Security posture management a huge challenge for IT pros

The understanding, management and protection of an organization's IT assets is fundamental to security. But the practice of security hygiene and posture management (SHPM) is immature at many organizations, leaving them vulnerable to cybersecurity attacks, according to a recent survey from TechTarget's Enterprise Strategy Group. The in-depth survey of 383 IT and cybersecurity professionals responsible for SHPM showed that an eye-opening 76% of organizations have experienced a cyberattack due to a mismanaged internet-facing asset.

As attack surfaces grow and threat actors become ever more sophisticated, enterprise efforts to protect IT assets continue to be uncoordinated and overly reliant on niche tools, spreadsheets and manual processes: 73% of ESG survey respondents, for example, report that spreadsheets are a key aspect of their security hygiene and posture management strategy.

In this Q&A, Jon Oltsik, distinguished ESG analyst and co-author of the survey report, "Security Hygiene and Posture Management Remains Decentralized and Complex," explains why this fundamental and resource-intensive discipline continues to be so challenging for IT and security professionals, and he outlines the steps required to improve SHPM.

Editor's note: The following was edited for length and clarity.

How do you define the discipline of security hygiene and posture management?

Jon Oltsik

Jon Oltsik: Generally speaking, it's understanding the IT assets your organization uses, the state of those IT assets and, if they pose a risk, the management of mitigating that risk.

I've been calling it security hygiene and posture management for a number of years now. If I had it to do it again, I would have called it security posture and hygiene management because the posture aspect is sort of an established standard: How should these assets look to be considered secure? Hygiene is the practice of managing that posture to make sure that as people change those assets, which they do, the assets maintain a secure profile.

What was the motivation for doing this survey?

Oltsik: It dovetailed off a survey we did in 2021. At that point my realization was that with digital transformation, with cloud computing, with the increase in remote workers, we could see IT's influence on the business exploding. Security hygiene and posture management is nothing new -- it's a fundamental practice in security. But my thought was, how do you do this at scale when you're increasing the number of assets all the time and those assets are always changing?

Two years later, what did the new survey reveal about the state of security hygiene and posture management?

Oltsik: It's still problematic. It's still a very siloed practice. And there are absolute correlations between security, hygiene and posture management vulnerabilities and cyber attacks.

We do see some improvement because of innovative tooling changes to the organization, a little bit more ability to scale and to analyze data much better due to cloud resources. But it's still a problem, and it's a problem in small organizations and large organizations.

That more than three-quarters of organizations had experienced a cyber attack due to mismanaged IT assets was unsettling. What other survey results grabbed your attention?

Oltsik: A few things stand out. One is that attack surfaces are continuing to grow. The number of assets in general is also growing, and the amount of time it takes to discover, classify and get a good perspective on those assets is incredible -- it takes multiple people, manual tools and a lot of cooperation among the IT and security organization.

All of that is counterproductive when adversaries are using automated tools and understand our environment sometimes better than we do. That's a very dangerous situation and it's not going away.

Given the current reality, what aspects of SHPM present the biggest challenges for IT and cybersecurity pros?

Oltsik: The first challenge is discovering all of the assets that you have. And while that seems like it would be straightforward, typically the assets are managed by different groups using different tools that are maintained sporadically or periodically versus continuously, and your job as a security professional is to go out and gather that data from everywhere that it exists. That's not easy because it may require permissions from different groups. It may require understanding the data format. You might have data integrity issues where two different systems are telling you different things about the same assets, and somehow you have to piece that together. Understanding ownership is a big challenge -- that came out a lot in our qualitative interviews. "I know that there's an asset out there, I know it's vulnerable, and I know it's exposed, but I have no idea who owns it!"

Once you've discovered all these assets -- a typical enterprise will have hundreds of thousands of assets -- it's not like you'll find two or three vulnerable systems. It's more likely you'll find thousands. As a security professional, you can't turn to the IT team and say, "Here are 2,300 vulnerabilities; go fix them" because they have their own agendas. Sometimes systems can't be taken down in the right time frame, so prioritizing which vulnerabilities need to be addressed first is a really difficult thing to do.

