惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hugging Face - Blog
Hugging Face - Blog
Microsoft Azure Blog
Microsoft Azure Blog
月光博客
月光博客
S
Securelist
J
Java Code Geeks
Recorded Future
Recorded Future
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
M
MIT News - Artificial intelligence
S
Secure Thoughts
Y
Y Combinator Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
D
Docker
Martin Fowler
Martin Fowler
The Last Watchdog
The Last Watchdog
WordPress大学
WordPress大学
The GitHub Blog
The GitHub Blog
Vercel News
Vercel News
O
OpenAI News
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园_首页
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
PCI Perspectives
PCI Perspectives
N
News and Events Feed by Topic
H
Heimdal Security Blog
SecWiki News
SecWiki News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - 【当耐特】
T
Troy Hunt's Blog
L
LINUX DO - 最新话题
Hacker News: Ask HN
Hacker News: Ask HN
Hacker News - Newest:
Hacker News - Newest: "LLM"
N
Netflix TechBlog - Medium
A
Arctic Wolf
The Hacker News
The Hacker News
I
Intezer
S
Schneier on Security
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Apple Machine Learning Research
Apple Machine Learning Research
L
Lohrmann on Cybersecurity
宝玉的分享
宝玉的分享
P
Privacy & Cybersecurity Law Blog
Stack Overflow Blog
Stack Overflow Blog
T
Tor Project blog
小众软件
小众软件
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
Jina AI
Jina AI

Search Security Resources and Information from TechTarget

How to operationalize threat modeling with AI | TechTarget CISO First fully agentic ransomware attack sparks readiness concerns | TechTarget Evaluating secure enterprise browsers vs. security plugins | TechTarget The AI vulnerability storm is here: Is your security program ready? | TechTarget Perimeter to posture: A roadmap to zero trust maturity | TechTarget TLS certificate lifetime changes: What CISOs must do now | TechTarget The agentic AI 8 key aspects of a mobile device security audit program | TechTarget Why mobile security audits are important in the enterprise | TechTarget Beyond the perimeter: The shift to data-centric protection | TechTarget How agentic AI threat intelligence aids NGO cyber defense: Case study | TechTarget How to conduct a mobile app security audit | TechTarget NO FAKES Act advances: What CISOs need to know | TechTarget What CISOs should know about AI runtime security | TechTarget As Q-Day looms, 90% of systems are unprepared for PQC | TechTarget A CISO Most security pros say their culture is Zscaler lays out its vision to secure the AI era at Zenith Live | TechTarget The OpenClaw security risks every CISO needs to know | TechTarget Cloud security metrics and KPIs: A CISO Florida public sector training on SimSpace cyber range: Case study | TechTarget Reporters' Notebook — Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security It's time to update incident response for the AI era How to build AI security guardrails without blocking innovation The prosecution gap: Why cybercrimes go unpunished AI in cyberdefense: Learning from threat actors' playbooks Top identity and access management risks CISO role changes as cyber-risk appetites in the C-suite grow CISO's guide to data minimization Researchers build autonomous AI worm that can reason and adapt How to secure data at rest, in use and in motion How to find cyber-risk data sources for a FAIR analysis Lost in translation: Cybersecurity board reporting for CISOs How to prepare security controls for future AI regulations EO 14390 raises stakes for enterprise cybersecurity First month of Mythos Preview testing exposes 10K flaws OT attacks shift from recon to physical control, raising stakes For CISOs, dawn of OpenAI Daybreak brings good and bad news Gartner Security & Risk Management Summit 2026: Adapting for AI | TechTarget Inside business email compromise attacks: Real-world examples Verizon 2026 DBIR: 6 key takeaways for CISOs Identity security for AI agents: The proliferation challenge How to build a business impact analysis checklist Taking care of business: The CISO's role in a cyber crisis What CISOs need to know about AI audit logs SOC vs. MDR: What CISOs need to consider Instructure cyberattack reignites ransom payment debate Transform SIEM rules with behavior-based threat detection CISO's guide: How to test an incident response plan How to implement zero trust for AI Data after the breach: Economics of the dark web The breakup: Why CISOs are decoupling data from their SIEMs | TechTarget News brief: Security worries and warnings as AI use expands 5 leading enterprise password managers to consider Claude Mythos changes the AI security threat matrix Buyer 6 things to check in your cyber insurance policy fine print How cyber insurance helped with breach recovery -- or not News brief: Critical infrastructure, OT cybersecurity attacks Tape's strategic role in modern data protection Top zero-trust use cases in the enterprise What every CISO should consider before a SIEM migration CISO's guide to centralized vs. federated security models Shadow code: The hidden threat for enterprise IT How to fix cybersecurity's agentic AI identity crisis 5 top SIEM use cases in the enterprise Top 8 e-signature software providers for 2026 How do digital signatures work? News brief: AI woes continue for security leaders Deepfake era demands proof-based security, not just awareness Is SOAR dead or alive? Sort of The push for digital sovereignty: What CISOs need to know Beyond awareness: Human risk management metrics for CISOs Cybersecurity in the age of AI means bigger, faster threats At RSAC 2026, AI optimism and anxiety -- and an MIA U.S. government Inside the SOC that secured RSAC 2026 Conference How to roll out an enterprise passkey deployment How to improve the SOC analyst experience -- and why it matters How contact centers detect and prevent fraud News brief: Iranian cyberattacks target U.S. water, energy CISO checklist: Cybersecurity platform or marketing ploy? RSAC 2026 Conference: Key news and industry analysis | TechTarget Next-generation firewall buyer's guide for CISOs Contact center monitoring best practices for CX leaders RSAC 2026: Cyber insurance and the rise of ransomware Agentic AI's role in amplifying and creating insider risks RSAC 2026 recap: AI security and network security trends Identity security at RSAC 2026: The new enterprise dynamics Meaningful metrics demonstrate the value of cyber-resiliency What to know about red team testing and the law News brief: Iran cyberattacks escalate, U.S. targets named 5 top SOC-as-a-service providers and how to evaluate them Cloud security architecture: Enterprise cloud blueprint for CISOs Contact center compliance checklist for modern workforces How AI caught a malicious North Korean insider at Exabeam Watch your words: Tim Brown's advice for CISOs News brief: U.S. absence at RSAC sparks leadership concerns Network security management challenges and best practices 10 enterprise secure remote access best practices
How to construct an effective security controls evaluation
Ed Moyle · 2026-05-08 · via Search Security Resources and Information from TechTarget

