
The Cyber Show Explores Measuring Cybersecurity Effectiveness with Secor
This episode of The Cyber Show explores the challenges and innovations in measuring cybersecurity effectiveness, particularly through the lens of a company called Secor. The discussion centers on whether security can be quantified, how automation and AI might assist in compliance and risk management, and the practical applications of such tools for organizations. The conversation also delves into the ethical use of AI in cybersecurity, the importance of human oversight, and the evolving landscape of security standards and regulations.

One of the core topics is the concept of measuring security quantitatively. The guests, Dr. Basil and Ryan Maruga from Secor, argue that security can indeed be measured by evaluating two key aspects: controls (which increase confidence in a system’s security) and vulnerabilities (which decrease it). Controls refer to safeguards like firewalls, encryption, or access policies that prevent or detect threats, while vulnerabilities are weaknesses that attackers could exploit. The company’s approach involves assigning weights to controls and risks to vulnerabilities, creating a matrix that calculates a security assurance score between 0 and 10. This method allows organizations to compare different systems or products objectively, rather than relying on subjective assessments or vendor pitches. For example, a CISO (Chief Information Security Officer) could use this tool to determine whether a new security product is worth investing in by comparing its score against existing solutions. The practical implication is that organizations can make data-driven decisions about security investments, prioritizing fixes that offer the most significant improvement in their security posture for the least cost.

Another major theme is the role of AI and automation in security compliance and risk management.
The guests emphasize that while AI can assist in processing large volumes of data—such as security policies, risk assessments, or compliance standards—it should not replace human judgment. AI can automate tasks like reading reports, suggesting controls, or generating test plans, but a human must ultimately review and approve these recommendations. This 'human-in-the-loop' approach ensures that decisions are not solely reliant on algorithms, which may lack context or nuance. For instance, AI might suggest a control based on a standard like ISO 27001, but a security expert would need to determine whether that control is appropriate for the organization’s specific environment. The episode also highlights the potential pitfalls of overhyping AI, noting that many companies claim to offer fully AI-driven security solutions, which may not yet be feasible or reliable. Secor’s approach is more measured, using AI to streamline workflows while keeping humans involved in critical decisions. This balance is particularly valuable for small and medium-sized enterprises (SMEs), which often lack the resources to manually manage compliance but still need robust security measures.

The discussion also covers the challenges of navigating multiple security standards and the complexity of modern IT environments. Organizations often must comply with several standards simultaneously, such as GDPR for data privacy, ISO 27001 for information security, and industry-specific regulations like those for healthcare or nuclear power. These standards can overlap or even contradict each other—for example, one standard might require an 8-character password while another demands 15 characters. Secor’s tool addresses this by allowing users to combine multiple standards into a single security assurance profile, identifying overlaps and conflicts. This feature helps organizations avoid redundant controls and focus on the most critical requirements.
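To make the "overlaps and conflicts" idea concrete, here is an added illustration (not Secor's code or algorithm) of merging requirement sets from several standards into one profile. It assumes each standard is a flat mapping of requirement keys to values, that numeric requirements are minimums (so the strictest is the maximum, as with the 8- versus 15-character password case above) and that boolean requirements are satisfied by the stricter "required" value; the standard names and requirement keys are constructed sample data.

```python
"""Merge requirements from several standards into one profile, recording
which standards set each requirement (overlap) and where they disagree
(conflict). Illustrative model only, not Secor's implementation."""

# Constructed sample inputs: requirement key -> value per standard.
STANDARDS = {
    "ISO 27001 (internal mapping)": {"password_min_length": 8, "mfa_required": True},
    "Sector regulator":            {"password_min_length": 15, "log_retention_days": 365},
    "Company policy":              {"password_min_length": 12, "mfa_required": False,
                                    "log_retention_days": 365},
}

def strictest(values: list):
    """Assumption: numbers are minimums (take the max); booleans are
    'required' flags (True wins). Anything else cannot be auto-resolved."""
    if all(isinstance(v, bool) for v in values):
        return any(values)
    if all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in values):
        return max(values)
    return None  # caller must flag this for a human decision

def merge_profiles(standards: dict[str, dict]) -> dict[str, dict]:
    """Return key -> {'value', 'sources', 'conflict', 'seen'} for every requirement."""
    merged: dict[str, dict] = {}
    for std_name, reqs in standards.items():
        for key, value in reqs.items():
            entry = merged.setdefault(key, {"sources": [], "seen": []})
            entry["sources"].append(std_name)
            entry["seen"].append(value)
    for key, entry in merged.items():
        distinct = set(entry["seen"])
        entry["conflict"] = len(distinct) > 1          # standards disagree on this key
        entry["value"] = strictest(entry["seen"])       # resolved value, or None
    return merged

def conflicts(profile: dict[str, dict]) -> list[str]:
    """Keys a reviewer should look at: disagreements and unresolvable values."""
    return sorted(k for k, e in profile.items() if e["conflict"] or e["value"] is None)

if __name__ == "__main__":
    prof = merge_profiles(STANDARDS)
    for key in sorted(prof):
        e = prof[key]
        print(f"{key:22} -> {e['value']!s:5} from {len(e['sources'])} standard(s)"
              f"{'  CONFLICT' if e['conflict'] else ''}")
```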
The tool also provides a mitigation plan, showing how much a specific fix will improve the security score and its associated cost. This is particularly useful for budget-constrained organizations, as it allows them to allocate resources efficiently. For example, a CISO could see that investing in a particular control would boost their security score from 7 to 9, while another fix might only improve it marginally. The practical application here is that organizations can prioritize security improvements based on measurable outcomes rather than guesswork.

A critical concern raised in the episode is the security and privacy of the data collected by such tools. Since Secor’s platform evaluates an organization’s entire IT infrastructure, it handles sensitive information about vulnerabilities, configurations, and compliance status. The guests acknowledge that this data is a 'toxic asset'—valuable to attackers if compromised—and outline their security measures, such as encryption, multi-factor authentication, and adherence to standards like Cyber Essentials and OWASP. However, they admit that they do not use advanced techniques like zero-knowledge proofs or homomorphic encryption, which would allow data to be processed without exposing it. The episode underscores the tension between convenience and security, noting that while software-as-a-service (SaaS) models are popular, some organizations may prefer to run tools locally to retain full control over their data. This highlights a broader challenge in cybersecurity: balancing the need for automation and ease of use with the imperative to protect sensitive information.

Finally, the episode touches on the rapid pace of change in the cybersecurity landscape and how tools like Secor’s can adapt. New threats, regulations, and technologies emerge constantly, making it difficult for organizations to stay compliant and secure.
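The scoring idea from the first passage (weighted controls raise confidence, weighted vulnerabilities lower it, giving a 0 to 10 assurance score) and the mitigation plan just described (score gain per fix, ranked against cost) can be illustrated together in one small model. This is an added example, not Secor's formula or code: the scoring rule, the control catalog, the baseline profile and the fixes are all constructed assumptions chosen so the ranking is easy to follow.

```python
"""Toy assurance-score model and mitigation ranking. The formula is an
assumption for illustration only, not Secor's method."""
from dataclasses import dataclass, field

# Constructed catalog: every control the profile is expected to have, with a weight.
CATALOG = {"mfa": 0.3, "encryption_at_rest": 0.3, "firewall": 0.2, "patch_management": 0.2}

@dataclass
class Profile:
    controls: set[str] = field(default_factory=set)            # implemented control names
    vulnerabilities: dict[str, float] = field(default_factory=dict)  # name -> risk in [0, 1]

@dataclass
class Fix:
    name: str
    cost: float                 # arbitrary budget units
    adds_control: str = ""      # control this fix implements, if any
    removes_vuln: str = ""      # vulnerability this fix closes, if any

def assurance_score(p: Profile, catalog: dict[str, float]) -> float:
    """0..10: share of catalog weight implemented, scaled by residual exposure.
    Risks are treated as independent, so exposure is the product of (1 - risk)."""
    total = sum(catalog.values())
    implemented = sum(w for c, w in catalog.items() if c in p.controls)
    confidence = implemented / total if total else 0.0
    exposure = 1.0
    for risk in p.vulnerabilities.values():
        exposure *= 1.0 - risk
    return round(10.0 * confidence * exposure, 2)

def apply_fix(p: Profile, fix: Fix) -> Profile:
    """Return a new profile with the fix applied; the original is left untouched."""
    controls, vulns = set(p.controls), dict(p.vulnerabilities)
    if fix.adds_control:
        controls.add(fix.adds_control)
    if fix.removes_vuln:
        vulns.pop(fix.removes_vuln, None)
    return Profile(controls, vulns)

def mitigation_plan(p: Profile, catalog: dict[str, float], fixes: list[Fix]) -> list[tuple]:
    """Rows of (fix, new_score, gain, gain_per_cost), best value for money first."""
    base = assurance_score(p, catalog)
    rows = []
    for f in fixes:
        new = assurance_score(apply_fix(p, f), catalog)
        gain = round(new - base, 2)
        rows.append((f.name, new, gain, round(gain / f.cost, 4)))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed baseline: two controls in place, two open weaknesses.
BASELINE = Profile({"firewall", "encryption_at_rest"}, {"unpatched_vpn": 0.4, "default_creds": 0.25})
FIXES = [Fix("enable_mfa", 5, adds_control="mfa"),
         Fix("patch_vpn", 2, removes_vuln="unpatched_vpn"),
         Fix("rotate_default_creds", 1.5, removes_vuln="default_creds"),
         Fix("deploy_patch_management", 10, adds_control="patch_management")]
```

Running `mitigation_plan(BASELINE, CATALOG, FIXES)` ranks the cheap VPN patch above the more expensive MFA rollout even though MFA adds more catalog weight, which is the kind of cost-aware prioritisation the passage describes.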
Secor addresses this by allowing users to update their security assurance profiles with new standards or vulnerabilities as they arise. The tool is designed to be flexible, accommodating everything from NIST frameworks to industry-specific requirements. This adaptability is crucial for organizations operating in dynamic environments, such as those affected by geopolitical risks or supply chain attacks. The guests also emphasize the importance of user education, noting that even the best tools are ineffective if users don’t understand how to leverage them fully. Secor provides tutorials and consultations to help users maximize the platform’s potential, ensuring that it remains a practical solution rather than just another underutilized tool.