Security, being an inherently defensive practice, can be difficult to measure. Security is intangible: it is about the absence of something. You don’t know that you prevented an attack just because it hasn’t happened. This means people’s relationship to their security is often binary, and everything is fine until it isn’t: hacked or not hacked; data safely inside or leaked out. So, how do you answer the question “are we secure?”
At Cadency we like to talk about the ‘bar’.
Your security bar is not a quantitative measurement; it is an objective assessment by your engineering team of how well you would withstand an attack. The most important part is always to be raising it. Attacks change, infrastructures change and development tools change, so your security will always need to be in a constant state of tuning and improving.
When a good security engineer sees an environment for the first time, they will likely start to pull it apart, working through how they could break it. Running an exercise like this is a good way to establish your bar. First, how easy is it for an external attacker to get a foothold in your network? The reality is that it is quite easy; this is where the defence starts. Would you be able to detect it happening? How easy would it then be for the attacker to move around your network without being detected? Are your networks segmented? Where is your most valuable data, and what is the bar to access it? How high is the bar for an attacker to use their foothold and rip through your environment, and how can you slow them down?
Cadency was founded on the belief that engineering, not checklists or expensive appliances, is how you improve your security. We believe the best way to be secure is for an engineering team to always be raising its security bar. We understand that the reality for most companies is that they start small and grow quickly: they build things that were never meant to last, with small teams who need to deliver quickly. Infrastructure evolves and is iterated on, and we don’t tend to throw out the old unless it is absolutely necessary. Work will always need to be done to improve the existing infrastructure, and work will always need to be done to keep up with change. This is where you need to raise the bar.
Originally published on the Cadency blog