Some CISOs believe their security controls are sufficient, but reach that conclusion without any method for measuring their effectiveness. There's a much better way.

I once received an ad from a company that promised to lower home energy costs by conducting a free energy audit. The audit, it said, could be done over the phone -- no home visit -- and would require absolutely "zero questions asked" -- i.e., about our current energy use, heating and cooling systems, insulation or anything else.

It struck me as objectively ridiculous. How can you reach a fact-based, evidence-driven conclusion without at least measuring something?

I bring this up because I see CISOs promising something similar with their security strategies. Namely, they say they can manage their security controls in the absence of important contextual knowledge, without information about control efficacy -- let alone efficiency -- and, in some cases, without any operational performance data at all. Yet, just like the information-free "energy audit," this approach undermines decision-making. Missing information means we pay more for an outcome that diminishes our control, makes no impact on reducing risk and yields poorer security overall.

By contrast, better measurement reduces risk. Contextualized performance information helps us understand how well controls perform relative to each other, which in turn makes investments more efficient and improves how we manage and operate those controls.

Let's take a look at how to better measure security controls, how to use the data collected to best effect and why a security controls evaluation matters in the first place.

Multiple angles of security control evaluation

To start, it's important to realize there are multiple dimensions, or vantage points, from which to measure controls. And there are countless ways to measure control performance. The three I've found most helpful to measure are:

  1. Effectiveness. Does the control work?
  2. Maturity. How reliable is the process supporting the control?
  3. Efficiency. How does the control perform economically?

The first area is perhaps the easiest to intuitively understand. Effectiveness assesses how well the control performs at its intended task. Is it implemented? Does it work? Is it appropriately scoped? Does it cover the portions of the environment we need it to?

If you were to conduct a compliance audit against a set of controls -- for example, something like the controls in ISO/IEC 27001:2022 Annex A, NIST Special Publication 800-53 or specific controls required by a regulatory framework such as PCI DSS -- this is the lens that would magnify most of the evaluation. In addition to measuring whether the control exists or not, though -- as you would for a regulatory compliance audit, for example -- you also want to account for how well it performs. The specifics of this will vary based on the individual control. Some systems might involve comparing rates of false/true positives versus false/true negatives; others might measure remediated versus unremediated issues, for example, quarantined malware versus unquarantined.

The second dimension is the maturity of the implementation or processes that support the control's operation. Different processes -- even those designed to achieve the same or similar outcomes -- can have different levels of maturity. Consider two separate approaches to a single task -- for example, change management. One company might use a disorganized process for oversight, while another uses a well-documented, quantitatively measured one. Even if these processes perform equivalently, the more mature process has advantages that the less mature one does not -- for example, resilience to adverse events such as personnel attrition or process failure. This leads to, in aggregate, more predictable security outcomes.

