
The Cyber Show Explores Measuring Cybersecurity Effectiveness with Secor
This episode of The Cyber Show explores the challenges and innovations in measuring cybersecurity effectiveness, seen through the lens of a company called Secor (the episode notes how the name is pronounced in Norway). The discussion centers on whether security can be quantified, how automation and AI might assist compliance and risk management, and what such tools offer organizations in practice. The guests, Dr. Basil, a professor of information security, and Ryan Maruga, a business development manager at Secor, share insights into the company's approach to security metrics, the role of AI in security planning, and the difficulties of navigating compliance standards.

One of the core topics is measuring security quantitatively. The guests argue that security can be assessed with a structured framework that balances positive controls (security measures in place and compliance with standards) against negative factors (vulnerabilities and risks). Secor's methodology assigns weights to these factors and produces a normalized score between 0 and 10 that represents a system's security assurance level. The approach parallels software engineering metrics such as complexity and test coverage, which are used to gauge code quality. Security metrics are more nuanced, however, because they must account for dynamic threats, varying risk appetites, and overlapping compliance requirements. The practical implication is that organizations can use such tools to compare security products, identify gaps in their defenses, and prioritize investments by the measurable improvement each one makes to the security posture. A CISO could, for example, determine whether implementing a specific control would raise the score more than remediating a particular vulnerability, and allocate a limited budget accordingly. Another key topic is the role of AI and automation in security compliance.
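Returning to the scoring framework: the episode says only that Secor weights positive controls against negative findings and normalizes the result to 0..10, so the model below is an added illustration written for this summary, not Secor's formula. The control names, weights, costs and the investment options are all constructed. It shows the one thing the CISO example needs that the prose does not: putting "implement control X" and "fix finding Y" on the same scale, and ranking them by score gain per unit cost rather than raw gain.

```python
from dataclasses import dataclass

# Illustrative weighted assurance score (not Secor's actual methodology, which
# the episode does not disclose). All names, weights and costs are constructed.


@dataclass(frozen=True)
class Posture:
    controls: dict          # control name -> weight (higher = more valuable)
    implemented: frozenset  # names of controls actually in place
    findings: dict          # open finding -> weight (higher = more severe)


@dataclass(frozen=True)
class Investment:
    name: str
    cost: float                          # assumed cost in thousands (constructed)
    implements: frozenset = frozenset()  # controls this investment puts in place
    resolves: frozenset = frozenset()    # findings this investment closes


def assurance_score(posture: Posture) -> float:
    """Normalized 0..10 score: implemented positive weight over total weight."""
    positive = sum(w for name, w in posture.controls.items()
                   if name in posture.implemented)
    negative = sum(posture.findings.values())
    total = positive + negative
    if total == 0:
        return 0.0  # no evidence either way: score nothing, not 10/10
    return 10.0 * positive / total


def apply_investment(posture: Posture, inv: Investment) -> Posture:
    """Return the posture after the investment lands (original left untouched)."""
    return Posture(
        controls=posture.controls,
        implemented=posture.implemented | inv.implements,
        findings={n: w for n, w in posture.findings.items() if n not in inv.resolves},
    )


def rank_investments(posture: Posture, options):
    """Rank options by score gain per unit cost, best first.

    Returns (name, gain, gain_per_cost) tuples so that adding a control and
    fixing a finding are compared on one scale.
    """
    base = assurance_score(posture)
    rows = []
    for inv in options:
        gain = assurance_score(apply_investment(posture, inv)) - base
        rows.append((inv.name, gain, gain / inv.cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample posture: two of four controls in place, two open findings.
BASELINE = Posture(
    controls={"mfa_enforced": 3.0, "tested_backups": 2.0,
              "patch_sla": 2.0, "central_logging": 1.0},
    implemented=frozenset({"mfa_enforced", "central_logging"}),
    findings={"critical_unpatched_host": 4.0, "default_admin_credentials": 3.0},
)

OPTIONS = [
    Investment("adopt_patch_sla", cost=20.0, implements=frozenset({"patch_sla"})),
    Investment("rotate_default_credentials", cost=5.0,
               resolves=frozenset({"default_admin_credentials"})),
    Investment("patch_critical_host", cost=8.0,
               resolves=frozenset({"critical_unpatched_host"})),
]

if __name__ == "__main__":
    print(f"baseline score: {assurance_score(BASELINE):.2f}/10")
    for name, gain, per_cost in rank_investments(BASELINE, OPTIONS):
        print(f"{name:28s} +{gain:.2f} points  ({per_cost:.3f} per unit cost)")
```

On the constructed numbers, patching the critical host gives the largest raw gain, but rotating the default credentials wins on gain per unit cost, which is the comparison the budget argument actually needs. Two caveats a practitioner would raise with any score of this shape: the weights are the whole model, so whoever assigns them decides the ranking, and because the score is a ratio it can be inflated by adding cheap, low-value controls without closing a single finding.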
The guests emphasize that while AI can assist in processing large volumes of material, such as policy documents, risk assessments, and compliance standards, it should not replace human decision-making. Secor's platform uses AI to suggest high-level security qualities and to generate test plans, but the final evaluation and the choice of mitigations require human oversight. This human-in-the-loop approach is meant to keep recommendations contextually relevant and aligned with an organization's specific needs. The episode also critiques the overuse of the term "AI" in cybersecurity marketing, noting that many products claim to be fully AI-driven while lacking transparency or ethical safeguards. Secor's approach is positioned as more grounded: AI is used for efficiency without promising autonomy. For organizations, this means faster compliance assessments, less paperwork, and the ability to benchmark against several standards at once. The guests acknowledge, however, that AI is not yet capable of fully autonomous security evaluations, and that over-reliance on it could introduce new risks.

The discussion also delves into the complexity of navigating multiple security standards. Organizations often struggle with overlapping or conflicting requirements from different frameworks, such as GDPR, ISO 27001, or industry-specific regulations. Secor's platform addresses this by letting users combine several standards into a single security assurance profile, identifying redundancies and contradictions. For instance, one standard might require an 8-character password while another mandates 15 characters; the tool highlights such discrepancies and helps the organization adopt the most stringent requirement where the standards overlap. This is particularly valuable for small and medium-sized enterprises (SMEs), which may lack the resources for a dedicated compliance team.
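The merge the episode describes, reduced to its mechanics, as an added example for this summary (not Secor's code; the platform's internal representation is not discussed). It takes requirements from several standards, picks the strictest value per control, records which standards demanded it (so the profile stays auditable), and flags two things the prose mentions but does not show: redundancies, where several standards demand the same value, and genuine contradictions. The page's 8-versus-15 example is not a contradiction, just a stricter requirement, so the constructed data adds a maximum-length cap to show what a real conflict looks like. Standard names (StdA, StdB, StdC) and all values are placeholders.

```python
from collections import defaultdict

# Constructed requirements: (standard, control, bound, value).
# bound "min": a larger value is stricter; "max": a smaller value is stricter;
# "flag": True (required) is stricter than False. Standard names are placeholders,
# not real frameworks, and the values are invented for the example.
REQUIREMENTS = [
    ("StdA", "password.length", "min", 8),
    ("StdB", "password.length", "min", 15),
    ("StdC", "password.length", "min", 15),   # redundant with StdB
    ("StdA", "password.length", "max", 12),   # legacy cap: contradicts a 15-char minimum
    ("StdA", "mfa.required", "flag", True),
    ("StdB", "mfa.required", "flag", False),
    ("StdB", "log.retention_days", "min", 90),
    ("StdC", "log.retention_days", "min", 365),
]


def strictest(bound, values):
    """Pick the most demanding value for one bound type."""
    if bound == "min":
        return max(values)
    if bound == "max":
        return min(values)
    if bound == "flag":
        return any(values)
    raise ValueError(f"unknown bound type: {bound}")


def merge_standards(requirements):
    """Build one assurance profile from several standards.

    Returns (profile, redundancies, conflicts):
      profile[control][bound] = (chosen value, standards that demand exactly it)
      redundancies: bounds where more than one standard demands the chosen value
      conflicts: controls whose strictest minimum exceeds their strictest maximum
    """
    grouped = defaultdict(lambda: defaultdict(list))
    for standard, control, bound, value in requirements:
        grouped[control][bound].append((standard, value))

    profile, redundancies, conflicts = {}, [], []
    for control, bounds in grouped.items():
        profile[control] = {}
        for bound, entries in bounds.items():
            chosen = strictest(bound, [v for _, v in entries])
            sources = sorted(s for s, v in entries if v == chosen)
            profile[control][bound] = (chosen, sources)
            if len(sources) > 1:
                redundancies.append((control, bound, chosen, sources))
        # A minimum above a maximum cannot be satisfied by any configuration;
        # that is a contradiction a human has to resolve, not a stricter control.
        if "min" in profile[control] and "max" in profile[control]:
            (lo, lo_src), (hi, hi_src) = profile[control]["min"], profile[control]["max"]
            if lo > hi:
                conflicts.append((control, lo, lo_src, hi, hi_src))
    return profile, redundancies, conflicts


if __name__ == "__main__":
    profile, redundancies, conflicts = merge_standards(REQUIREMENTS)
    for control, bounds in profile.items():
        for bound, (value, sources) in bounds.items():
            print(f"{control:20s} {bound:4s} {value!s:6s} from {', '.join(sources)}")
    for control, bound, value, sources in redundancies:
        print(f"redundant: {control} {bound}={value} demanded identically by {sources}")
    for control, lo, lo_src, hi, hi_src in conflicts:
        print(f"CONFLICT: {control} min {lo} ({lo_src}) exceeds max {hi} ({hi_src})")
```

"Strictest wins" is only well defined when the requirements are comparable numbers or booleans in the same unit. Most control text in real standards is prose ("passwords shall be of adequate complexity"), and mapping that onto a comparable bound is exactly the step the guests say still needs a human in the loop; the flagged conflict likewise needs a policy decision (drop the legacy cap, or document an exception), not an automatic pick.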
The practical application is that organizations can streamline their compliance efforts, reduce audit fatigue, and meet the most critical requirements without duplicating work.

A critical concern raised in the episode is the security and privacy of the data such platforms collect. Because Secor's tool evaluates an organization's entire security infrastructure, the data it holds (a consolidated map of controls, gaps and open findings) is a prime target for attackers. The guests explain that Secor follows industry-standard security practices, such as secure storage, multi-factor authentication, and adherence to guidance like Cyber Essentials and the OWASP Top 10. They acknowledge, however, that they do not currently use advanced privacy-preserving techniques such as zero-knowledge proofs or homomorphic encryption, which would allow data to be processed without exposing its sensitive details to the platform. This highlights a broader tension in the industry: SaaS (Software as a Service) models offer convenience, but they also centralize sensitive data and create a single high-value point of failure. The episode underscores the importance of minimizing data retention and enforcing robust access controls, and notes that some organizations may eventually prefer to run such tools locally for greater control.

Finally, the episode touches on the broader implications of security metrics and automation for the cybersecurity profession. The guests and hosts discuss the learning curve that comes with new tools, noting that many organizations underutilize the capabilities of the security software they already own. Secor aims to address this with user-friendly dashboards, tutorials, and consultations that help CISOs and security teams get the most out of the tool. The conversation also turns to the ethical use of AI, emphasizing that automation should augment human expertise rather than replace it.
For example, AI can quickly analyze compliance documents and suggest controls, but a human must validate those suggestions and tailor them to the organization's environment. The episode concludes by stressing that while tools like Secor's can make security more measurable and efficient, they are no substitute for skilled professionals who understand the nuances of risk management and compliance.