
The Cyber Show Explores Measuring Security and the Role of AI in Compliance
This episode of The Cyber Show explores the challenges and innovations in measuring security, seen through the lens of a company called Secor, which aims to automate security planning, risk management, and compliance using advanced data processing techniques. The discussion centers on whether security can be quantified, how automation and AI can assist in that process, and the practical implications for organizations, especially small and medium-sized enterprises (SMEs). The conversation also touches on the ethical use of AI in cybersecurity, the role of standards and compliance, and the importance of balancing automation with human oversight.

One of the core topics is whether security can be measured in a meaningful way. The guests, Dr. Basil and Ryan Maruga from Secor, argue that it can, by evaluating two key aspects: controls, which increase confidence in a system’s security, and vulnerabilities, which decrease it. Traditional assessments rely on qualitative checklists, where organizations manually verify whether they meet requirements from standards such as ISO 27001 or GDPR; this approach is time-consuming and subjective. Secor’s methodology introduces a quantitative framework that assigns weights to controls and risk ratings to vulnerabilities, allowing organizations to calculate a normalized security assurance score between 0 and 10. The score gives a more objective basis for comparing systems, products, or configurations, helping decision-makers such as Chief Information Security Officers (CISOs) prioritize security investments. The technical concept behind it is a 'security assurance profile' that aggregates requirements from multiple standards and evaluates them against a system’s current state.
This approach is particularly useful for SMEs, which may lack the resources to conduct thorough manual assessments but still need to comply with industry regulations.

Another major topic is the role of AI and automation in security metrics. The guests emphasize that while AI is often overhyped and misused in cybersecurity, it can play a valuable role in automating repetitive tasks such as processing large volumes of documentation, generating recommendations, and even running automated tests. For example, AI can analyze security policies, risk assessment reports, and compliance standards to suggest high-level security controls or identify gaps. However, the guests stress that AI should not replace human judgment entirely; it should act as an assistant, providing suggestions that security professionals review and refine. Secor’s platform uses AI to streamline the creation of test plans and mitigation strategies, reducing the time and effort required for compliance assessments. The practical implication is that organizations can achieve compliance more efficiently, freeing up resources to address vulnerabilities rather than paperwork. The episode also highlights the importance of transparency in AI-driven tools: users need to understand how recommendations are generated in order to trust and effectively use them.

The discussion then turns to the challenges of compliance and the complexity of navigating multiple security standards. Organizations often struggle with overlapping or conflicting requirements from different standards, such as GDPR, ISO 27001, or industry-specific regulations. Secor’s platform addresses this by allowing users to combine multiple standards into a single security assurance profile, identifying where requirements overlap or contradict. For instance, one standard might require an 8-character password while another mandates 15 characters.
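The profile-merging and 0-to-10 scoring idea described above, as an added toy model that is not Secor's code or methodology: the sample standards, weights, system state, vulnerability findings, the strictest-wins merge rule and the scoring formula are all constructed assumptions for illustration. It also ranks unmet controls by how much each would move the score, the prioritization use the episode mentions.

```python
"""Toy model of a multi-standard security assurance profile and a normalized
0-10 assurance score. Constructed example, not Secor's methodology: the
controls, weights, merge rule and scoring formula are all assumptions."""

# Constructed requirements per standard: control -> (weight, required level).
# Booleans are levels too (True is stricter than False).
STANDARDS = {
    "standard_a": {"password_min_length": (3, 8), "mfa": (5, True), "backups": (2, True)},
    "standard_b": {"password_min_length": (3, 15), "mfa": (5, True), "log_retention_days": (2, 90)},
}
# Constructed current system state and vulnerability findings (risk weight in [0, 1]).
SYSTEM_STATE = {"password_min_length": 12, "mfa": True, "backups": False, "log_retention_days": 90}
VULNS = {"finding-1 (constructed)": 0.2, "finding-2 (constructed)": 0.1}

def build_profile(standards):
    """Merge standards into one profile. Assumed rule: an overlapping control keeps the
    strictest level and highest weight; differing levels are recorded as conflicts."""
    profile, conflicts = {}, []
    for reqs in standards.values():
        for control, (weight, level) in reqs.items():
            if control in profile:
                old_weight, old_level = profile[control]
                if old_level != level:  # e.g. 8 vs 15 characters: flag for review
                    conflicts.append((control, old_level, level))
                profile[control] = (max(old_weight, weight), max(old_level, level))
            else:
                profile[control] = (weight, level)
    return profile, conflicts

def assurance_score(profile, state, vulns):
    """0-10 score: controls raise confidence, vulnerabilities lower it.
    confidence = weighted share of controls whose current level meets the
    required level; risk = summed vulnerability weights, capped at 1."""
    total = sum(weight for weight, _ in profile.values())
    met = sum(weight for ctrl, (weight, level) in profile.items()
              if state.get(ctrl, 0) >= level)
    risk = min(1.0, sum(vulns.values()))
    return round(10 * (met / total) * (1 - risk), 2)

def prioritize(profile, state, vulns):
    """Rank unmet controls by the score gain from satisfying each one alone."""
    base = assurance_score(profile, state, vulns)
    gains = []
    for ctrl, (_, level) in profile.items():
        if state.get(ctrl, 0) < level:
            fixed = dict(state, **{ctrl: level})
            gains.append((ctrl, round(assurance_score(profile, fixed, vulns) - base, 2)))
    return sorted(gains, key=lambda g: g[1], reverse=True)
```

With the constructed data the merged profile flags the 8-versus-15 password conflict, the system scores 4.08, and raising the password minimum is the single control that would improve the score most.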
The platform helps organizations prioritize controls based on their importance and their potential impact on the security score, enabling them to allocate budgets more effectively. This is particularly valuable for CISOs, who must balance compliance with limited resources. The episode also touches on the learning curve associated with new security tools, noting that many organizations underutilize the tools they purchase. Secor aims to mitigate this with user-friendly dashboards, tutorials, and consultations so that users can make full use of the platform’s capabilities.

Finally, the episode addresses concerns about data security and privacy when using a software-as-a-service (SaaS) platform like Secor. The guests acknowledge that organizations may be hesitant to share sensitive information about their systems, networks, and vulnerabilities with a third-party provider. Secor responds by implementing industry-standard security measures, such as secure storage, multi-factor authentication, and access controls, to protect user data. However, they admit that they do not currently use advanced techniques like zero-knowledge proofs or homomorphic encryption, which would allow data to be processed without exposing it to the provider. The guests emphasize that Secor minimizes data retention, keeping user data only as long as necessary and destroying it when it is no longer needed. This discussion highlights the broader tension in the cybersecurity industry between the convenience of SaaS solutions and the need for data privacy and control.

The episode concludes by noting that while automation and AI can significantly improve security metrics, they must be used responsibly and in conjunction with human expertise to be truly effective.