
New Episode of The Cyber Show: Measuring Security
This episode of The Cyber Show explores the challenges and innovations in measuring security, particularly through the lens of a company called Secor (pronounced "Secor" in Norway). The discussion centers on whether security can be quantified, how automation and AI might assist in this process, and the practical applications for organizations struggling with compliance and risk management. The guests—Dr. Basil, a professor of information security, and Ryan Maruga, a business development manager at Secor—share insights into their company’s approach to security metrics, the role of AI in security planning, and the difficulties of comparing security products in a crowded market.

One of the core topics is the concept of measuring security quantitatively. Traditionally, security has been assessed qualitatively, relying on checklists, expert opinions, and subjective evaluations. Secor proposes a framework that assigns numerical scores to security assurance by balancing two key factors: requirements (controls that improve security) and vulnerabilities (weaknesses that reduce it). For example, a system with more security controls—such as firewalls, encryption, or access management—would score higher, while known vulnerabilities would lower the score. The company uses a weighted system where controls and vulnerabilities are assigned importance based on their impact, allowing organizations to compare systems or configurations objectively. This approach mirrors software engineering metrics, where complexity and test coverage are used to gauge quality, but applies it to security. The practical implication is that organizations can move beyond vague compliance checks and instead use data-driven insights to prioritize security investments, especially when budgets are limited.

Another major focus is the role of AI and automation in security planning. The guests emphasize that while AI is often overhyped, it can play a valuable role in processing large volumes of data, such as security policies, risk assessments, and compliance standards, to generate actionable recommendations. For instance, AI can analyze documents to suggest relevant security controls or identify gaps in an organization’s defenses. However, the guests stress that AI should not replace human judgment—it should assist by reducing manual effort, such as automating the generation of test plans or mitigation strategies. Secor’s platform, for example, uses AI to help organizations benchmark themselves against industry standards like ISO 27001 or GDPR, but the final decisions remain with security professionals. This hybrid approach addresses a common pain point: the overwhelming amount of paperwork and manual processes involved in compliance. By automating repetitive tasks, organizations can focus on strategic improvements rather than administrative overhead.

The episode also delves into the challenges of comparing security products and tools. Many organizations rely on vendor relationships or subjective evaluations when selecting security solutions, which can lead to suboptimal choices. Secor’s platform aims to provide an objective way to compare products by evaluating them against standardized metrics. For example, a CISO could use the tool to assess whether a new firewall or endpoint protection system meets their organization’s specific requirements and how it stacks up against alternatives. The discussion highlights the importance of tailoring evaluations to an organization’s unique environment—whether it’s a Linux-heavy infrastructure, a Windows-dominated one, or a mix of both. The tool allows users to create custom security assurance profiles, combining multiple standards (e.g., GDPR, ISO 27001, or industry-specific regulations) into a single evaluation. This flexibility is particularly useful for sectors like healthcare or critical infrastructure, where compliance with multiple overlapping standards is required. The practical takeaway is that organizations can avoid redundant or conflicting controls while ensuring they meet all necessary requirements.

Finally, the conversation touches on the broader implications of security metrics, including the risks of data collection and the need for transparency. The hosts raise concerns about the sensitivity of the data Secor’s platform might process—such as network configurations, vulnerabilities, and risk assessments—and how it is secured. The guests acknowledge that while Secor follows industry-standard security practices (e.g., encryption, access controls, and compliance with frameworks like Cyber Essentials), they do not currently use advanced techniques like zero-knowledge proofs or homomorphic encryption to anonymize data. This highlights a tension in the security industry: while automation and cloud-based tools offer convenience, they also introduce new risks if sensitive data is mishandled. The episode underscores the importance of balancing innovation with caution, particularly when dealing with data that could be a prime target for attackers. Additionally, the guests discuss the challenge of keeping up with the rapidly evolving threat landscape, noting that Secor’s platform is designed to be adaptable, allowing users to update their evaluations as new standards or vulnerabilities emerge.

The episode concludes with a discussion on the future of security metrics and the role of AI in the field. While the guests are optimistic about the potential of automation to improve security decision-making, they caution against overreliance on AI, emphasizing that human expertise remains critical. The conversation leaves listeners with a nuanced understanding of how security can be measured, the trade-offs involved in automation, and the practical steps organizations can take to improve their security posture. For those interested in exploring these ideas further, the full episode is available at https://cybershow.uk/content/episodes/measuringsecurity/measuringsecurity.html.
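The weighted assurance score and the combined-standard profiles described above, as an added example that is not Secor's platform or code: the control names, the weights and the 1..5 impact scale are constructed assumptions, and the scoring formula is one plausible reading of "controls raise the score, vulnerabilities lower it", not Secor's.

```python
"""Added example (not Secor's code): a toy weighted security-assurance score in
the spirit of the episode. Controls raise the score, vulnerabilities lower it,
each weighted by impact; the weights and the 1..5 scale are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    weight: float  # assumed impact scale: 1 (minor) .. 5 (critical)

@dataclass(frozen=True)
class Vulnerability:
    name: str
    weight: float  # assumed severity on the same 1..5 scale

def build_profile(*standards: list[Control]) -> dict[str, Control]:
    """Merge several standards' requirement lists into one assurance profile;
    a control shared by two standards is counted once, not twice."""
    profile: dict[str, Control] = {}
    for controls in standards:
        for c in controls:
            profile.setdefault(c.name, c)
    return profile

def assurance_score(profile: dict[str, Control], implemented: set[str],
                    vulns: list[Vulnerability]) -> float:
    """0..100: weight of implemented profile controls minus weight of known
    vulnerabilities, as a share of the profile's total weight, clamped."""
    total = sum(c.weight for c in profile.values())
    if total == 0:
        return 0.0
    gained = sum(c.weight for n, c in profile.items() if n in implemented)
    lost = sum(v.weight for v in vulns)
    return round(100 * max(0.0, min(1.0, (gained - lost) / total)), 1)

def gaps(profile: dict[str, Control], implemented: set[str]) -> list[str]:
    """Missing controls, highest impact first: the investment priority list."""
    missing = [c for n, c in profile.items() if n not in implemented]
    return [c.name for c in sorted(missing, key=lambda c: -c.weight)]

# Constructed sample data: two standards and two candidate configurations.
GDPR = [Control("encryption at rest", 4), Control("access management", 5),
        Control("breach logging", 3)]
ISO_27001 = [Control("access management", 5), Control("firewall", 3),
             Control("backup", 2)]
PROFILE = build_profile(GDPR, ISO_27001)  # 5 distinct controls, weight 17
CONFIG_A = ({"encryption at rest", "access management", "firewall"},
            [Vulnerability("unpatched VPN appliance", 3)])
CONFIG_B = ({"access management", "firewall", "backup", "breach logging"}, [])
```

Scoring both configurations against PROFILE ranks B (76.5) above A (52.9), and `gaps` lists what A is missing in impact order; the clamp keeps a configuration whose vulnerabilities outweigh its controls at 0 rather than negative.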