
New Episode of The Cyber Show: Measuring Security with Secor
This episode of The Cyber Show explores the challenges and innovations in measuring security, particularly through the lens of Secor, a company aiming to automate security planning, risk management, and compliance using advanced data processing techniques. The discussion centers on whether security can be quantified, how automation and AI can assist in this process, and the practical implications for organizations, especially small and medium-sized enterprises (SMEs). The conversation also touches on the ethical use of AI in cybersecurity, the role of standards in security assurance, and the importance of balancing automation with human oversight.

One of the core topics is the concept of measuring security and whether it can be quantified in a meaningful way. The guests from Secor argue that security can indeed be measured by evaluating two key aspects: controls (which increase confidence in a system’s security) and vulnerabilities (which decrease it). Controls refer to security measures like firewalls, encryption, or access policies that help prevent or detect threats. Vulnerabilities, on the other hand, are weaknesses in a system that could be exploited by attackers. Secor’s approach involves assigning weights to controls and risks to vulnerabilities, creating a matrix that calculates a security assurance score between 0 and 10. This score helps organizations compare different systems or products objectively, rather than relying on subjective assessments or vendor relationships. The idea is rooted in the principle that simpler systems are often more secure, as complexity increases the likelihood of vulnerabilities. The episode draws parallels to software engineering metrics, where similar concepts have been used to assess code quality, though with mixed success.
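The scoring idea described above, together with the cost-ranked mitigation plans the episode goes on to discuss, as an added illustrative model: this is constructed for this summary, not Secor's actual algorithm, and the formula, the weight and risk scales, the cost units and the sample controls and vulnerabilities are all assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Control:
    name: str
    weight: float      # confidence this control adds when present (assumed 0..1 scale)
    present: bool
    cost: float = 0.0  # estimated cost to implement if absent (constructed units)

@dataclass(frozen=True)
class Vulnerability:
    name: str
    risk: float        # confidence this open weakness removes (assumed 0..1 scale)
    cost: float        # estimated cost to remediate (constructed units)

def assurance_score(controls, vulns):
    """Assumed formula: fraction of control weight in place, minus the summed risk
    of open vulnerabilities, clamped to [0, 1] and scaled to a 0..10 score."""
    total = sum(c.weight for c in controls) or 1.0
    confidence = sum(c.weight for c in controls if c.present) / total
    exposure = sum(v.risk for v in vulns)
    return round(10 * min(1.0, max(0.0, confidence - exposure)), 2)

def mitigation_plan(controls, vulns):
    """Rank every remediation option (add an absent control, or fix one vulnerability)
    by score gain per unit cost, highest first. Returns (option, gain, cost) tuples."""
    base = assurance_score(controls, vulns)
    options = []
    for c in controls:
        if not c.present:
            patched = [replace(x, present=True) if x is c else x for x in controls]
            options.append((f"add control: {c.name}",
                            round(assurance_score(patched, vulns) - base, 2), c.cost))
    for v in vulns:
        remaining = [x for x in vulns if x is not v]
        options.append((f"fix: {v.name}",
                        round(assurance_score(controls, remaining) - base, 2), v.cost))
    # A zero-cost option is treated as infinitely good value rather than dividing by zero.
    return sorted(options, key=lambda o: o[1] / o[2] if o[2] else float("inf"), reverse=True)

# Constructed sample system: two controls in place, MFA missing, three open weaknesses.
CONTROLS = [Control("perimeter firewall", 0.3, True),
            Control("encryption at rest", 0.3, True),
            Control("multi-factor authentication", 0.4, False, cost=4.0)]
VULNS = [Vulnerability("unpatched VPN appliance", 0.25, cost=5.0),
         Vulnerability("default admin credentials", 0.15, cost=1.0),
         Vulnerability("weak TLS configuration", 0.10, cost=3.0)]

if __name__ == "__main__":
    print("current score:", assurance_score(CONTROLS, VULNS))
    for option, gain, cost in mitigation_plan(CONTROLS, VULNS):
        print(f"{option:40s} +{gain:.2f} for {cost:.1f} units")
```

The ranking shows the point the episode makes about cost-aware prioritisation: the cheap credential fix outranks the higher-risk VPN patch, and the missing control sits between them.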
The practical implication here is that organizations can use such metrics to make data-driven decisions about security investments, prioritizing controls that offer the highest improvement in security assurance for the cost.

Another major theme is the role of automation and AI in security compliance and risk management. Secor’s platform uses AI to assist in processing documents, generating recommendations, and automating parts of the security evaluation process. For example, AI can analyze security policies, risk assessment reports, and compliance standards to suggest relevant controls or identify gaps. However, the guests emphasize that AI is not a replacement for human judgment but rather a tool to expedite decision-making. The platform automates the generation of mitigation plans, showing organizations how much their security score could improve by addressing specific vulnerabilities and estimating the associated costs. This is particularly valuable for SMEs, which often lack the resources to conduct thorough security assessments manually. The episode also addresses concerns about over-reliance on AI, noting that while some companies claim to offer fully AI-driven security solutions, the technology is not yet advanced enough to handle complex security decisions autonomously. Instead, Secor’s approach focuses on augmenting human expertise with automation, reducing the time spent on repetitive tasks like report generation and allowing security teams to focus on strategic improvements. This hybrid model aims to make security compliance more accessible and cost-effective, especially for organizations struggling to keep up with evolving regulations.

The discussion also delves into the challenges of navigating multiple security standards and the practical difficulties organizations face in achieving compliance.
Many industries are subject to overlapping or even conflicting standards, such as GDPR for data protection, ISO 27001 for information security, and sector-specific regulations like those for healthcare or nuclear power. Secor’s platform allows users to combine multiple standards into a single security assurance profile, identifying where controls overlap or contradict. For instance, one standard might require an 8-character password, while another mandates 15 characters. The platform helps organizations prioritize controls based on their importance and the potential impact on their security score, enabling them to allocate budgets more effectively. This is particularly useful for CISOs, who often juggle multiple standards and need a holistic view of their organization’s security posture. The episode highlights that while tools like Secor’s can simplify compliance, they still require users to have a foundational understanding of security principles. The platform is designed to be user-friendly, with intuitive dashboards and educational materials to help users get the most out of it, but it is not a substitute for security expertise.

A critical concern raised in the episode is the security and privacy of the data collected by such platforms. Since Secor’s tool evaluates an organization’s entire system, including networks, endpoints, and configurations, the data it processes is highly sensitive. The guests acknowledge this risk and explain that Secor follows industry-standard security practices, such as secure storage, multi-factor authentication, and access controls, to protect user data. However, they admit that the platform does not currently use advanced privacy-preserving techniques like zero-knowledge proofs or homomorphic encryption, which would allow data to be processed without exposing its contents.
The episode underscores the broader tension in the cybersecurity industry between convenience and security, noting that while software-as-a-service (SaaS) models are popular, discerning users may prefer to run tools locally to retain control over their data. The guests also emphasize that Secor does not retain user data longer than necessary, aligning with the principle that data is a toxic asset that should be minimized. This discussion serves as a reminder that even security-focused companies must prioritize the protection of their users’ data, especially as cyber threats continue to evolve.

Finally, the episode touches on the broader implications of automating security compliance, including the need to keep pace with rapidly changing regulations and threat landscapes. The guests note that Secor’s platform is designed to be flexible, allowing users to add new standards or update existing ones as regulations evolve. This adaptability is crucial in an environment where geopolitical risks, supply chain attacks, and new legislation constantly reshape the security landscape. The episode concludes by emphasizing that while automation can make security compliance more efficient, it is not a silver bullet. Organizations must still invest in training and expertise to use these tools effectively, ensuring that they complement rather than replace human judgment. The conversation leaves listeners with a nuanced understanding of how technology can assist in measuring and improving security, while also highlighting the limitations and ethical considerations of relying too heavily on automation.