
Understanding Conflicting Third-Party Security Assessments

Research reports from Enterprise Strategy Group, a division of TechTarget, reveal that organizations value outside advice, including analyst recommendations and independent third-party test reports. Yet external testing often includes conflicting results, so how do security teams sort through these assessments to find the answers that best fit their individual needs?

Too often, security architects come to analyst firms looking for recommendations in the hope that we can share our “favorite” solutions based on all the research we do. We are often asked to recommend specific vendors and security products to meet the needs of individual organizations.

As industry analysts, we have extensive visibility into available security vendors and product suites, including extensive details on specific capabilities, customer experiences, and partnerships. However, we do not have the same level of understanding of the specific strategies and needs – current and future – of individual organizations and their security teams. One thing we do know is that there is no one-size-fits-all solution in the security industry. Here are five reasons:

  1. Each organization has its own unique attack surface to defend. This includes a combination of devices, workloads, SaaS applications, partners, locations, and networks.
  2. Security managers develop specific, individual strategies in support of their organization’s security objectives.
  3. Risk posture and tolerance vary widely from organization to organization, regardless of size, industry and skill set.
  4. Resources and skills vary widely from organization to organization, as do staffing models associated with security operations.
  5. The growth trajectories of different organizations impact scale and reach requirements, driving some to focus more on openness, while others focus more on convergence and reducing complexity.

Despite the best efforts of industry analyst firms and other third-party testing organizations, few can make accurate predictions about which security options suit the specific needs of individual organizations. In my alternate life, I play in a classic rock band, so I’ll use a hokey analogy to take stock. The famous song “Looking for Love in All the Wrong Places” reminds us that, whatever others might find or think is a perfect fit, when it comes to finding love, people have their own personalities, quirks, expectations, goals and lifestyle. Careful attention to all of these individualized needs ultimately leads to finding true love. Maybe a little oversimplified – OK, not that finding love is easy – but finding the right security solution provider requires careful attention to the specific needs, goals and strategies within each organization.

MITRE ATT&CK Framework Earns Industry Trust

Most organizations do agree on one common requirement: threat prevention and detection. Despite the variations above, the ability to uncover malicious activity and map that activity to known threats is a common part of the equation. This is probably why the MITRE ATT&CK framework and the MITRE ATT&CK evaluations have earned recognition and respect as the industry’s most trusted assessment of detection capability, making a MITRE evaluation result the king of the castle when it comes to proving effectiveness. ESG research helps confirm that organizations that understand, embrace and adopt the MITRE ATT&CK framework perform better than those that do not.

My recommendation is to continue to use third-party assessments wherever possible, but do so in the context of your organization’s needs, goals, and strategies. Select the assessments that provide specific information to support your unique situation. Don’t look for love in the wrong places; instead, take the time to be diligent about finding the best security solution for your specific organization.