

Black Hat 2018

Everything CISO and Cybersecurity During Black Hat 2018

Black Hat celebrated its 21st anniversary this year, bringing together over 15,000 cybersecurity professionals to learn and network in Las Vegas. At the Cavirin booth, people flooded in to get their “Got CyberPosture” t-shirt and learn how the Cavirin CyberPosture Intelligence platform provides “credit-like” scoring with actionable insights, helping enterprises align their security resources to more effectively address pressing cyber-attack threats in their hybrid environments (multi-cloud, containers, and on-premise).

Additionally, BrightTALK was at the heart of the action, streaming live panel sessions and engaging in conversations with some of the world's top security leaders. These panels offer a collaborative atmosphere, enhanced by speaker presentations and insights. Cavirin’s CSO, Joe Kucic, participated in two of the thought-provoking panels: Key Factors for CISO Success and Managing Your Cyber Risk! If you were unable to join us in Vegas, we highly recommend tuning in to these two panels, available on the BrightTALK website. Here is a little more information about the webinars:

Key Factors for CISO Success was Part 1 of 2 CISO panels during Black Hat. This panel was an in-depth focus on the ever-changing role of the CISO and the factors influencing their success. There was also a focus on why identifying your organization’s security culture matters. With the huge shift to cloud services, CISOs need to recruit, develop, and retain strong security talent. Today’s cyber threats and the introduction of the hybrid cloud are forcing CISOs to build a new arsenal of talent and tools to accommodate its present complexity. Kucic believes that CISOs are beginning to adopt the continuous security model to address the frequency and nature of today’s threats. CISOs are required to know what their level of exposure is across different assets. Further, they must be able to prioritize the remediation actions that help improve the overall security posture of an organization. Taking that data and being able to present it to leadership is key to a CISO’s success. There was lots more great insight from Joe and the other members of the panel: Mark Weatherford (vArmour), Azi Cohen (WhiteSource) and Mark Whitehead (Trustwave).

The second panel that Cavirin’s CSO, Joe Kucic, was featured on was Managing Your Cyber Risk, led by ITSPmagazine and focused on detecting and responding to threats within your organization. This panel was a Q&A based around managing security risk. The key takeaway was that every company has cyber risk, whether they want to acknowledge it or not. Kucic says that “risk management has evolved to be a business enabler, a differentiator if they do it right. It allows companies to move quicker with technologies and go to market faster than their competitors if they look at it the right way and not just as a compliance requirement”. Continuous visibility is important because risks and breaches are ongoing and not just a single occurrence. Finally, he adds that remediation and mitigation are things that companies continue to struggle with today. Both webinars are available on BrightTALK for free! Tune in for the full coverage.

Overall, Cavirin’s participation at Black Hat was awesome due to the relationships built, conversations enjoyed, and insights gained this year. To continue the BH momentum, if you want to see a demo of our CyberPosture Intelligence Platform, email us! We would love to keep the connections going! We might even be able to get you the hot “Got CyberPosture” t-shirt. See you soon.


vote tampering


Looking ahead to this fall’s elections, I won’t dwell on the ‘who’, be it Russia, China, North Korea, or someone closer to home, but some entity, somewhere, will ‘meddle’, and the best we can do is to minimize the impact.

We’ve read that the Russians have moved beyond simple (ok… not so simple) vote tampering, and social networks are old hat. So what can we control?

The very integrity of the data: an assurance that what is stored within the enterprise or in the cloud is unaltered and has not been tampered with. Here is where cloud security comes into play.

Over the past few years, we’ve witnessed way too many instances of data stored in the cloud being compromised, including marketing data, political party data, health records, etc. With the rush to the cloud, pressures from our CFOs, and a bit of groupthink, we’ve become sloppy. The same precautions we’ve taken for our on-premise data centers – access controls, both internal and external, encryption, and even record keeping – some of us have forgotten, with negative impacts that shouldn’t be a surprise. But posting the data across the internet is only the first salvo. Hackers now have the tools to alter the data at rest, and without proper checks in place, the source of truth becomes elusive. But the solution is not difficult, and doesn’t require a string of esoteric certifications. Just common sense.

The public cloud providers offer a number of services designed to monitor your accounts – your controls, services, and applications – while at the same time providing notifications if something is amiss. In parallel, software vendors like Cavirin offer powerful security tools that pick up where the cloud provider leaves off. Cavirin provides real-time visibility and remediation of hybrid infrastructures so that governments can identify gaps in their defenses and take immediate action to more effectively address the pressing threats they face.

As part of making your move to the cloud, understand your exposure and the tools available, both from the CSP and from 3rd parties, to mitigate it. And put in place and execute a plan before moving any critical workloads or data to AWS, Azure, Google Cloud, etc. Looking forward to November, this should serve as a call to action.

In the same way that GDPR forced the privacy issue, and even in the US had a positive impact such as the CCPA in my home state of California, we can take it upon ourselves to make sure that our clouds are in order… are secure and free from tampering. We’re at 90 days, so put in place a plan!


Cybersecurity Scoring Blog Series

This is the second in a five-part blog series designed to help your organization understand and leverage your own cybersecurity scoring posture. The first blog introduced you to CyberPosture Scoring. Over the course of the series, we will present the concept of cybersecurity posture along with a framework and an approach to calculate your overall posture score.

Comparing Cyber Security Posture Scoring to Cyber Security Risk Scoring

When building a cybersecurity program to defend your digital assets, the plan should be developed by assessing three critical aspects:

  • Step One: What assets are you trying to protect? Identifying the systems, applications, data, business processes and end-users that need to be protected.
  • Step Two: What are the risks? Determining, through cyber risk scoring, which assets are left open to cyber-attacks, and the impact of each system going offline and/or leaking data.
  • Step Three: How well are you protected? Documenting the controls in place to protect the assets and the strength of those controls by using CyberPosture scoring.

Many security-mature businesses adequately address Step One, identifying the assets to be protected. And a variety of methods and tools have been around a long time for Step Two, determining the risks. But in our discussions with clients, we find that many have not taken that important Step Three, finding out just how well they are protecting the things that matter to the business by using posture scoring. 

An Overview of Risk Scoring

An important part of going through all three steps is gaining an understanding of how CyberPosture scoring compares to cyber risk scoring. When conducting cyber risk scoring, you analyze what could go wrong. You first take an inventory of your systems, applications, data, business process, and end users (Step One) and the role they play in allowing you to run the business. Then you assess their weaknesses and vulnerabilities:

  • What systems can be hacked and taken offline?
  • What data can be stolen, leaked or changed?
  • Can private information or intellectual property be lost or stolen?

Risk scoring combines the extent of the weakness and the value of the asset. The assessment requires an understanding of the CIA triad (confidentiality, integrity, and availability), which measures the business impact of an asset that’s taken down or experiences a data breach. Those that play a critical role in running the business and lack sufficient cybersecurity mechanisms will score as a high risk. Those that aren’t mission-critical, and those with few weaknesses and/or with limited exposure, will score as a low risk.

Using a scoring system for each asset (which may be as simple as Red-Yellow-Green, or as granular as a scale of 1-100) allows IT to prioritize which risks to address first. By having a risk scoring method and system, IT can also more easily communicate the overall level of risk for assets to the business leaders. This is particularly important when additional resources need to be purchased to address those risks!

Risk Scoring Leads to Posture Scoring

The risk scoring process then drives the compensating security controls that will be deployed to address the vulnerabilities and weaknesses, to reduce their exposure, and to ultimately mitigate the risks. These may be a combination of hardware and software systems as well as corporate policies that govern end-user activities when utilizing company devices. It could even include end-user awareness training to minimize the impact humans can have on the systems, data, and surrounding processes.

After the compensating policies and controls are in place, the cybersecurity posture scoring then comes into play to determine how strong those controls are in mitigating the risks. It’s essentially a reassessment of the IT environment to see how strong it is in defending against potential threats. As with risk scoring, posture scoring can be based on a three-color scheme or a wide-ranging numbered scale.

The leading cybersecurity posture platforms generate results that are comprehensible to personnel with minimal cybersecurity training. The results represent the strengths of the compensating controls in order to adequately drive prioritized action plans for upgrading or replacing inadequate controls.

The scoring results are based on industry-standard cybersecurity frameworks. In addition, they incorporate all the risk signals that an organization is aware of and then compare those risks to the controls in place to mitigate the risks.

Cybersecurity posture scoring can also be integrated with other security management applications. This makes it possible to incorporate risk signals added in the future to ensure your security controls keep pace with new threats.

An On-Going Scoring Process

As your cybersecurity posture score increases, your cybersecurity risk score will decrease. Ideally, you want to find a balance of controls that justifies the investment in hardware and software and returns the required digital-asset protection value. The two-pronged risk/posture scoring process also needs to be conducted on a recurring basis as new business processes are introduced creating more exposure and new cyber threats emerge, creating new risks that current controls cannot mitigate.
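To make the relationship between the two scores concrete, here is a small illustrative model written for this page; it is an added example, not Cavirin’s scoring method or a published framework. It follows the three steps above: an inventoried asset carries CIA impact ratings (Step One), its exposure before controls gives a risk score (Step Two), and the effectiveness of its compensating controls gives a posture score (Step Three). The equal CIA weights, the 1-5 input scales, the rule for combining several controls, and the Red-Yellow-Green thresholds are all assumptions chosen for illustration; the sample assets are constructed, not real data.

```python
"""
Illustrative risk-vs-posture scoring model (added example, not Cavirin's method).

Risk combines the extent of an asset's weakness with the asset's business value
(CIA impact). Posture measures how much of that weakness the deployed controls
remove. Raising posture lowers residual risk; both are reported on a 0-100 scale
and as a Red-Yellow-Green band.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Asset:
    """One inventoried asset (Step One) with its risk inputs and controls."""
    name: str
    confidentiality: int   # business impact if confidentiality is lost, 1-5 (assumed scale)
    integrity: int         # business impact if the data is altered, 1-5
    availability: int      # business impact if the system goes offline, 1-5
    exposure: int          # extent of weakness before any controls, 1-5
    # Effectiveness of each compensating control, 0.0 (useless) to 1.0 (complete).
    controls: List[float] = field(default_factory=list)


def asset_value(asset: Asset) -> float:
    """CIA impact normalised to 0..1 (assumed equal weights for C, I and A)."""
    return (asset.confidentiality + asset.integrity + asset.availability) / 15.0


def posture_score(asset: Asset) -> int:
    """Strength of the deployed controls on a 0-100 scale (Step Three).

    Controls are treated as independent layers: each removes its share of
    whatever exposure the earlier layers left behind (assumed combination rule).
    """
    residual = 1.0
    for effectiveness in asset.controls:
        residual *= 1.0 - effectiveness
    return round(100 * (1.0 - residual))


def risk_score(asset: Asset) -> int:
    """Residual risk on a 0-100 scale (Step Two, re-run once controls exist).

    value x weakness x (share of the weakness the controls do not cover).
    With no controls the score is driven by exposure and asset value alone.
    """
    weakness = asset.exposure / 5.0
    uncovered = 1.0 - posture_score(asset) / 100.0
    return round(100 * asset_value(asset) * weakness * uncovered)


def rag_band(score: int) -> str:
    """Map a 0-100 score onto the Red-Yellow-Green scheme (assumed thresholds)."""
    if score >= 60:
        return "Red"
    if score >= 30:
        return "Yellow"
    return "Green"


def prioritise(assets: List[Asset]) -> List[Asset]:
    """Order assets so the highest residual risk is addressed first."""
    return sorted(assets, key=risk_score, reverse=True)


# Constructed sample inventory (not real data). The same database is scored
# before and after two compensating controls are deployed.
VOTER_DB_BEFORE = Asset("voter-roll-db", 5, 5, 4, exposure=4)
VOTER_DB_AFTER = Asset("voter-roll-db", 5, 5, 4, exposure=4,
                       controls=[0.6, 0.5])  # e.g. encryption at rest, MFA on admin access
MARKETING_SITE = Asset("marketing-site", 1, 3, 3, exposure=3, controls=[0.5])

if __name__ == "__main__":
    print("Before controls:", risk_score(VOTER_DB_BEFORE), rag_band(risk_score(VOTER_DB_BEFORE)))
    for asset in prioritise([MARKETING_SITE, VOTER_DB_AFTER]):
        risk = risk_score(asset)
        print(f"{asset.name:15} posture={posture_score(asset):3d} risk={risk:3d} ({rag_band(risk)})")
```

Running the block shows the voter database at a risk score of 75 (Red) with no controls, dropping to 15 (Green) once the two controls bring its posture score to 80, while the lower-value marketing site sits at 14 with a posture of 50. The same inputs re-scored whenever a control, a business process, or a new threat changes are what make this a recurring process rather than a one-off assessment.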

In the blogs that follow, we will present the basic elements of a posture scoring framework, how cyber security posture scoring works, and how to get started with scoring your cybersecurity posture, including what you need to do to prepare before you can start scoring.

In the meantime, should you have any questions or need help generating a cyber security posture score for your organization, visit or contact Cavirin to speak with one of our security posture scoring professionals.



Cybersecurity Scoring Blog Series

To help your organization understand and leverage a cybersecurity scoring posture as part of your overall information security management program, this first post in the five-part blog series is the jump-start you need. Over the course of the series, we will present the concept of a cybersecurity posture along with a framework and an approach to calculate your overall posture score.

  1. Introduction to CyberPosture Scoring
  2. Cybersecurity Posture Scoring vs Risk Scoring

Cyber Security Posture Scoring: How Strong Are Your Controls?

For many years, security frameworks have presented a common methodology for assessing cybersecurity risks. Recently, frameworks have begun to emerge as a way to also assess an organization’s cybersecurity posture—a measurement of the strength of the deployed controls that are meant to protect the digital infrastructure. 

One way to understand the difference between a risk assessment and a posture assessment is to consider the case of a major city located on the coastline. A risk assessment can identify the extent to which the city harbor is susceptible to storm surges and flooding. In reaction to that assessment, the city might choose to install offshore barriers. 

A posture assessment would then measure just how effective those barriers are in defending against potential storm surges and floods. The stronger the barriers, the lower the risk becomes in future assessments.

The Key Attributes of a Cyber Posture Scoring Platform

While generating an overall cyber security posture score is important, the platform you utilize should also include attributes that allow you to put that score to good use. This includes making the results comprehensible to personnel with minimal cybersecurity training. The results must also be meaningful and represent the strengths of the risk controls in order to adequately drive prioritized action plans, starting at the board and executive level and working down to the security operations center and the security analysts.

The scoring results provided by the leading cybersecurity scoring platforms are based on industry-standard cybersecurity frameworks. They are also comprehensive—incorporating all the risk signals that the organization is aware of, and then comparing those risks to the controls in place to mitigate the risks. 

Leading solutions also provide extensibility to integrate cybersecurity posture scoring with other security management applications. In addition, you can incorporate risk signals added in the future to ensure your security controls keep pace with new threats.

The Benefits of Cyber Posture Scoring

While risk assessments are meant to help you lower your risk score, control assessments are meant to help you raise your cyber posture score. The higher the number, the better your security posture. By applying cyber posture scoring, organizations reap several benefits:

  • Measures the efficacy of the information security and compliance programs for the enterprise.
  • Creates a better understanding of the security and compliance posture, and how to address important concerns.
  • Compares internal security and compliance controls against the most common threats.
  • Produces a benchmark to compare security performance against industry peers and competitors.
  • Facilitates communication of cybersecurity reports with executives by explaining security program effectiveness within the business context.
  • Provides additional guidance to help reduce and mitigate cybersecurity risk.
  • Generates machine learning insights to enable proactive measures against risk-inducing behaviors.

In the blogs that follow, we will compare and contrast posture assessments vs. risk assessments, the basic elements of a posture scoring framework, how cyber security posture scoring works, and how to get started with scoring your cybersecurity posture—including what you need to do before you can start scoring. 

In the meantime, should you have any questions or need help generating a cyber security posture score for your organization, visit or contact Cavirin to speak with one of our security posture scoring professionals.







Instituting Solid Security Standards in Tough Times

The modern Chief Information Security Officer (CISO) faces myriad challenges as he or she strives to protect company data, meet regulatory requirements, and spread security awareness. Their mission to institute solid security standards is often hampered by a lack of readily available talent and a limited budget.

It’s a difficult, often thankless task, but resourceful CISOs with the right strategy, support, and tools can prevail. 


A Varied Role

The lack of a common, widely agreed upon definition of a CISO’s job muddies the waters considerably. The first wave of CISOs were often tasked with defining the role as they worked and there are still major differences in the responsibilities bestowed by different organizations.

First and foremost is the need to manage security and protect data, but many CISOs are also now expected to help build security into the infrastructure and train the workforce to be vigilant.

With the mass adoption of cloud services and the proliferation of complex hybrid environments, exacerbated by the rise of the IoT, the virtual office, and shadow IT, CISOs really have their work cut out for them. A difficult job that requires synergy with various departments is fast becoming more difficult.

CISOs must recognize potential threats and evangelize for the security cause to secure the budgets and cooperation they need to be successful.


Spreading Awareness

As cloud adoption continues to gather pace and organizations look for safe ways to migrate vast amounts of data, some security risk is inevitable. Perhaps the single greatest action CISOs can take to combat and mitigate that threat is to train the workforce and advance security awareness. After all, Gartner suggests that through 2022, at least 95 percent of cloud security failures will be the customer’s fault.

CISOs must develop a set of policies that enumerate precisely what action employees need to take when an incident occurs, whether it’s a suspected breach, a malware infection, or something else. Embrace the reality that people make mistakes and focus on how to deal with errors to swiftly correct them and minimize their potential impact.

Every employee should regularly complete a constantly evolving security training program that reflects the latest threats. It’s not enough to tick the completion box and move on; employees also need to be tested to ensure they are following policies. When people fail, further training is required.


Providing Proper Support

When CISOs were asked about their concerns for this year by the Ponemon Institute, most of them named “lack of competent in-house staff” as their primary worry. There’s a dearth of experienced security professionals, and this often leads to people being promoted from unrelated departments and training up on the job. Mistakes are the inevitable consequence.

To help support these security fledglings, CISOs can deploy supportive tools and software that offer an accessible overview of their organization’s cyber posture. (Know your CyberPosture Score.) Automated alerts that highlight potential security issues, alongside clear advice on how to meet security standards and adhere to regulatory requirements, can elevate the performance of inexperienced employees. By conducting a full analysis of an organization’s security posture, compared with the necessary compliance considerations, best practices, and the latest benchmarks, CISOs can identify gaps in their defenses. This allows them to laser-focus limited resources in the right places.

It’s crucial to bolster novice security teams with configurable software tuned to the required security standards. To effectively safeguard business-critical data, CISOs need the right strategy coupled with the right tools.


New Generation Companies

IT has changed from driving the bottom line to driving the top line for enterprises. Most new applications are developed and built using the DevOps model. This movement was driven by new generation companies such as Google, Facebook, LinkedIn, Pinterest, Twitter, etc.: places where open collaboration is key and more contributors are encouraged. In addition to changing the business landscape, these companies also built the next set of tools for big data, cloud, AI/machine learning and containers. Most of these technologies are open source, which means the demand is rising for companies to get on board. There has been tremendous growth in recruitment activity among organizations that want to boost their open source technology presence. Hiring open source talent was a priority for 83 percent of hiring managers, an increase from 76 percent in 2017. Additionally, containers have been growing rapidly in popularity, with 57 percent of hiring managers seeking container expertise (up from 27 percent in 2017). Overall, we are now entering the scale of massive adoption across the business landscape, which drives the need for open source talent.

DevOps and Security Hiring


What are some steps companies and job candidates can take to benefit from this data?

Time to market is key. In the current business landscape, the speed of innovation has gone up dramatically with this new generation of open source tools. Companies need to recognize that they need in-house talent with the right set of expertise for their chosen toolset. Community-based technology fuels big data, both structured and unstructured, which in turn calls for innovative data-management and storage solutions. Both DevOps and SecOps must respond with an “open-source first” approach when it comes to deploying new software and security infrastructure. Almost any business that plans to survive wants motivated, creative people. They need a talent pool that’s more agile. They need the right mix of enterprise-grade folks who know what it takes to build enterprise-grade applications: secure, highly available, and robust. The newer generation of fast learners who can pick up the new toolset and drive innovation, with security, for the business is in high demand.

How can people who are interested in a career in open source enter the field?

Jump into the pool with both feet. There are tons of amazing technologies available in the market to choose from. Pick the technology area that’s most aligned with your interest. Study it inside and out and become an expert in the field. Participate in and contribute to free and open source software (aka FOSS). These projects can offer a variety of learning opportunities, and they can even help you start to build a portfolio of your work for prospective employers. Another strategy is to learn how to make the best use of today's powerful open source technologies. Most of these technologies are new (a handful of years old), so it comes down to an individual’s attitude and aptitude to become the expert in the field, command top dollar from prospective enterprises for their talent, and deliver results to their employers.






© 2018 Cavirin Systems, Inc. All rights reserved.