In the first installment of this three-part series based on our recent white paper, The Skeptic’s Guide to Buying Security Tools, we outlined an evidence-based approach to helping your organization justify a new security tool purchase. This included identifying where security gaps exist, if those gaps could be filled by existing tools, and—if not—how to evaluate potential tools that could help. In today’s post, we’ll consider another side of the investment equation: how to future-proof your investment by determining what forward-looking business and security initiatives a new tool may be able to support or streamline. 

What future business-level activities can the tool support? 

Both risk and change are a given. They are also—to some degree—beyond your control. So, we can start with the known: your organization’s own plans for growth and market differentiation. Strategic considerations might include:

• Where do you stand in terms of securing current or planned digitalization and remote work?
• Are you migrating vital business workflows to the cloud? 
• Is senior leadership exploring potential merger and acquisition (M&A) activities?
• Are new mandates for data privacy taking effect in your industry?

At first glance, the last two bullets might feel too far “upstream” from security tool discussions, but that’s not necessarily so. One well-publicized data breach can put the kibosh on a merger or acquisition. The wrong decision can cost leaders their jobs or put critical infrastructure, public safety, and even life itself at risk, all of which will attract attention the board would rather avoid.

Even if security teams aren’t fully privy to all future business plans, you can gauge whether investments in new tools, services, or platforms may equip you to pivot and become more agile and proactive, something every company wants and will eventually need to do. 

In addition to industry and government requirements for protecting data privacy, many businesses and sectors are also under pressure to adopt or follow security frameworks and modern best practices. These include:

• The National Institute of Standards and Technology (NIST) Cybersecurity Framework
• The MITRE ATT&CK knowledge base of attacker tactics, techniques, and procedures (TTPs)
• The Continuous Threat Exposure and Management (CTEM) program outlined by Gartner
• The prevailing assumption that every organization must one day maintain a Zero Trust security posture 

Frameworks like these are important to help ensure all aspects of a security program are being considered. But they’re just a start and won’t provide the prescriptive guidance a business needs to understand which security controls and procedures will work best for their unique case. That’s why many new rules and guidelines specifically prescribe continuous monitoring for threat exposure and validation of your current security controls. For risk and security management leaders, the question isn’t just “What happens next?” but rather “How can we prove we’ll be ready for what happens next?”

This is where automated, continuous security validation offered by breach and attack simulation (BAS) tools like the SafeBreach platform come into play. SafeBreach enables users to execute targeted attack scenarios across a wide variety of tools and controls to optimize their specific set of configurations, pinpoint inefficiencies in their stack, and prove adherence to regulatory or compliance requirements.

That said, even with careful planning and execution, achieving compliance doesn’t automatically mean you’ll be able to stop threats. You must continue to test to ensure prospective tools streamline rather than complicate your ability to meet regulators’ requirements—and create audit trails to prove it.

Can the tool help identify risk within our third-party ecosystem?

 

In both cases, efforts to qualify or quantify third-party risk might involve a mix of security ratings, Google searches, checking the Dark Web for compromised credentials, and automated or hands-on testing. Along with BAS, other validation tools for obtaining an outside-in view of internal and external risk might include penetration (pen) testing, red/purple team exercises, external attack surface management (EASM), and vulnerability scanning. As the only continuous approach able to simulate attacks, BAS can inform these other efforts to produce highly actionable results.

---

Interested in a deep-dive on the pros and cons of each of these technologies? Check out our Six Methods to Test Your Organization’s Resilience to Cyberattacks white paper.

---

Will we be safer tomorrow than we are today?

Stay tuned for the next installment in this three-part blog series to see how skeptical buyers can answer the question of “Will we be safer tomorrow than we are today?” by proving the value of a tool once it’s purchased and implemented. To learn more about the skeptical buyer’s approach today, download the complete Skeptic’s Guide to Buying Security Tools white paper.

Interested in putting your skeptical buyer skills to the test to see if BAS might be the right tool for you? Check out our Four Pillars of BAS white paper or schedule a demo with a SafeBreach cybersecurity expert.