How might you measure maturity? There are whole frameworks devoted specifically to this. For example, the Capability Maturity Model defines five levels of maturity:

  1. Initial. Unpredictable, ad-hoc, reactive process.
  2. Managed. Planned with controlled requirements.
  3. Defined. Process documented and standardized.
  4. Quantitatively managed. Quantitative measurements -- i.e., metrics -- manage process.
  5. Optimizing. Continuous improvement loop in place.

The last dimension is efficiency -- more specifically, economic efficiency. As with maturity, how a company implements a control will yield different economic characteristics.

Once again, it's helpful to compare two implementations side by side. Take data discovery as an example. One company might use a software tool to find and flag files containing sensitive data, while another might pay hundreds of consultants to manually review individual files. Granted, no sane security program would use this second method. But this extreme example illustrates unambiguously that economic performance is not the same even if both approaches are equally effective and mature.

Indeed, the economic disparities are stark, ranging from initial startup costs and monthly and annual fees to Capex/Opex composition and total operating costs. To understand the economics of control performance, then, you need to understand and document each one. How? A useful starting point is the budget -- i.e., the actual hard dollars spent on any services or products involved in delivering a control both year 1 and year n costs. Extend this to factor in soft costs -- e.g., head count required to support, staff time, etc. -- as well as any other required financial outlays, such as data center, compute, storage, bandwidth, etc. Ultimately, the goal is to calculate the control's total cost of ownership (TCO) and use this as the unit cost in final risk/cost assessments.

Putting it all together

The next step in a security controls evaluation is to bring the information together. An approach I've used is to correlate these dimensions with quantitative risk scoring. This enables you to view controls through the lens of the amount of risk reduced -- quantitatively expressed -- per dollar invested, or, as security metrics guru Pete Lindstrom terms it, "risk reduced per unit cost."

This is valuable for a couple of reasons. First, it helps find underperforming controls and, once found, helps justify rescoping, realignment or even removal. If the idea of removing a control sounds scary or heretical, I get it. Security is, after all, a probabilistic discipline. Scenarios can arise where a legacy control -- even one that hasn't provided much value in years -- is precisely what would have prevented an attack.

In this context, opportunity cost is what you could have done instead with resources you invest in a given control. Unless you have an infinite budget -- and who does -- every investment comes at the cost of other measures you could have done but didn't.

But it's not realistic to keep every control around forever. One argument is opportunity cost: the second reason a risk/cost approach is valuable. In this context, opportunity cost is what you could have done instead with resources you invest in a given control. Unless you have an infinite budget -- and who does -- every investment comes at the cost of other measures you could have done but didn't.

Say an organization has an old legacy control offering little value in the current environment -- for example, a modem wardialer. For most organizations and barring exceptional circumstances such as industrial control networks, remote substation facilities, etc., a control like this provides negligible value in modern ecosystems. But consider how else the organization could invest those same resources. Container scanning? Secrets management? Cloud security posture management? A large language model gateway? These represent choices you could have made but didn't because the resources were already engaged.

Each of the three dimensions I covered earlier helps build your analysis. Effectiveness helps inform risk mitigation and, coupled with a quantitative risk modeling approach, can help you understand likelihood in a risk calculation. Likewise, maturity helps you understand impacts: lower maturity controls are less resilient, thereby increasing impact. Economic analysis helps you understand potential loss, opportunity cost and control selection.

Just as no reasonable person would accept an energy audit conducted without any actual data collection, security leaders shouldn't attempt to conduct a security controls evaluation without proper measurement. Yet, many enterprise security strategies do exactly this. They make decisions about control investments without understanding effectiveness, maturity or efficiency. That results in unnecessary risk and wasted resources.

The solution is straightforward: Evaluate controls by measuring their effectiveness -- does the control work as intended and cover what it needs to; their maturity -- how resilient and predictable are the processes supporting the control; and their efficiency -- what's the TCO.

When you bring these dimensions together, you can calculate, articulate and defend what truly matters: risk reduced per dollar invested. This gives you the ammunition to identify underperforming controls worth removing, leads you to better risk-based decision making  and reveals opportunity costs -- the better security investments you could make -- with those same resources. In short, measurement is the key to building a performance program that reduces risk efficiently.

Ed Moyle is a technical writer with more than 25 years of experience in information security. He is a partner at SecurityCurve, a consulting, research and education company.

Dig Deeper on Security operations and management