Before making any decision that affects an enterprise, its decision-makers should assess the enterprise's posture: posture of its security, risk exposure, third-party products’ and services’ risk and efficiency, employee efficiency, asset utilization efficiency, vendor and product reputation, etc. Accurate assessment is mandatory for making optimal decisions and avoiding failures.

And yet, the assessors should realize that every assessment of an enterprise’s posture is modeling. It is a modeling because the assessment is NEVER fully realistic, but always an approximation, i.e., an assessment is a model of a real enterprise. Such an approximation can be quite far away from reality, causing enterprise leaders to make wrong decisions, which lead to monetary losses, reputational damages, and security breaches.  It is critical for an assessment/modeling to be as close to reality as possible.

Assessment/Modeling Problem: Not Enough Data or Too Much Data?

Why is every assessment an approximation? At least, for these two main reasons: 1) There are not enough assessment points or 2) There are too many assessment points. This is not a joke or exaggeration, but the truth.

Not Enough Data: There are never enough assessment data classes and data points to assess the enterprise fully. Let us look at these examples: a comprehensive assessment of a security posture requires assessing application security posture, network security posture, data security posture, etc. Detailed assessment of each of those postures brings in more details: For example, assessing application security posture requires conducting application security code analysis, runtime application security analysis, software composition analysis (discovering malicious open-source components), etc. The same is true with other security postures. A deep dive into each posture requires additional analysis, which exponentially increases data classes (i.e., types of the analyzed data, e.g., code security vulnerabilities, OSS component vulnerabilities, runtime configuration vulnerabilities, etc.), which decision makers should consider. Needless to say, the number of data-points (collected instances of each data class) is also increasing exponentially.

The task of collecting data classes is expensive and complex. Practically, the number of data classes collected by the enterprise is not fully sufficient to cover all aspects of an enterprise. Thus, some aspects of the enterprise’s posture are not covered at all or not covered sufficiently. How many data types do we need for the posture analysis? Practically, fewer than we can get!  That makes the assessment an approximation of reality, and often, a quite distant one at that.

Too Much Data: There are too many assessment points that are necessary to capture an enterprise’s posture, therefore enterprise decision makers are lost in the ocean of data classes and data points. Unable to handle such a variety and volume, they use a few out of many, limiting the number of data classes and data points within data classes, thus making arbitrary decisions that often prove to be suboptimal. How many data classes and data points do we need? Ideally one. At most, just a few!

Solving the Dilemma: Too Much Data or Too Little Data?

Finding the balance between these two diametrically opposed approaches – Too Much vs Too Little – is a problem that should be resolved. We argue that the balance could be found if the massive variety of data classes and data points is balanced by a single assessment score, like a FICO score in finance. We mean that enterprises should be collecting a massive variety of data classes covering all enterprises’ aspects yet assessing the posture with a single score. The single score will enable an easy grasp of the enterprise’s posture. At the same time, the score should be composite, allowing decision makers to drill into specific aspects of the enterprise posture.

The score will indicate the trends whether the enterprise’s posture (security, risk, asset utilization, employee efficiency, etc.) is improving or declining. That approach would enable enterprise decision makers to make accurate, optimal, justified decisions regarding the enterprise’s transactions and operations, such as M&A, cost reduction, asset acquisition, and DevSecOps.