When technical debt strikes the security stack
Security teams often own tools that are either barely used or deployed in a way that gives security operations little benefit. This often happens when security teams focus on the wrong KPIs — for example coverage percentage rather than security outcomes, according to Michalis Kamprianis, director of cybersecurity for Hexagon Manufacturing Intelligence.
“What is missing is a proper governance structure that will evaluate the security programs’ outcome based on the pre-defined criteria of risk reduction and security improvements, rather than pure numerical measurements of things that have no value,” he explains. “As an example, most projects start with a plan to cover a percentage of the environment, such as ‘We need to deploy EDR to 99% of the endpoints.’ This target can be explained, measured, and communicated to the business in an indisputable manner. Nevertheless, from the security perspective this doesn’t say anything.”
EDR is a great example, agrees Duff, who says that many security departments leave the tool underutilized by keeping it in ‘detect only mode.’ “Almost every EDR vendor comes in detect only mode because they don’t want their users to deploy a solution and immediately run into a bad user experience being locked out. So then what happens is they get left in detect mode and they’re not actually protecting you. We can’t be having that because now you’re buying the tool for one thing and it’s doing something else.”
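The gap Kamprianis and Duff describe, between a deployment KPI (“the agent is installed on X% of endpoints”) and an outcome metric (“X% of endpoints are actually being protected”), can be made visible with a small audit over the endpoint inventory. The script below is an added illustration, not code from the article or from any EDR vendor; the inventory records, the field names (`agent`, `mode`, `last_checkin_days`) and the 14-day staleness threshold are constructed assumptions, and in practice the records would come from the EDR console export or API. It reports the naive coverage number alongside the share of endpoints that are enrolled, in prevent mode, and recently checking in, and lists the hosts that drag the two apart.

```python
"""Compare EDR deployment coverage with effective protection coverage.

Added example (not from the article). Inventory format and thresholds are
assumptions; replace ENDPOINTS with a real export from your EDR console.
"""

# Constructed sample inventory: one record per endpoint.
ENDPOINTS = [
    {"host": "ws-001", "agent": True,  "mode": "prevent", "last_checkin_days": 1},
    {"host": "ws-002", "agent": True,  "mode": "detect",  "last_checkin_days": 0},
    {"host": "ws-003", "agent": True,  "mode": "detect",  "last_checkin_days": 2},
    {"host": "ws-004", "agent": True,  "mode": "prevent", "last_checkin_days": 45},
    {"host": "srv-01", "agent": False, "mode": None,      "last_checkin_days": None},
    {"host": "srv-02", "agent": True,  "mode": "prevent", "last_checkin_days": 3},
]

# Assumed policy: an agent that has not checked in for this long is not
# considered to be protecting the host, whatever mode it is configured in.
STALE_AFTER_DAYS = 14


def is_protecting(rec, stale_after_days=STALE_AFTER_DAYS):
    """True only if the agent is installed, enforcing, and recently seen."""
    days = rec.get("last_checkin_days")
    return (
        bool(rec.get("agent"))
        and rec.get("mode") == "prevent"
        and days is not None
        and days <= stale_after_days
    )


def coverage_report(endpoints, stale_after_days=STALE_AFTER_DAYS):
    """Return the deployment KPI next to the outcome metric, plus the gap hosts."""
    total = len(endpoints)
    if total == 0:
        return {"deployed_pct": 0.0, "protecting_pct": 0.0,
                "detect_only": [], "stale": [], "missing": []}

    deployed = sum(1 for r in endpoints if r.get("agent"))
    protecting = sum(1 for r in endpoints if is_protecting(r, stale_after_days))

    # Hosts that count toward "coverage" but are not protecting anything.
    detect_only = sorted(r["host"] for r in endpoints
                         if r.get("agent") and r.get("mode") == "detect")
    stale = sorted(r["host"] for r in endpoints
                   if r.get("agent") and r.get("last_checkin_days") is not None
                   and r["last_checkin_days"] > stale_after_days)
    missing = sorted(r["host"] for r in endpoints if not r.get("agent"))

    return {
        "deployed_pct": round(100.0 * deployed / total, 1),
        "protecting_pct": round(100.0 * protecting / total, 1),
        "detect_only": detect_only,
        "stale": stale,
        "missing": missing,
    }


if __name__ == "__main__":
    report = coverage_report(ENDPOINTS)
    print(f"Agent deployed on:      {report['deployed_pct']}% of endpoints")
    print(f"Actually protecting:    {report['protecting_pct']}% of endpoints")
    print(f"Detect-only hosts:      {', '.join(report['detect_only']) or '-'}")
    print(f"Stale agents:           {', '.join(report['stale']) or '-'}")
    print(f"No agent:               {', '.join(report['missing']) or '-'}")
```

On the constructed inventory the deployment KPI reads 83.3% while the outcome metric is 33.3%; the difference is exactly the detect-only and stale hosts that a coverage-percentage target never surfaces. Reporting the second number to the governance forum, with the host lists attached, is what turns the tool from a line item into a risk-reduction measure.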