If you had to summarize the challenges of security hygiene and posture management in one word, it's scale. If you have thousands of issues to deal with, what do you deal with first and how do you manage that?

Finally, you have to mitigate those risks. And again, that involves coordination across multiple teams and maybe taking down systems. It might mean patching hundreds of systems. Someone -- or usually groups of people -- have to agree on that. They have to collaborate, coordinate and manage the process. So if you had to summarize the challenges in one word, it's scale. If you have thousands of issues to deal with, what do you deal with first and how do you manage that? That's the state of security hygiene and posture management at large.

According to the survey, 91% of organizations said they are automating SHPM processes to some degree. Doesn't automation help? What about the use of AI systems?

Oltsik: There is a role for automation and AI here: automation in terms of tasks like automated discovery, automated classification, and risk scoring -- which is sort of the intersection of automation and AI -- and even automated response and remediation.

In some cases, however, that's sort of the long straw though because typically IT people and security people don't trust letting systems make changes. And certainly anybody who's blocked access to a system on a false positive has learned a lesson they will own up to for a lifetime. But we have to move forward because there's no way that humans can scale to this challenge.

What should organizations do now to move forward on SHPM?

Oltsik: There's an organizational commitment where, for starters, you have to establish basic hygiene. You want users and especially administrators to use either strong passwords, or better yet, multi-factor authentication.

You want to make sure that systems are deployed in a secure configuration. You want to make sure that software is, to the extent that you can, developed using security best practices. So establish a foundation of security by design, secure by default -- security that's baked in versus bolted.

The second thing you have to do is to centralize. That's easier today than it used to be because there are tools that can plug into the APIs of other tools and centralize a lot of this data. The problem there is it really is an enterprise project. What we tend to see is that organizations do this piecemeal. There's some little pain point they address first. And that's OK if you start there, but you have to establish more of a long-term project.

Another thing is we have to understand that we're talking about security or cyber risk management, not compliance, because there's a checkbox mentality for compliance: "Did you do this? Yes, I did. OK, now I can move on because I've been audited." But that's not security because you can make a change the minute after you've been audited and that may be an insecure change.

According to the survey, organizations are somewhat less apt to see security testing as simply a compliance requirement today and more as a vulnerability and hygiene issue. For example, 45% of residents said they do it to reduce the risk of a ransomware attack.

Oltsik: That's right. And that's a good step.

Another positive trend from other research I've done is that the days of the board and the executives being sort of aloof with information security are mostly gone. The boards get it, the executives get it, and they get it because just about every business initiative these days is a technology initiative.

The more people get it, the more the organization develops a security-by-design philosophy. But security hygiene and posture management is a continuous process and has to be treated as such. You can't just scan every month or every quarter. Another thing is you have to be very open-minded about tooling because there's a lot of innovation out there.

We're at a tipping point with cybersecurity because of the pace of change, the scale of what we're doing with technology, the connectivity between an organization's technology -- their partners, their customers. All of this means we really do need to look at problems differently. That's hard to do. Many of the people who manage cybersecurity now grew up in a different era. There's some technical biases, cultural biases and organizational biases they've lived with that I don't believe are applicable anymore. Security hygiene and posture management requires a different kind of mindset, and I don't see that as universally as I'd like to.

How do you want security professionals to read this survey? What are some of the meaningful actions they can take from the data?

Oltsik: They should compare their internal situations to the data to see how they stack up with others. Really important would be to look at the suggestions security professionals made on improving the situation. Maybe there's some creative ideas they hadn't thought of.

Finally, if they have these issues and aren't getting any kind of response from management, maybe this research can help them move the needle. It's third-party research that says this isn't just an individual problem, this is an industry-wide security issue across the globe.

If nothing else, the fact that 76% of organizations have experienced a cyber attack due to an unknown unmanaged or poorly managed asset should tell them that you'd better get to know those assets and manage them well, because otherwise you're vulnerable.