
As chief information security officer, you’re constantly being pressed to communicate how you’re enabling the business, balancing security risk with business demands, and continuously improving security—not to mention reducing costs, becoming more efficient, and demonstrating return on investments.

If you delve into complex security topics and use jargon foreign to non-technical executive audiences (in other words, talk the typical IT security talk), you’ll lose their interest. We’ve all been in meetings where the presenter missed the mark, and you don’t want to be “that guy” or gal. So how can you accurately depict the state of your organization’s security in a way that everyone can understand? Applying analytics to your attack surface may provide significant help.

Imagine the ability to summarize everything you, your teams and your technologies do to secure your IT infrastructure into a single, meaningful score. If this were possible, it would provide a simple yet powerful way to communicate your organization’s security posture to non-technical executives, board members and other stakeholders. If this score were accurate, and you could add business context to it, you would have an effective way to demonstrate exactly how your security investments enable the business.

The financial industry has a lot of history defining and using this type of analysis. Companies and individuals can be sized up with a single credit score. Financial institutions frequently develop singular scores for rating risk, volatility, comparison with peers, and many other key indicators.

For example, Morningstar, an independent investment research firm, scores investments using a star rating system that relies on many underlying metrics. In the sports world, professional baseball has been experimenting with this idea—a single score that indicates a player’s performance and chance of future success (as seen in the movie Moneyball)—for years.

A single, valid security score may seem impossible. It’s daunting to envision the processes and technologies required to aggregate, normalize and summarize a multitude of factors into a single index, score, or grade—especially given the range of security technologies deployed in most organizations.

At Tripwire, we are working on an innovative, emerging technology called attack surface analytics (ASA). Our goal is to equip CISOs and their security teams with newfound visibility into enterprise attack surface risk, enabling them to communicate the organization’s security posture quickly and understandably, especially to executive audiences.

For more information, check out the whitepaper Understanding Your Attack Surface: The First Step in Risk-based Security Intelligence, and feel free to contact me at

In the next article in this three-article series, we will examine Understanding What Constitutes Your Attack Surface… Stay tuned!


Related Articles:

The Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].


Title image courtesy of ShutterStock