CAASM Should Be an Early Security Investment in Every CISO's Playbook


It's possible to improve your security posture on a shoestring budget. There are a growing number of open source tools for security and compliance, but there are also key areas to invest in at the beginning of a multi-year initiative. Creating a baseline for risk-based decision-making is a prerequisite to scale security, which can include CAASM

“Adherence to the principles of CAASM can establish a secure baseline for security.”

CAASM is a key early investment for security programs because it creates a paved road for security - an idea introduced by Netflix to describe creating a path of least resistance for secure habits. Adherence to the principles of CAASM can establish a secure baseline for security, DevOps, compliance, and leadership teams by creating visibility into the entire ecosystem. Context-rich visibility is the basis for data-driven decision making at all levels of the organization.

CAASM is designed differently

CAASM - pronounced like chasm - is a natural evolution of security principles for asset inventory, CSPM, and other security guidelines in the market today. Unlike these predecessors, however, CAASM is tailored to highly-dynamic modern cloud workloads. It is the first answer for a world of workloads that are much more distributed, immutable, and ephemeral than yesterday's legacy systems.

The vast majority of modern organizations live and die by the principle of "move fast, break things." DevOps adoption is soaring in a world where every company competes on technological speed and agility. CAASM is designed to move as quickly as the release cycles and cloud architecture of the world's fastest organizations, to help security practitioners understand the true impact of fast-emerging anomalies and manage blast radius.

Why CAASM Should Be an Early Investment

Often, security leaders at the helm of a newly-established program are forced to make difficult decisions about controls. Security program resources can be severely constrained, and the cost of external security compliance audits alone are a major investment for many startups and small-to-medium enterprises (SME). It's common for security leaders to invest in some controls with clear intent to replace the technology as soon as it's financially feasible. 

“CAASM is an investment that can yield immediate value as an early investment at cloud-native companies.”

Decisions about how to maximize a security budget by adopting DIY and open source tools should be highly-individualized based on risks. But, CAASM is an investment that can yield immediate value as an early investment at startups, fast-growth organizations or cloud-native companies. 

If you plan to scale up your organization's security function or digital transformation efforts, the framework of CAASM is a key early investment.

1) CAASM Creates Cross-Functional Value

Security is an inherently cross-functional domain, but that does not mean it's simple to drive adoption of a fledgling security initiative. Newly-minted security leaders often struggle to get buy-in from product and engineering teams for administrative security efforts, especially if a new security program requires that developers change the ways they're already working. 

“CAASM can rapidly unify teams around shared security and compliance goals.”

CAASM can rapidly unify teams around shared security and compliance goals by offering distinct value to each team who uses the solution. It can be hard to justify another technology investment, but it's much easier to justify a purchase when it creates a paved path to security for security, product, and leadership. 

Here's a few of the most common ways that CAASM can deliver value to multiple internal teams and quickly:

  • Security teams can automate asset discovery and perform quantitative assessments of attack surface and vulnerabilities.
  • DevOps teams can create alerts for common cloud configurations and remediate anomalies.
  • Governance and compliance specialists can automate heavily-manual efforts to review access or assess critical assets.
  • Business and technology leaders can access real-time risk insights to understand their current risk profiles for stronger decision-making.

2) CAASM Moves Beyond Visibility and Gives Context

Visibility is a prerequisite for security, but visibility is not necessarily the goal of a security program. Instead, security practitioners should strive for observability. 

Visibility, to paraphrase Joe Vadakkan in DARKReading, can be achieved in many different ways such as "monitoring systems, networks, applications, performance, through-point, or several-point solutions and aggregating that data." Any given point solution for cloud security can create visibility, but a point system doesn't create ecosystem-wide observability. 

CAASM enables the correlation and analysis of data from multiple sources. Contextually-rich CAASM tools allow practitioners to create an active practice of data mining to be more proactive and thoughtful in their decisions. 

CAASM allows security functions to create context immediately and make decisions based on rich metadata that reveals configuration changes, blast radius, and the criticality of assets - even based on the sheer attributes of assets. CAASM helps security practitioners see and understand emerging patterns before they spiral into disaster.

Context should be the vision for any security program, since context is connected to continuous improvement.

3) CAASM Creates a Continuous Security Practice

Many approaches to both asset and attack surface management have been manual, time-consuming, and prone to human error. Quarterly system owner surveys aren't only laborious for everyone involved, they're unlikely to capture the full picture and rapidly become obsolete. CAASM allows organizations to create a continuous approach to security and compliance, and responsiveness in between quarterly and annual control assessments. 

