The Cyber Show Explores Measuring Security and the Role of AI in Compliance
This episode of The Cyber Show explores the challenges and innovations in measuring security, particularly through the lens of a company called Secor (pronounced 'Secor' in Norway). The discussion centers on whether security can be quantified, how automation and AI might assist in compliance and risk management, and the practical applications of these tools for organizations. The conversation also touches on the ethical use of AI in cybersecurity, the difficulties of comparing security products, and the importance of balancing automation with human oversight.

One of the core topics is the concept of measuring security and whether it can be quantified in a meaningful way. The guests, Dr. Basil and Ryan Maruga from Secor, argue that security can indeed be measured by evaluating two key aspects: controls (which increase confidence in security) and vulnerabilities (which decrease it). They explain that traditional methods of assessing security often rely on qualitative checklists, where organizations manually verify compliance with standards like ISO 27001 or GDPR. However, this approach can be subjective and time-consuming. Secor’s methodology introduces a quantitative framework that assigns weights to controls and risks to vulnerabilities, allowing for a more objective comparison between systems. For example, a control like multi-factor authentication might be given a higher weight because it significantly reduces risk, while a minor vulnerability might have a lower risk score. The result is a normalized security assurance score between 0 and 10, which helps organizations prioritize improvements. This approach is particularly useful for small and medium-sized enterprises (SMEs) that lack the resources to conduct extensive manual assessments. By automating parts of the evaluation process, Secor aims to make compliance more accessible and actionable, helping organizations identify gaps and allocate budgets more effectively.
Another major theme is the role of AI and automation in security planning and compliance. The guests emphasize that while AI is often overhyped, it can play a valuable role in streamlining security assessments. For instance, AI can process large volumes of documents—such as security policies, risk assessments, and compliance standards—to generate high-level security requirements. It can also suggest specific tests or evidence needed to verify whether a control is properly implemented. However, the guests stress that AI should not replace human judgment entirely. Instead, it should act as an assistant, providing recommendations that security professionals can review and refine. This 'human-in-the-loop' approach ensures that decisions remain grounded in expertise rather than blindly trusting AI outputs. The episode also highlights the potential for AI to automate technical testing, such as running vulnerability scans or verifying configurations, which can save time and reduce human error. However, the guests caution that fully autonomous security systems are not yet feasible, as the technology lacks the nuance and adaptability required for complex security decisions. The practical implication here is that AI can enhance efficiency but must be used responsibly, with clear boundaries and oversight.

The discussion also delves into the challenges of comparing security products and the limitations of traditional sales methods in cybersecurity. Many organizations rely on relationships with vendors, often choosing products based on trust or marketing rather than objective performance. Secor’s tool aims to address this by providing a standardized way to compare products based on their security assurance scores. For example, a CISO can evaluate multiple solutions side by side, seeing how each one performs against the same set of controls and vulnerabilities. This reduces reliance on vendor claims and helps organizations make data-driven decisions.
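To make the two ideas above concrete (a weighted control/vulnerability score normalized to 0–10, and scoring several products against the same control set), here is an added example that is not Secor's code and does not use Secor's published formula; the scoring rule, the control weights, the risk values and the two sample products are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    weight: float       # confidence a fully implemented control contributes
    implemented: float  # 0.0 (absent) .. 1.0 (fully implemented and evidenced)

@dataclass(frozen=True)
class Vulnerability:
    name: str
    risk: float         # 0.0 .. 1.0: fraction of confidence an open finding removes

def assurance_score(controls, vulnerabilities):
    """Assumed scoring rule (not Secor's): weighted share of implemented
    controls, discounted by each open vulnerability, scaled to 0..10."""
    total_weight = sum(c.weight for c in controls)
    if total_weight <= 0:
        return 0.0  # nothing to measure against, so no confidence is claimed
    confidence = sum(c.weight * c.implemented for c in controls) / total_weight
    exposure = 1.0
    for v in vulnerabilities:
        exposure *= 1.0 - min(1.0, max(0.0, v.risk))
    return round(10 * confidence * exposure, 2)

def gaps(controls):
    """Missing control weight, largest first: where budget buys the most assurance."""
    missing = [(c.name, round(c.weight * (1 - c.implemented), 2))
               for c in controls if c.implemented < 1]
    return sorted(missing, key=lambda g: (-g[1], g[0]))

def compare(systems):
    """Score several systems against the same control set and rank them."""
    ranked = [(name, assurance_score(ctrls, vulns))
              for name, (ctrls, vulns) in systems.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

# Constructed sample data, not figures from the episode.
SYSTEMS = {
    "Product A": ([Control("Multi-factor authentication", 3.0, 1.0),
                   Control("Encryption at rest", 2.0, 1.0),
                   Control("Patch management", 2.0, 0.25),
                   Control("Security awareness training", 1.0, 0.0)],
                  [Vulnerability("Outdated TLS configuration", 0.2)]),
    "Product B": ([Control("Multi-factor authentication", 3.0, 0.0),
                   Control("Encryption at rest", 2.0, 1.0),
                   Control("Patch management", 2.0, 1.0),
                   Control("Security awareness training", 1.0, 1.0)],
                  []),
}

if __name__ == "__main__":
    for name, score in compare(SYSTEMS):
        print(f"{name}: {score}/10  gaps={gaps(SYSTEMS[name][0])}")
```

Note that Product B outranks Product A despite lacking MFA, which shows why the weights and risk values, not the arithmetic, carry the judgment in any such scheme.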
The guests also note that security standards can vary widely, with some even contradicting each other (e.g., password length requirements). Secor’s platform allows users to combine multiple standards into a single evaluation, identifying overlaps and conflicts. This is particularly useful for organizations in regulated industries like healthcare or nuclear power, where compliance with multiple frameworks is often required. The practical takeaway is that tools like Secor can help organizations cut through the noise, focus on what truly matters, and avoid redundant or conflicting controls.

A critical concern raised in the episode is the security and privacy of the data collected by such tools. Since Secor’s platform evaluates an organization’s entire security posture—including vulnerabilities, configurations, and compliance gaps—the data it processes is highly sensitive. The guests acknowledge this risk and explain that Secor follows industry-standard security practices, such as encryption, access controls, and multi-factor authentication, to protect user data. However, they admit that the company does not currently use advanced techniques like zero-knowledge proofs or homomorphic encryption, which could further anonymize or secure data. The episode underscores the broader tension in the cybersecurity industry: while software-as-a-service (SaaS) models offer convenience, they also create potential attack surfaces. The guests suggest that future iterations of the tool might allow for local processing, where organizations can run evaluations on their own infrastructure to minimize exposure. This highlights a key dilemma for cybersecurity tools—balancing usability with security—and the need for transparency about how data is handled.

Finally, the episode addresses the rapid pace of change in the cybersecurity landscape and how tools like Secor can adapt. The guests note that new regulations, threats, and technologies emerge constantly, making it difficult for organizations to stay compliant and secure. Secor’s platform is designed to be flexible, allowing users to add or update standards and vulnerability databases as needed. For example, if a new supply chain attack becomes prevalent, the tool can incorporate relevant controls to address it. The guests also mention ongoing research into integrating frameworks like NIST and MITRE ATT&CK to keep the platform current. This adaptability is crucial for organizations that must comply with evolving regulations or respond to emerging threats. The practical implication is that security tools must be dynamic, not static, to remain effective in a fast-changing environment.