed above, but CISOs I spoke with also worked with CIOs, line of business managers, and human resources folks to create the right workflows, automations, reports, messaging, and even employee compensation benefits to motivate cooperation across disparate groups and individuals. Security becomes far more effective when CISOs regularly team up with CIOs to uncover bottlenecks and review progress.
10. Reinforce VM with continuous efficacy testing.
Years ago, I created an awkward acronym, SOPV, which stood for security observability, prioritization, and validation. The acronym never caught on, but the CISOs I spoke with have accepted (or are accepting) the notion of continuous security validation testing.
Of course, verification is already one of the phases of the vulnerability management lifecycle, so what has changed? Many firms have moved from periodic penetration testing to continuous security testing with new tools or managed services. MITRE calls this a threat-informed defense. In this way, organizations not only verify that vulnerabilities were remediated, but they also test the efficacy of their security controls and produce a blueprint for detection rules engineering.