Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Outcome vs Output Security Approaches

Outcome vs Output Security Approaches

Kennedy Torkura

October 15, 2023

More Decks by Kennedy Torkura

Other Decks in Technology


  1. An output describes the result of an activity. For example,

    if a music streaming service, such as Spotify, launches a new feature, this is referred to as an output. The output does not yet indicate what added value the user or customer will experience. Definitions An outcome is the actual added value of the output for the target group. To stay with the example of Spotify: Thanks to the newly-released feature, listeners are now able to save their favorite songs more easily. A real added value has been created and the outcome resulted from the output. @run2obtain Source: https://www.workpath.com/magazine/output-vs-outcome
  2. Outcome-based security is an approach to cybersecurity that emphasizes achieving

    specific, measurable results or objectives, rather than simply following a set of predefined processes or using specific tools. In outcome-based security, the primary focus is on the actual impact of security measures on protecting an organization's assets and data. Outcome-Based Security Outcome-based security aims to provide a more holistic and business-aligned approach to cybersecurity, ensuring that security measures are effective in protecting the organization's assets and supporting its overall objectives. @run2obtain
  3. Outcome-Based Security Key Characteristics • Focus on End Results: The

    primary concern is the desired security outcomes, such as reducing the number of successful breaches, minimizing data loss, or maintaining system availability. • Measurable Metrics: It involves using quantifiable metrics to assess the effectiveness of security measures. These metrics are used to track progress towards achieving security goals. • Flexibility in Approach :Outcome-based security allows for flexibility in choosing security measures and strategies. It encourages organizations to adopt the most effective solutions for their specific context. • Risk Management-Oriented: It often takes a risk-oriented approach, focusing resources on protecting against the most significant threats and vulnerabilities that could have a major impact on the organization. @run2obtain
  4. Outcome-Based Security Key Characteristics • Continuous Improvement: The emphasis is

    on ongoing monitoring, analysis, and improvement of security measures to ensure they remain effective over time. This may involve adapting strategies as the threat landscape evolves. • Alignment with Business Objectives: Aligns with broader organizational goals and objectives, demonstrating how security measures contribute to the overall success of the business. • Adaptability to Emerging Threats: Acknowledges that the cybersecurity landscape is constantly changing. As new threats emerge, the focus shifts to address these evolving risks. @run2obtain
  5. Examples of output-based security measures include: installing and configuring a

    specific number of firewalls across the organization's network, conducting quarterly security training sessions for all employees to raise awareness about cybersecurity best practices. Output-Based Security Output-based security is an approach to cybersecurity that places emphasis on the specific activities, processes, and tools used to secure an organization's information technology environment. In this approach, the focus is on ensuring that established security protocols and measures are in place and functioning as intended. @run2obtain
  6. Output-Based Security Key Characteristics • Focus on Security Practices: The

    primary concern is on the tasks, activities, and technologies that are employed to secure the organization's systems, networks, and data. • Measurable Outputs: It involves quantifiable outputs or deliverables, such as the installation of firewalls, regular security training sessions, or the implementation of access controls. • Compliance-Driven: Output-based security is often aligned with industry best practices and regulatory requirements. It aims to ensure that the organization is adhering to established security standards. • Less Flexibility in Methods: It may be less flexible in terms of the methods used, as it often adheres to specific industry standards and recommended practices. @run2obtain
  7. Output-Based Security Key Characteristics • Adherence to Compliance Requirements: It

    ensures that the organization meets the compliance requirements stipulated by relevant industry regulations or standards (e.g., PCI DSS, HIPAA, ISO 27001). • Verification of Implemented Controls: It involves verifying that the security controls and measures that have been prescribed are in place and functioning effectively. • Documentation and Reporting: Output-based security often requires detailed documentation of security measures, as well as regular reporting on compliance and adherence to security protocols. @run2obtain
  8. Outcome-Based vs Output-Based Example with a CSPM Outcome-based Security Objective:

    Achieve a 50% reduction in high-risk misconfigurations within the cloud environment over the next quarter. This objective provides a clear, measurable target that aligns with the organization's goal of enhancing the security of its cloud environment. It also demonstrates the value and effectiveness of using a CSPM tool in achieving this outcome. Output-based Security Measure: Perform a weekly vulnerability scan on all cloud assets using the CSPM tool. This measure ensures that a specific security task is carried out consistently and that it aligns with industry best practices. It provides a clear, tangible action that contributes to the overall security of the cloud environment. Relevance: This objective is directly relevant to the use of a CSPM tool. The tool's primary function is to identify and help remediate misconfigurations, making it an essential component of achieving this outcome. Documentation: It implies the need to document the results of these scans, which is crucial for keeping a record of vulnerabilities discovered and actions taken. Risk Reduction: By targeting high-risk misconfigurations, the organization is focusing on reducing vulnerabilities that could potentially lead to significant security incidents. Compliance Assurance: Regular vulnerability scans align with best practices for security and compliance, ensuring that the organization is meeting industry standards. Continuous Improvement: Achieving this outcome requires ongoing monitoring and improvement efforts. It's not a one-time fix but an ongoing process of identifying and addressing misconfigurations. Risk Mitigation: By conducting these scans, the organization is actively working to identify and address vulnerabilities, reducing the likelihood of successful attacks. @run2obtain
  9. Outcome-Based vs Output-Based Example with a CSPM Outcome-based Security Output-based

    Security Target Metric: The specific metric being targeted is the reduction in high-risk misconfigurations. High-risk misconfigurations often represent significant security vulnerabilities, so reducing them is a critical security goal. Specific Task: The measure specifies a specific action that needs to be taken - conducting a weekly vulnerability scan. Measurable Goal: The objective is to achieve a 50% reduction. This means that by the end of the quarter, the organization aims to have half as many high-risk misconfigurations as at the start. Frequency: It outlines the frequency at which this task should be performed - on a weekly basis. This ensures regular and consistent security checks. Time Frame: This outcome-based objective is set over a specific time frame, which is the next quarter. This provides a clear deadline for achieving the goal. Tool Utilization: This measure explicitly mentions the use of the CSPM tool, emphasizing its role in the security process. @run2obtain
  10. Balancing Outcome-Based vs. Output-Based The Balancing Act Define clear objectives

    Align with business goals Use metrics for progress tracking Integrate compliance requirements Prioritize risk management Continuous improvement Incident response planning Maintain flexibility @run2obtain o While output-based security is important for establishing a strong security foundation, it is often complemented by outcome-based security, which focuses on achieving specific security objectives and reducing overall risk. o A balanced approach that incorporates both output and outcome-based measures is imperative for maintaining a robust cybersecurity posture.
  11. Thanks for coming this far ! What are you thoughts?

    @run2obtain https://www.linkedin.com/feed/update/urn:li:activity:7106395422947975168/ Seen my other posts ? https://www.linkedin.com/feed/update/urn:li:activity:7044716108204920832/ Share your thoughts and follow me for more interesting content !