What is security posture?

9 December 2024

Authors

James Holdsworth

Content Writer

Matthew Kosinski

Enterprise Technology Writer

Security posture, or “cybersecurity posture,” is an indicator of an organization’s security status. The strength of a security posture is determined by the security controls and security policies that an organization implements to protect its data, digital assets and customers from security threats.

According to the IBM Cost of a Data Breach Report, the average cost of a data breach globally is USD 4.88 million. A strong overall security posture helps limit both the likelihood and the cost of such breaches by improving an organization's readiness to detect, respond to and recover from threats.

To attain a strong security posture, organizations deploy interlocking, targeted security controls to protect multiple aspects of their IT ecosystems, including data, cloud and identity security.

The more effective an organization’s controls are for detecting threats, closing vulnerabilities, stopping attacks and mitigating damage, the stronger its security posture is.

Types of security posture

An organization’s security posture represents its overall cybersecurity strength. Within this overarching category, organizations use different tools and techniques to protect different parts of their IT ecosystems. Some of the most prominent types or subfields of security posture include:

  • Data security posture
  • Cloud security posture
  • Identity security posture

Data security posture

Data security posture focuses on protecting sensitive data by preventing unauthorized access or by detecting and blocking suspicious behaviors. These suspicious behaviors can be from authorized or unauthorized users, application programming interfaces (APIs), Internet of Things (IoT) devices, malware, phishing attacks, ransomware or other sources.

As organizations adopt new technologies such as cloud-native development, artificial intelligence (AI) and machine learning (ML), data security risks and vulnerabilities—including third-party risk—can multiply. Continually adding new technologies to digital systems can complicate data security management and might put organizations at risk of data breaches and regulatory compliance violations.

Data security posture management (DSPM) tools identify sensitive data across multiple cloud environments and services, assessing its vulnerability to security threats and assisting with regulatory compliance. DSPM provides insights and automation that help security teams quickly address data security and compliance issues and prevent their recurrence.

Instead of securing the devices, systems and applications that house, move or process data, DSPM often focuses on protecting the data directly. DSPM complements the other solutions in an organization’s security technology stack, including information security (InfoSec) solutions.
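To make the DSPM discovery step concrete, the following Python is an added example written for this edit, not IBM's code or any vendor's product logic. It scans a small constructed inventory of data stores for e-mail addresses, US Social Security numbers and payment card numbers, applies a Luhn check so that digit runs which merely look like card numbers are not reported, and then ranks each store by the sensitivity of what it holds combined with how exposed it is (publicly reachable, unencrypted at rest). The store names, records and flags are invented for the example.

```python
import re

# Constructed sample inventory: three hypothetical data stores. Names, records
# and the public/encrypted flags are invented for this example.
SAMPLE_STORES = [
    {"name": "crm-prod-db", "encrypted": True, "public": False,
     "records": ["alice@example.com", "order 4417", "4111 1111 1111 1111"]},
    {"name": "analytics-export-bucket", "encrypted": False, "public": True,
     "records": ["bob@example.com", "123-45-6789", "4111111111111112"]},
    {"name": "build-cache", "encrypted": False, "public": False,
     "records": ["artifact-7f3a", "version 2.1"]},
]

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes (candidate card numbers).
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Higher number = more sensitive; used to rank stores.
SEVERITY = {"pan": 3, "ssn": 3, "email": 1}


def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_record(text):
    """Return the set of sensitive data types found in one record."""
    kinds = set()
    if EMAIL_RE.search(text):
        kinds.add("email")
    if SSN_RE.search(text):
        kinds.add("ssn")
    for match in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", match.group())):
            kinds.add("pan")
    return kinds


def assess_stores(stores):
    """Classify every store, attach its exposure issues and rank by priority."""
    findings = []
    for store in stores:
        kinds = set()
        for record in store["records"]:
            kinds |= classify_record(record)
        if not kinds:
            continue  # no sensitive data found: nothing to prioritise
        sensitivity = max(SEVERITY[k] for k in kinds)
        issues = []
        if store["public"]:
            issues.append("publicly reachable")
        if not store["encrypted"]:
            issues.append("not encrypted at rest")
        findings.append({
            "store": store["name"],
            "data_types": sorted(kinds),
            "sensitivity": sensitivity,
            "issues": issues,
            # sensitivity scaled by how many exposure issues compound it
            "priority": sensitivity * (1 + len(issues)),
        })
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    for finding in assess_stores(SAMPLE_STORES):
        print(f"[{finding['priority']}] {finding['store']}: "
              f"{', '.join(finding['data_types'])}; issues: {finding['issues'] or 'none'}")
```

Run as a script, the public, unencrypted export bucket that holds an SSN is listed first and the internal, encrypted CRM database last; the build cache, which holds nothing sensitive, is omitted. The Luhn check is what keeps the 16-digit value in the export bucket from being reported as a card number, which is the kind of false positive that makes unfiltered pattern matching noisy in practice.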

Cloud security posture

As organizations adopt multicloud (services from multiple cloud service providers) and hybrid cloud (combining public cloud and private cloud infrastructure) configurations, their attack surfaces grow. Cloud security posture focuses on shrinking the attack surface by protecting cloud environments.

Without proper security measures, cloud infrastructure can be highly susceptible to security incidents. According to the Cost of a Data Breach Report, 40% of all breaches involve data distributed across multiple environments, such as private clouds, public clouds and on premises.

Cloud applications can include hundreds or thousands of microservices, serverless functions, containers and Kubernetes clusters. With each new connection, it becomes easier to introduce, replicate and perpetuate misconfigurations that leave data and applications exposed to cyberthreats.

Cloud security posture management (CSPM) tools can automate and streamline the identification and remediation of misconfigurations and cybersecurity risks across hybrid cloud and multicloud environments and services—including infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).
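The misconfiguration checks that CSPM tools automate can be illustrated with a minimal rule engine. The following Python is an added example written for this edit, not IBM's code or any cloud provider's tooling. It walks a constructed inventory of generic cloud resources, flags patterns that CSPM products commonly look for (administrative ports open to the whole internet, buckets that are public without being on an exceptions list, storage without encryption at rest, internet-reachable databases) and returns findings ordered by severity, each with a suggested remediation. The resource IDs, the generic field names and the INTENDED_PUBLIC allowlist are assumptions for the example.

```python
import ipaddress

# Constructed inventory of hypothetical cloud resources; IDs and settings are
# invented and use generic field names rather than any one provider's schema.
SAMPLE_RESOURCES = [
    {"type": "security_group", "id": "sg-web", "ingress": [
        {"port": 443, "cidr": "0.0.0.0/0"},
        {"port": 22, "cidr": "0.0.0.0/0"},
    ]},
    {"type": "security_group", "id": "sg-db", "ingress": [
        {"port": 5432, "cidr": "10.0.0.0/8"},
    ]},
    {"type": "bucket", "id": "public-site-assets",
     "public_read": True, "encrypted": True, "versioning": True},
    {"type": "bucket", "id": "customer-exports",
     "public_read": True, "encrypted": False, "versioning": False},
    {"type": "database", "id": "orders-db",
     "publicly_accessible": True, "encrypted": False},
]

# Ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
# Documented exceptions: buckets that are meant to be public (constructed allowlist).
INTENDED_PUBLIC = {"public-site-assets"}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(res):
    findings = []
    for rule in res["ingress"]:
        if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
            findings.append(("HIGH",
                             f"{ADMIN_PORTS[rule['port']]} (port {rule['port']}) open to {rule['cidr']}",
                             f"restrict port {rule['port']} to a bastion or VPN CIDR"))
    return findings


def check_bucket(res):
    findings = []
    if res["public_read"] and res["id"] not in INTENDED_PUBLIC:
        findings.append(("HIGH", "bucket allows public read",
                         "remove the public ACL and enable public access blocking"))
    if not res["encrypted"]:
        findings.append(("MEDIUM", "no default encryption", "enable server-side encryption"))
    if not res["versioning"]:
        findings.append(("LOW", "versioning disabled",
                         "enable versioning so deleted or overwritten objects can be recovered"))
    return findings


def check_database(res):
    findings = []
    if res["publicly_accessible"]:
        findings.append(("HIGH", "database reachable from the internet",
                         "disable public access and reach it through a private subnet"))
    if not res["encrypted"]:
        findings.append(("MEDIUM", "storage not encrypted at rest", "enable encryption at rest"))
    return findings


CHECKS = {"security_group": check_security_group, "bucket": check_bucket, "database": check_database}


def evaluate(resources):
    """Run every applicable check; return findings ordered by severity, then resource ID."""
    report = []
    for res in resources:
        for severity, issue, remediation in CHECKS[res["type"]](res):
            report.append({"resource": res["id"], "severity": severity,
                           "issue": issue, "remediation": remediation})
    return sorted(report, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["resource"]))


def summarize(report):
    """Count findings per severity, for a posture dashboard or a trend over time."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for finding in report:
        counts[finding["severity"]] += 1
    return counts


if __name__ == "__main__":
    findings = evaluate(SAMPLE_RESOURCES)
    for f in findings:
        print(f"{f['severity']:6} {f['resource']}: {f['issue']} -> {f['remediation']}")
    print(summarize(findings))
```

Two details matter more than the rule list itself. The world-open test parses the CIDR rather than string-matching "0.0.0.0/0", so an IPv6 any-address rule is caught too, and the allowlist makes intended exposure explicit, which is what keeps a posture score from being dominated by known, accepted exceptions.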

Identity security posture

Identity security posture focuses on detecting and remediating identity misconfigurations and visibility gaps. This function is critical to an organization’s overall security posture, especially as identity has become the new perimeter and a key pillar of cybersecurity.

Many traditional security measures focused on enforcing access controls at the network perimeter. However, the network perimeter has become less relevant to network security with the adoption of cloud computing, software as a service (SaaS) and hybrid workplaces. In this new landscape, full visibility and control of the activities of both human and machine identities are key to mitigating cyberthreats.

The IBM Threat Intelligence Index Report shows that identity attacks, wherein threat actors hijack valid identities to break into a network, have become the leading attack vectors. The report found a 71% increase in valid identities used in cyberattacks year-over-year. This is despite significant investments in infrastructure security and identity access and vulnerability management solutions.

Today, cybercriminals don’t just hack in. Many log in by exploiting misconfigurations and visibility gaps. An identity misconfiguration occurs when identity infrastructure, systems and access controls are not configured correctly. Visibility gaps are risks that might be overlooked by an organization’s existing identity controls, leaving undetected vulnerabilities that threat actors might exploit.

Identity and access management tools and comprehensive identity orchestration solutions can help organizations protect accounts and thwart the abuse of valid privileges. 

Key components of security posture

Strong security postures arise from strong security programs. Comprehensive security programs typically include these components.

  • Asset inventory
  • Governance
  • Security controls
  • Incident response plans
  • Training
  • Continual improvement

Asset inventory

To protect IT systems and data, an organization needs a full inventory of its assets: what they are, where they are, how they’re vulnerable and how risks can be mitigated. This inventory helps define the attack surface to be defended and the controls this surface requires.

Governance

Governance refers to frameworks and processes that help organizations ensure the appropriate use of IT systems and comply with relevant laws and regulations.

Governance processes often focus on controlling access to and the use of company assets, such as personally identifiable information (PII), financial data, proprietary systems or trade secrets. Access levels are often determined based on the relative sensitivity of the data and an individual’s need-to-know. Users typically only have access to the assets that they need, at the right permission levels, to do their jobs.

Organizations in certain locations or industries might also need to adhere to specific regulatory frameworks, such as the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS) or the California Consumer Privacy Act (CCPA). Violations of these regulatory requirements might result in costly government fines and public backlash.

Governance, risk and compliance (GRC) automation can help strengthen and speed up ongoing governance tasks. Organizations can also adopt specific governance and risk management frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).

Security controls

A comprehensive security architecture incorporates various complementary security tools to protect against all manner of attacks, including phishing and social engineering, ransomware, distributed denial of service (DDoS) attacks, insider threats and others.

Many enterprise-grade security solutions provide a high degree of automation and continuously scan sensitive data and assets wherever they might exist. Automated, continuous monitoring helps organizations track resources and discover and respond to threats in real time.

Incident response plans

An incident response plan (IRP) defines the steps that an organization takes to counter attacks in progress. These plans outline the roles and responsibilities of security team members, the tools they should use and the tasks they must complete to eradicate threats.

When running an IRP, security teams often rely on security solutions that run risk assessments, provide real-time reporting and have dashboards that help them prioritize potential risks according to severity. These solutions might also provide step-by-step remediation instructions or prebuilt incident response playbooks that streamline threat resolution.

Some solutions can automatically modify system settings or apply new controls and patches to harden systems and better protect against ongoing attacks.

Training

Employees, stakeholders and other users are often the weak link in security. Regular security awareness training can help strengthen an organization’s ability to fend off threats by familiarizing all users with governance requirements and security best practices.

Continual improvement

The threat landscape is always changing. To stay on top of the latest risks and maintain cyber resilience, organizations regularly review security metrics, assess security performance, conduct penetration testing and run complete security posture assessments.

These measures help organizations identify risks and develop ways to thwart new attacks. This enables a process of continual improvement, where organizations update their security programs to better respond to evolving threats.

Security posture risks and challenges

The ever-growing variety of attacks and ever-expanding enterprise attack surfaces can make it difficult to craft adequate security strategies and harm organizational security posture.

In particular, organizations might need to consider how the following concerns might affect security posture.

  • Artificial intelligence (AI)
  • Identity and access management challenges
  • Shadow IT

Artificial intelligence

AI can be used to launch cyberattacks, and the data used to train AI models is itself a tempting target for breaches.

For instance, large language models (LLMs) can help attackers create more personalized and sophisticated phishing attacks. Because AI systems are relatively new, they also give threat actors new avenues of attack, such as supply chain attacks on models and training data and adversarial attacks on model inputs.

The answer might be more AI, rather than less. According to the Cost of a Data Breach Report, organizations that deploy security AI and automation across their security operations centers can boost system security and save costs.

When these measures were deployed extensively across prevention workflows—attack surface management (ASM), red-teaming and posture management—organizations averaged USD 2.2 million less in breach costs compared to those with no AI use in prevention workflows. This finding was the largest cost savings revealed in the report.

Identity and access management (IAM) challenges

Identity is a key pillar of cybersecurity today. However, the complexities of managing the identities and access permissions of various users in distributed workforces across hybrid and multicloud environments can be a source of significant security risks.

  • Misconfigurations: If not configured correctly, IAM controls can be bypassed by resourceful admins or threat actors, significantly reducing the protection they provide.

  • Forgotten service accounts: A service account is designed to help perform actions such as running applications, automating services and making authorized API calls. As such, these accounts typically have elevated system privileges. If inactive service accounts are not properly retired, attackers can use them to gain unauthorized access.

  • Inappropriate entitlements: Overentitlement, also known as “overpermissioning,” grants users greater data access privileges or permissions than they need to do their jobs. These elevated privileges can easily be abused. Conversely, in an effort to protect sensitive data, organizations might grant users overly restrictive permissions, which can prevent them from doing their jobs effectively.

  • Password hygiene: Organizations allowing weak or common passwords make it easy for hackers to break into accounts through simple guessing or brute force attacks.

Shadow IT

Shadow IT refers to IT assets—such as apps, devices and data—used on an enterprise network without the IT department’s approval, knowledge or oversight. Because these IT assets are unmanaged, they are more likely to contain unmitigated vulnerabilities that hackers can exploit.

Shadow IT comes in many forms, including:

  • Shadow access: Shadow access is when a user retains unmanaged access using a local account to an application or service for convenience or to speed troubleshooting.
  • Shadow assets: Shadow assets are applications, devices or services that are unknown to IT teams and systems. This makes enforcing security measures such as access controls, user authentication and compliance checks more challenging.
  • Shadow data: Shadow data includes datasets and data stores that are not managed by IT and security teams. As organizations expand data access to more users who have less understanding of proper data security and governance, the risk of shadow data increases. The rise of cloud systems also makes it easier for users to transfer sensitive data to unauthorized, personal data stores.
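The identity checks described under "Identity security posture", the IAM challenges list (forgotten service accounts, inappropriate entitlements) and the shadow access bullet above can all be expressed as one review over an identity inventory. The following Python is an added example written for this edit, not IBM's code or any IAM product's logic. It flags service accounts that hold privileged permissions but have been idle past a dormancy threshold, lists granted permissions that were never exercised in the review window with the privileged ones first, and reports local accounts that are not managed by the identity provider. The accounts, permissions, dates and the PRIVILEGED set are invented; the 90-day window and the fixed reference date are assumptions that a real review would replace with its own policy and the current date.

```python
from datetime import date

TODAY = date(2024, 12, 9)   # fixed reference date so the example is deterministic
DORMANCY_DAYS = 90          # assumed policy: idle longer than this is dormant
# Assumed set of permissions treated as privileged for this example.
PRIVILEGED = {"iam:*", "s3:*", "admin", "kms:Decrypt"}

# Constructed identity inventory; account names, permissions and dates are invented.
SAMPLE_IDENTITIES = [
    {"name": "alice", "kind": "human", "managed": True,
     "granted": {"s3:GetObject", "s3:PutObject", "kms:Decrypt"},
     "used_90d": {"s3:GetObject"}, "last_activity": date(2024, 12, 8)},
    {"name": "svc-ci-deployer", "kind": "service", "managed": True,
     "granted": {"iam:*", "s3:*"}, "used_90d": set(),
     "last_activity": date(2024, 6, 1)},
    {"name": "svc-metrics", "kind": "service", "managed": True,
     "granted": {"cloudwatch:PutMetricData"}, "used_90d": {"cloudwatch:PutMetricData"},
     "last_activity": date(2024, 12, 9)},
    {"name": "dbadmin-local", "kind": "human", "managed": False,
     "granted": {"admin"}, "used_90d": {"admin"},
     "last_activity": date(2024, 11, 30)},
]


def days_idle(acct, today=TODAY):
    return (today - acct["last_activity"]).days


def dormant_privileged_service_accounts(identities, today=TODAY):
    """Service accounts idle past the threshold that still hold a privileged permission."""
    return sorted(a["name"] for a in identities
                  if a["kind"] == "service"
                  and days_idle(a, today) > DORMANCY_DAYS
                  and a["granted"] & PRIVILEGED)


def unused_entitlements(acct):
    """Permissions granted but not exercised in the window; privileged ones first."""
    unused = acct["granted"] - acct["used_90d"]
    return sorted(unused, key=lambda p: (p not in PRIVILEGED, p))


def shadow_access(identities):
    """Accounts that are not managed by the identity provider (local logins)."""
    return sorted(a["name"] for a in identities if not a["managed"])


def posture_report(identities, today=TODAY):
    """(account, finding, remediation) tuples for the three checks above."""
    findings = []
    for name in dormant_privileged_service_accounts(identities, today):
        findings.append((name, "dormant privileged service account",
                         "disable and rotate its credentials; delete after review"))
    for acct in identities:
        unused_priv = [p for p in unused_entitlements(acct) if p in PRIVILEGED]
        if unused_priv:
            findings.append((acct["name"],
                             "unused privileged entitlement: " + ", ".join(unused_priv),
                             "remove it or move it behind just-in-time elevation"))
    for name in shadow_access(identities):
        findings.append((name, "unmanaged local account",
                         "migrate it to the identity provider and disable the local login"))
    return findings


if __name__ == "__main__":
    for account, finding, remediation in posture_report(SAMPLE_IDENTITIES):
        print(f"{account}: {finding} -> {remediation}")
```

The report pairs each finding with an action rather than only a score, which is what makes a posture review actionable: the dormant deployer account is the classic "forgotten service account" from the list above, alice's unused decryption right is an overentitlement, and the local database admin login is shadow access that never passes through the identity provider's controls.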