How to Calculate Security Posture

Originally published by Normalyze.

Written by Vamsi Koduru.

To many, data security posture can seem like an abstruse concept that’s difficult to understand, much less quantify. But by developing a clear methodology and breaking the process down into measurable steps, data security teams can provide clarity into their organizations’ data security posture—and identify potential threats and vulnerabilities before issues arise.

How is Security Posture Measured?

Security posture is measured by creating a methodology to evaluate an organization’s overall cybersecurity strength and resilience. By considering data security policies, controls, procedures, and mechanisms in place, and the threats and vulnerabilities they aim to protect against, you can identify insights into the effectiveness of your security measures.

The challenge of how to calculate security posture is the breadth of the problem.

Components of Security Posture

To comprehensively understand and measure security posture requires consideration of a number of topic areas:

• Risk Assessment and Management
• Security Audits and Assessments
• Compliance Monitoring
• Security Metrics and KPIs
• Security Awareness and Training
• Access Control and Identity Management
• Security Technologies and Tools
• Incident and Breach Metrics
• Network Security
• Data Backup and Recovery
• Third-Party Risk Management
• Threat Intelligence and Analysis

Frameworks of Security Posture Measurement

And there exists a wide-ranging set of frameworks to address security posture measurement across these topic areas:

• NIST Cybersecurity Framework (CSF)
• ISO/IEC 27001
• CIS Critical Security Controls
• COBIT (Control Objectives for Information and Related Technologies)
• ISO/IEC 27002
• CSA Cloud Controls Matrix (CCM)
• PCI DSS (Payment Card Industry Data Security Standard)
• HIPAA Security Rule
• MITRE ATT&CK Framework
• FAIR (Factor Analysis of Information Risk)
• GDPR (General Data Protection Regulation) Compliance Framework

If you’re using one of the above frameworks and it’s working well and providing metrics against which you can measure improvements in your security posture, congratulations. It likely means your security program is mature.

But with the ongoing changes in IT infrastructure and the security landscape and incomplete adoption of new technologies like DSPM that address their security terms, we find that many of the IT teams we talk to are still struggling to get a grasp, and specifically a measurable grasp, on their security posture.

Six Steps to Calculate Security Posture

For those organizations, we recommend a crawl, walk, run approach that focuses on the fundamentals and establishes a measurable baseline that you can improve iteratively over time.

Here is a template your team can model to gain a comprehensive understanding of your organization’s data security status with metrics against which you can measure improvement.

1. Discovery and Classification of Data

• Data Discovery: A comprehensive inventory of all data assets, including databases, files, and applications, is the foundation of any measure of security posture. For operational effectiveness, it should be automated and continuous, and it should cover all data stores in your organization, including SaaS, PaaS, public, multi-cloud, on-prem, and hybrid environments, as well as abandoned data stores, copilots, and LLMs.
• Data Classification: An important part of discovery is the categorization of the data based on its sensitivity and importance, so you understand the difference between critical (sensitive and high-value) data such as PII, customer, or medical records and public non-sensitive data.

2. Conduct a Risk Assessment

• Identify Threats and Vulnerabilities: Determine potential threats to data security, such as cyber-attacks, insider threats, and natural disasters. Identify vulnerabilities that could be exploited.
• Analyze Impact and Likelihood: Assess the potential impact and likelihood of each identified threat and vulnerability. This helps prioritize risks based on their severity.
• Calculate the Value of Data at Risk: Multiplying the number of records of each type of sensitive data by the value of that record type (based on publicly available data on the cost-to-handle per breached record) gives you the calculated value of each set of data in your data stores.
• Identify User Risks: Evaluate access control configurations – resource hierarchies, service account decision trees, IAM roles, individual resource level policies, etc. – to get a simple, accurate view of access privileges for all data stores. Enforce the principle of least privilege to reduce access for users and roles to the minimum level required.

3. Evaluate Existing Security Measures

• Review Policies and Procedures: Examine current security policies, procedures, and practices to ensure they align with best practices and regulatory requirements.
• Assess Technical Controls: Evaluate the effectiveness of technical controls, such as firewalls, encryption, access controls, and intrusion detection systems.
• Address Risk Priorities: Combining the risk assessment measures described above tells you how much data you have at what level of risk, which is a measure you can track over time and drive down by addressing the highest-priority risks to the most valuable data.

4. Conduct Security Audits and Penetration Testing

• Perform Security Audits: Regularly conduct internal and external security audits to identify gaps in security controls and compliance with standards. DSPM tools should automate audits against the leading compliance frameworks, like NIST-CSF, CIS, HIPAA, and GDPR, and generate reports showing which controls are failing so that issues can be addressed.
• Penetration Testing: Penetration tests that simulate real-world attacks and identify weaknesses in the system that could be exploited by attackers give additional insights into security posture.

5. Analyze Security Incidents and Logs

• Review Security Logs: Analyze security logs and events to detect any suspicious activities or patterns that could indicate potential security incidents.
• Incident Response Analysis: Evaluate past security incidents to understand their causes, impacts, and the effectiveness of the response. Measure the number, types and severities of issues found and benchmark your progress in addressing critical issues.

6. Implement Continuous Monitoring and Improvement

• Continuous Monitoring: Implement continuous monitoring of security controls and systems to detect and respond to threats in real time. DSPM tools can be used to identify and report anomalous activity in real time, so that your response team can investigate and address issues.
• Regular Updates and Patching: Ensure that all software, systems, and security tools are regularly updated and patched to protect against known vulnerabilities.
• Ongoing Training and Awareness: Conduct regular training and awareness programs for employees to ensure they understand security policies and recognize potential security threats.