

vote tampering


Looking ahead to this fall’s elections, I won’t dwell on the ‘who’, be it Russia, China, North Korea, or someone closer to home, but some entity, somewhere, will ‘meddle’, and the best we can do is to minimize the impact.

We’ve read that the Russians have moved beyond simple (ok… not so simple) vote tampering, and social networks are old hat. So what can we control?

The very integrity of the data: an assurance that what is stored within the enterprise or in the cloud is unaltered and has not been tampered with. Here is where cloud security comes into play.

Over the past few years, we’ve witnessed far too many instances of data stored in the cloud being compromised, including marketing data, political party data, health records, and more. With the rush to the cloud, pressure from our CFOs, and a bit of groupthink, we’ve become sloppy. The same precautions we took for our on-premises data centers (access controls, both internal and external, encryption, and even record keeping) some of us have forgotten, with negative impacts that shouldn’t be a surprise. But posting the data across the internet is only the first salvo. Attackers now have the tools to alter data at rest, and without proper checks in place, the source of truth becomes elusive. The solution, however, is not difficult and doesn’t require a string of esoteric certifications. Just common sense.

The public cloud providers offer a number of services designed to monitor your accounts (your controls, services, and applications) while at the same time providing notifications if something is amiss. In parallel, software vendors like Cavirin offer security tools that pick up where the cloud provider leaves off. Cavirin provides real-time visibility and remediation of hybrid infrastructures so that governments can identify gaps in their defenses and take immediate action to address the pressing threats they face.

As part of making your move to the cloud, understand your exposure and the tools available, both from the CSP and from third parties, to mitigate it. Put a plan in place, and execute it, before moving any critical workloads or data to AWS, Azure, Google Cloud, etc. Looking forward to November, this should serve as a call to action.

In the same way that GDPR forced the privacy issue, and even in the US had a positive impact such as the CCPA in my home state of California, we can take it upon ourselves to make sure that our clouds are in order… secure and free from tampering. We’re at 90 days, so put a plan in place!


Cybersecurity Scoring Blog Series

This is the second in a five-part blog series designed to help your organization understand and leverage your own cybersecurity scoring posture; the first blog introduced you to CyberPosture Scoring. Over the course of the series, we will present the concept of cybersecurity posture along with a framework and an approach to calculate your overall posture score.

Comparing Cyber Security Posture Scoring to Cyber Security Risk Scoring

When building a cybersecurity program to defend your digital assets, the plan should be developed by assessing three critical aspects:

  • Step One: What assets are you trying to protect? Identify the systems, applications, data, business processes and end-users that need to be protected.
  • Step Two: What are the risks? Determine, through cyber risk scoring, which assets are left open to cyber-attacks, and the impact of each system going offline and/or leaking data.
  • Step Three: How well are you protected? Document the controls in place to protect the assets and the strength of those controls by using CyberPosture scoring.

Many security-mature businesses adequately address Step One, identifying the assets to be protected. A variety of methods and tools have long been available for Step Two, determining the risks. But in our discussions with clients, we find that many have not taken that important Step Three: finding out, by using posture scoring, just how well they are protecting the things that matter to the business.

An Overview of Risk Scoring

An important part of going through all three steps is gaining an understanding of how CyberPosture scoring compares to cyber risk scoring. When conducting cyber risk scoring, you analyze what could go wrong. You first take an inventory of your systems, applications, data, business processes, and end users (Step One) and the role they play in allowing you to run the business. Then you assess their weaknesses and vulnerabilities:

  • What systems can be hacked and taken offline?
  • What data can be stolen, leaked or changed?
  • Can private information or intellectual property be lost or stolen?

Risk scoring combines the extent of the weakness and the value of the asset. The assessment requires an understanding of the CIA triad (confidentiality, integrity, and availability), which measures the business impact of an asset that’s taken down or experiences a data breach. Those that play a critical role in running the business and lack sufficient cybersecurity mechanisms will score as a high risk. Those that aren’t mission-critical, and those with few weaknesses and/or with limited exposure, will score as a low risk.

Using a scoring system for each asset (which may be as simple as Red-Yellow-Green, or as granular as a 1-100 scale) allows IT to prioritize which risks to address first. By having a risk scoring method and system, IT can also more easily communicate the overall level of risk for assets to the business leaders. This is particularly important when additional resources need to be purchased to address those risks.

Risk Scoring Leads to Posture Scoring

The risk scoring process then drives the compensating security controls that will be deployed to address the vulnerabilities and weaknesses, to reduce their exposure, and to ultimately mitigate the risks. These may be a combination of hardware and software systems as well as corporate policies that govern end-user activities when utilizing company devices. It could even include end-user awareness training to minimize the impact humans can have on the systems, data, and surrounding processes.

After the compensating policies and controls are in place, the cybersecurity posture scoring then comes into play to determine how strong those controls are in mitigating the risks. It’s essentially a reassessment of the IT environment to see how strong it is in defending against potential threats. As with risk scoring, posture scoring can be based on a three-color scheme or a wide-ranging numbered scale.

The leading cybersecurity posture platforms generate results that are comprehensible to personnel with minimal cybersecurity training. The results represent the strengths of the compensating controls in order to adequately drive prioritized action plans for upgrading or replacing inadequate controls.

The scoring results are based on industry-standard cybersecurity frameworks. In addition, they incorporate all the risk signals that an organization is aware of and then compare those risks to the controls in place to mitigate the risks.

Cybersecurity posture scoring can also be integrated with other security management applications. This makes it possible to incorporate risk signals added in the future to ensure your security controls keep pace with new threats.

An On-Going Scoring Process

As your cybersecurity posture score increases, your cybersecurity risk score will decrease. Ideally, you want to find a balance of controls that justifies the investment in hardware and software and returns the required digital-asset protection value. The two-pronged risk/posture scoring process also needs to be conducted on a recurring basis as new business processes are introduced creating more exposure and new cyber threats emerge, creating new risks that current controls cannot mitigate.
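To make the risk-versus-posture relationship in this series concrete, here is an added illustrative model in Python. It is not Cavirin's scoring algorithm; the 1-5 CIA ratings, the 0-100 exposure and control-strength scales, the weightings, the Red-Yellow-Green thresholds, and the sample inventory are all assumptions constructed for the example. It derives an asset's value from the CIA triad (Step One), a risk score from value and exposure (Step Two), a posture score from control strength (Step Three), and then rescores after controls are strengthened to show the risk score falling as the posture score rises.

```python
# Added illustrative model, not Cavirin's algorithm: all scales and weights are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    confidentiality: int  # business impact if disclosed, 1 (low) .. 5 (critical)
    integrity: int        # business impact if altered
    availability: int     # business impact if taken offline
    exposure: int         # extent of weakness, 0 (none) .. 100 (wide open)
    controls: Dict[str, int] = field(default_factory=dict)  # control -> strength 0..100


def asset_value(a: Asset) -> int:
    """Step One: business value of the asset, 0..100, derived from the CIA triad."""
    return (a.confidentiality + a.integrity + a.availability) * 100 // 15


def posture_score(a: Asset) -> int:
    """Step Three: how strong the compensating controls are, 0..100 (no controls -> 0)."""
    if not a.controls:
        return 0
    return sum(a.controls.values()) // len(a.controls)


def risk_score(a: Asset) -> int:
    """Step Two: asset value x weakness, reduced by the controls that mitigate it, 0..100."""
    residual_exposure = a.exposure * (100 - posture_score(a))  # 0..10000
    return asset_value(a) * residual_exposure // 10000


def risk_band(score: int) -> str:
    return "Red" if score >= 70 else "Yellow" if score >= 40 else "Green"


def posture_band(score: int) -> str:
    return "Green" if score >= 70 else "Yellow" if score >= 40 else "Red"


def prioritize(assets: List[Asset]) -> List[Tuple[str, int, str]]:
    """Highest risk first, so IT knows which exposure to address before the others."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.name, risk_score(a), risk_band(risk_score(a))) for a in ranked]


def reassess(a: Asset, upgrades: Dict[str, int]) -> Tuple[int, int]:
    """Apply new or strengthened controls and rescore; returns (posture, risk)."""
    a.controls.update(upgrades)
    return posture_score(a), risk_score(a)


# Constructed sample inventory for the example (not real data).
INVENTORY = [
    Asset("voter-db", 5, 5, 5, exposure=90,
          controls={"access_control": 20, "audit_logging": 10, "encryption_at_rest": 30}),
    Asset("hr-records", 5, 3, 2, exposure=80,
          controls={"access_control": 30, "encryption_at_rest": 10}),
    Asset("marketing-site", 1, 2, 3, exposure=60,
          controls={"waf": 70, "patching": 50}),
]

if __name__ == "__main__":
    for name, risk, band in prioritize(INVENTORY):
        print(f"{name:15} risk={risk:3} ({band})")
    db = INVENTORY[0]
    before = (posture_score(db), risk_score(db))
    after = reassess(db, {"access_control": 90, "audit_logging": 90,
                          "encryption_at_rest": 90, "mfa": 90})
    print("voter-db (posture, risk) before:", before, "after:", after)
```

Because the scoring is a function of the inventory and its controls, re-running it after each change in business processes or controls is the recurring reassessment the text describes.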

In the blogs that follow, we will present the basic elements of a posture scoring framework, how cyber security posture scoring works, and how to get started with scoring your cybersecurity posture, including what you need to do to prepare before you can start scoring.

In the meantime, should you have any questions or need help generating a cyber security posture score for your organization, visit or contact Cavirin to speak with one of our security posture scoring professionals.



Cybersecurity Scoring Blog Series

To help your organization understand and leverage a cybersecurity scoring posture as part of your overall information security management program, this first post in the five-part blog series gives you the jump-start you need. Over the course of the series, we will present the concept of a cybersecurity posture along with a framework and an approach to calculate your overall posture score.

  1. Introduction to CyberPosture Scoring
  2. Cybersecurity Posture Scoring vs Risk Scoring

Cyber Security Posture Scoring: How Strong Are Your Controls?

For many years, security frameworks have presented a common methodology for assessing cybersecurity risks. Recently, frameworks have begun to emerge as a way to also assess an organization’s cybersecurity posture—a measurement of the strength of the deployed controls that are meant to protect the digital infrastructure. 

One way to understand the difference between a risk assessment and a posture assessment is to consider the case of a major city located on the coastline. A risk assessment can identify the extent to which the city harbor is susceptible to storm surges and flooding. In reaction to that assessment, the city might choose to install offshore barriers. 

A posture assessment would then measure just how effective those barriers are in defending against potential storm surges and floods. The stronger the barriers, the lower the risk becomes in future assessments.

The Key Attributes of a Cyber Posture Scoring Platform

While generating an overall cyber security posture score is important, the platform you utilize should also include attributes that allow you to put that score to good use. This includes making the results comprehensible to personnel with minimal cybersecurity training. The results must also be meaningful and represent the strengths of the risk controls in order to adequately drive prioritized action plans, starting at the board and executive level and working their way down to the security operations center and the security analysts.

The scoring results provided by the leading cybersecurity scoring platforms are based on industry-standard cybersecurity frameworks. They are also comprehensive—incorporating all the risk signals that the organization is aware of, and then comparing those risks to the controls in place to mitigate the risks. 

Leading solutions also provide extensibility to integrate cybersecurity posture scoring with other security management applications. In addition, you can incorporate risk signals added in the future to ensure your security controls keep pace with new threats.

The Benefits of Cyber Posture Scoring

While risk assessments are meant to help you lower your risk score, control assessments are meant to help you raise your cyber posture score. The higher the number, the better your security posture. By applying cyber posture scoring, organizations reap several benefits:

  • Measures the efficacy of the information security and compliance programs for the enterprise.
  • Creates a better understanding of the security and compliance posture, and how to address important concerns.
  • Compares internal security and compliance controls against the most common threats.
  • Produces a benchmark to compare security performance against industry peers and competitors.
  • Facilitates communication of cybersecurity reports with executives by explaining security program effectiveness within the business context.
  • Provides additional guidance to help reduce and mitigate cybersecurity risk.
  • Generates machine learning insights to enable proactive measures against risk-inducing behaviors.

In the blogs that follow, we will compare and contrast posture assessments vs. risk assessments, the basic elements of a posture scoring framework, how cyber security posture scoring works, and how to get started with scoring your cybersecurity posture—including what you need to do before you can start scoring. 

In the meantime, should you have any questions or need help generating a cyber security posture score for your organization, visit or contact Cavirin to speak with one of our security posture scoring professionals.





ciso challenges 2018


Instituting Solid Security Standards in Tough Times

The modern Chief Information Security Officer (CISO) faces myriad challenges while striving to protect company data, meet regulatory requirements, and spread security awareness. The mission to institute solid security standards is often hampered by a lack of readily available talent and a limited budget.

It’s a difficult, often thankless task, but resourceful CISOs with the right strategy, support, and tools can prevail. 


A Varied Role

The lack of a common, widely agreed upon definition of a CISO’s job muddies the waters considerably. The first wave of CISOs were often tasked with defining the role as they worked and there are still major differences in the responsibilities bestowed by different organizations.

First and foremost is the need to manage security and protect data, but many CISOs are also now expected to help build security into the infrastructure and train the workforce to be vigilant.

With the mass adoption of cloud services and the proliferation of complex hybrid environments, exacerbated by the rise of the IoT, the virtual office, and shadow IT, CISOs really have their work cut out for them. A difficult job that requires synergy with various departments is fast becoming more difficult.

CISOs must recognize potential threats and evangelize for the security cause to secure the budgets and cooperation they need to be successful.


Spreading Awareness

As cloud adoption continues to gather pace and organizations look for safe ways to migrate vast amounts of data, some security risk is inevitable. Perhaps the single greatest action CISOs can take to combat and mitigate that threat is to train the workforce and advance security awareness. After all, Gartner suggests that through 2022, at least 95 percent of cloud security failures will be the customer’s fault.

CISOs must develop a set of policies that enumerate precisely what action employees need to take when an incident occurs, whether it’s a suspected breach, a malware infection, or something else. Embrace the reality that people make mistakes and focus on how to deal with errors to swiftly correct them and minimize their potential impact.

Every employee should regularly complete a constantly evolving security training program that reflects the latest threats. It’s not enough to tick the completion box and move on; employees also need to be tested to ensure they are following policies. When people fail, further training is required.


Providing Proper Support

When CISOs were asked by the Ponemon Institute about their concerns for this year, most of them named “lack of competent in-house staff” as their primary worry. There’s a dearth of experienced security professionals, and this often leads to people being promoted from unrelated departments and trained up on the job. Mistakes are the inevitable consequence.

To help support these security fledglings, CISOs can deploy supportive tools and software that offer an accessible overview of their organization’s cyber posture. (Know your CyberPosture Score.)

Automated alerts that highlight potential security issues, alongside clear advice on how to meet security standards and adhere to regulatory requirements, can elevate the performance of inexperienced employees.

By conducting a full analysis of an organization’s security posture, compared against the necessary compliance considerations, best practices, and the latest benchmarks, CISOs can identify gaps in their defenses. This allows them to focus limited resources in the right places.

It’s crucial to bolster novice security teams with configurable software tuned to the required security standards. To effectively safeguard business-critical data, CISOs need the right strategy coupled with the right tools.


New Generation Companies

IT has changed from driving the bottom line to driving the top line for enterprises. Most of these new applications are developed and built using the DevOps model. This movement was driven by new-generation companies such as Google, Facebook, LinkedIn, Pinterest, and Twitter: places where open collaboration is key and more contributors are encouraged. In addition to changing the business landscape, these companies also built the next set of tools for big data, cloud, AI/machine learning and containers. Most of these technologies are open source, which means the demand is rising for companies to get on board. There has been tremendous growth in recruitment activity among organizations that want to boost their open source technology presence. Hiring open source talent was a priority for 83 percent of hiring managers, an increase from 76 percent in 2017. Additionally, containers have been growing rapidly in popularity, with 57 percent of hiring managers seeking container expertise (up from 27 percent in 2017). Overall, we are now entering the stage of massive adoption across the business landscape, which drives the need for open source talent.

DevOps and Security Hiring

What are some steps companies and job candidates can take to benefit from this data?

Time to market is key. In the current business landscape, the speed of innovation has gone up dramatically with this new generation of open source tools. Companies need to recognize that they need in-house talent with the right set of expertise for their chosen toolset. Community-based technology fuels big structured and unstructured data. This also means innovative data-management and storage solutions. Both DevOps and SecOps must respond with an “open-source first” approach when it comes to deploying new software and security infrastructure. Almost any business that plans to survive wants motivated, creative people. They need a talent pool that’s more agile. They need the right mix of enterprise-grade folks who know what it takes to build enterprise-grade – secure, highly available, and robust applications. The newer generation of fast learners that can pick up the new toolset and drive innovation, with security, for business is in high demand.

How can people who are interested in a career in open source enter the field? 

Jump into the pool with both feet. There are tons of amazing technologies available in the market to choose from. Pick the technology area that’s most aligned with your interests. Study it inside and out and become an expert in the field. Participate in and contribute to free and open source software (aka FOSS). These projects can offer a variety of learning opportunities, and can even help you start to build a portfolio of your work for prospective employers. Another strategy is to learn how to make the best use of today’s powerful open source technologies. Most of these technologies are new (a handful of years old), so it depends on an individual’s attitude and aptitude to become the expert in the field, command top dollar from prospective employers for that talent, and deliver results for them.







A quick listing of some of the articles where Cavirin’s thought leaders were quoted over the last month, spanning the who’s who of security publications and covering stories as diverse as GDPR, cyber insurance, and USB drive vulnerabilities. Note that the citations below do not cover our channel launch. Please go to our website for more.


  • Cyber Insurance, Security and the Enterprise Challenge
  • Reset Your Routers to Avoid Malware Attack, FBI Warns
  • Canadian Banks Warn Data Breach May Have Affected 90,000 Customers
  • Two Canadian Banks Report Potential Data Breach
  • Could GDPR Be the Best Thing That’s Happened to Marketing?
  • Can behavior-based cyber insurance improve cybersecurity?
  • More Data Leaked from AWS Bucket Misconfigurations
  • EU Privacy Activist Targets US with GDPR Rules
  • GDPR is on the books, Google, Facebook face lawsuits, others scramble to comply
  • Amazon Comes Under Fire for Facial Recognition Platform
  • Five Business Drivers For Organizations Moving To The Cloud
  • TeenSafe Data Leak Shows Cloud Security Weaknesses
  • Moving to the Cloud: Too Many Companies, Too Fast?
  • TeenSafe App Exposes Data on More Than 10K Accounts
  • TeenSafe Tracking App Exposes Thousands of Private Records
  • DHS Cybersecurity Strategy Keys in on Risk, Vulnerability Management
  • DHS Publishes New Cybersecurity Strategy
  • Chili's Discloses Data Breach Exposing Payment Card Information
  • IBM's USB Ban Earns Some Praise, Some Skepticism
  • Bolton's Push to Cut Security Post Not Sound
  • Tech Companies Vow Not to Participate in Government-Sponsored Cyberattacks
  • Bolton, team mull eliminating White House cybersecurity coordinator position
  • IT Management: Do Not Panic over GDPR Challenges
  • Adopt The Right Cyber Posture For Your Hybrid Cloud Environment
  • Twitter Advises Users to Change Passwords Following Encryption Failure
  • Tens of Thousands of Malicious Apps Using Facebook APIs



© 2018 Cavirin Systems, Inc. All rights reserved.