“CAASM allows organizations to create a continuous approach to security and compliance.”

As organizations evolve away from waterfall development practices and stagnant legacy systems to continuous, cloud-native development practices, a security program that's based on periodic sampling doesn't make sense. It's time to evolve security practices to become more dynamic and responsive. CAASM offers alerts and contextual insights for more accurate, continuous security practices.

4) CAASM Drastically Reduces Compliance Burden

Traditional approaches to compliance are extraordinarily costly. Research shows the average enterprise spends over $10,000 each year per employee on compliance, while organizations in highly-regulated industries have seen a 60% increase in compliance spend in the past decade. 

Compliance can be a prohibitively expensive drain on resources for fledgling security programs, especially if security audits are treated as a distinct set of efforts from attack surface and posture management.

The future of compliance is continuous. CAASM allows organizations to put much of their compliance efforts on auto-pilot by offering real-time visibility into how systems, users, and configurations comply with both audit frameworks and internal policy. It can automate enormous percentages of efforts to collect evidence or assess controls, while allowing organizations assurance of their compliance posture between audits. CAASM is a key investment since it creates continuous, automated momentum toward both compliance and security, ultimately reducing the resource requirements to comply.

5) CAASM is a Clear Picture of Blast Radius and Risk

Threat actors don't rely on spreadsheets to exploit vulnerabilities. Instead, hackers generally use automated attack surface discovery tools to identify a company's most critical assets and navigate a carefully-planned set of steps to exploit human weaknesses, misappropriate user credentials, escalate privileges, and move through networks undetected. 

69% of organizations admit that they have experienced at least one cyber-attack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset, according to a recent ESG study commissioned by JupiterOne. While understanding the full scope of cyber assets is critically-important, the relationship between assets is even more important. Risks live in the relationships between assets, like users with privileged access to a sensitive resource, or a cloud bucket that's out-of-compliance with policy.

“Risks live in the relationships between assets.”

CAASM yields immediate value since it allows organizations to better understand risk profile and relationships between users, systems, components, policy, and risk. As threats and incidents unfold, security teams have an immediate understanding of true blast radius and can move quickly to remediate.

CAASM Creates Immediate Value

Virtually all security practitioners have to carefully weigh their technology investments, especially when they're first starting to scale up their controls. Decisions about whether to build, buy, or draw from open source solutions are challenging, especially in a resource-constrained environment. While there's a growing number of open source and free tools for security compliance, there's also some areas of key investment that can create enormous value early in a security journey - including CAASM.

CAASM creates immediate value and can be a valuable baseline for observability and response for security, compliance, DevOps, and leadership teams. While it's possible to attempt a DIY CAASM using homegrown solutions or open source tools, all alternatives have significant drawbacks. Investing in CAASM can create a paved road for security and a baseline for more proactive, data-driven decisions.

More about CAASM

The 3 Biggest Challenges of Cyber Asset Management and How to Solve Them
December 14, 2021   

2021-12-15 CAASM Definitive Guide - JupiterOne

The Definitive Guide to CAASM
December 13, 2021

CAASM is the Future... CSPM is Dead
September 1, 2021

Jasmine Henry
Jasmine Henry

Jasmine Henry is a security practitioner who's used JupiterOne to create a compliant security function at a cloud-native startup. She has 10 years of experience leading security programs, an MS in Informatics and Analytics, and a commitment to mentoring rising security practitioners from underrepresented backgrounds. Jasmine is a Career Village co-organizer for The Diana Initiative security conference. She lives in the Capitol Hill neighborhood of Seattle, WA.

To hear more from Jasmine, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.

Keep Reading

Identify compromised versions of Github using JupiterOne
January 31, 2023
Identify compromised versions of GitHub apps using JupiterOne

As a preventative measure, Github will be deprecating the Mac and Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-

The top 11 questions that every CISO should be able to answer
January 30, 2023
The top 11 questions that every CISO should be able to answer

In part one of this two-part series, we polled some of our top security experts to see what it takes to succeed secure and manage resources effectively.

Best of Cyber Therapy, Season 1
January 25, 2023
Best of Cyber Therapy, Season 1

Take a look at the top 5 episodes from Season 1 of Cyber Therapy, a video podcast featuring the humans of cybersecurity!

15 Mar 2022
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.