As we talk to and work with our customers and prospects it becomes clear that they have critical security questions they know they need to answer. They often just don’t know how to get there, or where to start. These questions come from their managers, boards, clients or regulators and they tend to vary by role, but generally can be grouped as follows:
- What is my enterprise cyber risk profile?
- Which applications contribute the most risk?
- What are the most critical vulnerabilities we are exposed to?
- Are there any obvious trends and patterns of vulnerabilities that we need to be aware of?
- What is the best/fastest way to minimize our risk?
- How quickly can we find and fix vulnerabilities?
Development Manager/Application Stakeholder
- What is the risk profile of my application?
- How does my application compare to others in terms of risk profile?
- How quickly do we find and fix vulnerabilities?
- How efficient are the SAST, SCA and DAST tools we are using?
- What happened over time that affected my risk?
C-suite executives are asking these questions because of new, stronger regulations, and because their boards are now far more engaged in this conversation than ever before. The increase in high-profile data breaches, and the reputational damage these can cause, presents real concerns for leadership. Gartner estimates that by 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually, up from 40% in 2016. This statistic may in fact be conservative: we know that these conversations are sometimes occurring as frequently as quarterly (and frankly, we feel they should).
Regarding “they don’t know how to get there,” another trend we’re seeing from organizations who turn to CYBRIC is that they have tried the do-it-yourself approach of continuous, embedded security. But DIY is not easy, requires a lot of resources, and building and maintaining an extensive, integrated and dynamic platform is not their business’ core competency. This then becomes a “buy” versus “build” conversation.
A Holistic View of Application Security Risk
The enhanced capabilities of the CYBRIC Continuous Application Security Platform streamline and simplify what organizations are trying to build themselves, or know they need to implement. CYBRIC orchestrates and automates code, container and application scans of various components of the stack. We provide a holistic view of the application stack from a security and risk perspective. We collect all vulnerability data, normalize it, deduplicate it and provide visibility via the CYBRIC dashboards into vulnerabilities and risk at different levels:
- Enterprise: aggregated enterprise risk; applications and targets that contribute the most risk; vulnerabilities most exposed; security coverage across the application ecosystem
- Application: application risk; detection and remediation KPIs; correlation of static and dynamic issues; compliance to benchmarks like OWASP Top 10; historical trends in vulnerabilities, detections and remediations
- Target: vulnerability trends and distribution by severity; comparison matrix for understanding the effectiveness of the various scanning tools
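As an added illustration (not CYBRIC's code, and not a description of how their platform is implemented), the following Python sketch shows the normalize, deduplicate and aggregate steps described above, run over constructed findings from hypothetical SAST, SCA and DAST scans; the record fields, severity weights and the dedup key are assumptions.

```python
from collections import defaultdict

# Constructed sample findings, shaped the way different scanners might emit them (not real tool output).
RAW_FINDINGS = [
    {"tool": "sast", "app": "billing", "target": "billing-api", "rule": "CWE-89",
     "file": "db.py", "line": 42, "severity": "high"},
    {"tool": "sast", "app": "billing", "target": "billing-api", "rule": "CWE-89",
     "file": "db.py", "line": 42, "severity": "high"},           # exact duplicate from a re-scan
    {"tool": "dast", "app": "billing", "target": "billing-api", "rule": "CWE-89",
     "url": "/invoice?id=", "severity": "critical"},             # same weakness, seen dynamically
    {"tool": "sca", "app": "billing", "target": "billing-web", "rule": "CVE-PLACEHOLDER-1",
     "package": "libfoo@1.2.3", "severity": "medium"},           # placeholder id, not a real CVE
    {"tool": "sast", "app": "portal", "target": "portal-ui", "rule": "CWE-79",
     "file": "render.js", "line": 7, "severity": "medium"},
    {"tool": "dast", "app": "portal", "target": "portal-ui", "rule": "CWE-79",
     "url": "/search?q=", "severity": "low"},
]

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}  # assumed weighting


def normalize(f):
    """Map a tool-specific record onto one common schema with a location string for dedup."""
    location = f"{f['file']}:{f['line']}" if "file" in f else f.get("url", f.get("package"))
    return {"tool": f["tool"], "app": f["app"], "target": f["target"],
            "rule": f["rule"], "location": location, "severity": f["severity"].lower()}


def deduplicate(findings):
    """Collapse records sharing (target, rule, location); keep the highest-severity copy."""
    unique = {}
    for f in findings:
        key = (f["target"], f["rule"], f["location"])
        if key not in unique or SEVERITY_WEIGHT[f["severity"]] > SEVERITY_WEIGHT[unique[key]["severity"]]:
            unique[key] = f
    return list(unique.values())


def risk_by_level(findings):
    """Weighted risk per target and per application, plus the enterprise-wide total."""
    per_target, per_app = defaultdict(int), defaultdict(int)
    for f in findings:
        per_target[f["target"]] += SEVERITY_WEIGHT[f["severity"]]
        per_app[f["app"]] += SEVERITY_WEIGHT[f["severity"]]
    return {"enterprise": sum(per_app.values()), "applications": dict(per_app), "targets": dict(per_target)}


def correlated_issues(findings):
    """(target, rule) pairs reported by both a static and a dynamic tool: the SAST/DAST correlation."""
    seen = defaultdict(set)
    for f in findings:
        seen[(f["target"], f["rule"])].add(f["tool"])
    return sorted(k for k, tools in seen.items() if {"sast", "dast"} <= tools)
```

Ranking `risk_by_level(...)["applications"]` answers "which applications contribute the most risk", while `correlated_issues` flags weaknesses confirmed by more than one tool class and is run on the normalized list before deduplication so that tool provenance is not lost.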
As you can see, we’ve really thought about the level of insight and information different roles within organizations need, because we are first and foremost security and application development practitioners. We know what questions are being asked from development to the C-suite and board, and have architected our platform to abstract this information into consumable and actionable intelligence. And our customers are validating this. According to Rob Strechay, SVP of Product at Zerto, “CYBRIC gives us full and continuous visibility across our dynamic development landscape and a higher level of confidence in our security posture.” You can read more of the Zerto case study, as well as other customer stories, here.
If you’d like a more in-depth conversation about how the CYBRIC Continuous Application Security Platform can provide you with complete continuous visibility into your application security risk, feel free to reach out.