Who is setting the standard for network security?

"We want to help enterprises take a step back and take a comprehensive look at their security capability building level, and what security construction should be done most at the current stage?"

Measurement corresponds to clearer cognition. For enterprise security, this understanding is also becoming a new yardstick.

Author|Pi Ye 

Produced | Industrialist 

Starting in June, Lu Yiping began to appear frequently in various companies.

Along with him are colleagues from Tencent's security expert team. As the general manager of Tencent's Security Strategy Development Center, he is working with the team to help companies do a special job - security immunity assessment.

In his words, this is a process of continuous testing and verification. This past June, Tencent Security held a digital security immunity research forum in Beijing, at which a model framework called "digital security immunity" was proposed.

Ding Ke, Vice President of Tencent Group and President of Tencent Security, said at the scene that in the new stage of digital intelligence, enterprises need to change from passive security to active defense, improve digital security immunity, and move to "treating the disease before it is already there".

What exactly is the idea of "treating the disease before it's too late"?

Pulling back the timeline, over the past many years Tencent Security has repeatedly appeared in many core security scenarios such as offensive and defensive drills, heavy security, and emergency response, serving a large number of large and very large customers in China. In the process, a phenomenon has quietly emerged: if an enterprise does not make up its mind to plan security construction from a holistic perspective from the beginning, but instead responds to security problems piecemeal as they arise, it will eventually be exhausted, and its security construction will get half the result with twice the effort.

It is precisely from this perspective that the prototype of a set of "immunity" concepts quietly formed within Tencent Security: changing past practice and finding a way to help enterprises systematically build their internal security immunity and improve their ability to resist security risks.

Three years into the epidemic, this prototype has become even clearer. Due to spatial and geographical reasons, when customers encounter urgent problems that need to be dealt with, Tencent's security expert team is often unable to rush to the scene during the process, and faces the challenge of "extreme operations" countless times.

The launch of the security immunity concept had officially entered the countdown.

But while counting down, another more real question is, what is the immunity model that truly meets the needs of enterprises, and is Tencent Security confident about the methodology that has been initially condensed in many years of scenario services?

Lu Yiping and his team appeared inside companies, looking for the answer to this question. "We have two main purposes. On the one hand, it is to compare it with the immunity model framework we developed before to see if we have any problems and whether the company's feedback is consistent with the model test results; on the other hand, it is also to compare the company's performance with that of other companies in the same industry to see what the differences are."

Three months after the "Immunity Model" was first released in June, at the just-held Tencent Digital Global Ecosystem Conference, an evaluation tool called the "Digital Security Immunity Model" was officially released. Enterprises can use this automated test tool to complete digital security scoring tests for their own enterprise scenarios. The assessment tool covers most scenarios, such as enterprise boundary security, endpoint security, development security, security operations, data security and business risk control.

What does that mean? "We want to help enterprises take a step back and take a comprehensive look at their security capability building level, and what security construction should be done most at the current stage?" Lu Yiping told us.

Measurement corresponds to clearer cognition. For enterprise security, this understanding is also becoming a new yardstick.

1. Security needs to be measured

How is security faring now? "Many companies are still in the 'treat the head when they have a headache and treat the foot when the foot is a pain' model." Lu Yiping told us.

That's true. According to incomplete statistics, the proportion of Chinese enterprises' investment in network security is generally 1% of their information investment, while in other digital markets around the world, this proportion is generally 5% or even higher.

"Even many companies do not have a chief growth officer, but they must have a chief security officer." Ding Ke said.

The larger background behind this phenomenon is that with the deepening of digital construction, security has become an increasingly important proposition.

In a document called the 2022 Global Cybersecurity Situation Report, 65% of the more than 1,200 security industry leaders who participated in the survey said they had seen attempted cyberattacks increasing; in addition, nearly half (49%) of businesses say they have suffered a data breach in the past two years, up from 39% in the survey a year ago.

In China, these figures are reflected concretely across industries. If over the past many years finance, retail and other related fields were the focal areas of network security, now industry, retail, and even education and medical care are becoming areas where security incidents occur more and more frequently.

In addition, the focus of security is also changing. Lu Yiping's investigation found that many companies on the market today still focus on network security and terminal security, but internal development security, or security operation management, is at a very basic stage.

Why is this so?

"Nowadays, many companies have many people responsible for security, but each role has a different understanding of security. In the end, there is no systematic plan for security work and we don't know how to advance it." Ding Ke said.

That is to say, regarding the proposition of security, CEOs, CSOs, or more specific executives have different perspectives and ultimately reach different conclusions. The most direct manifestation of this difference is the financial investment in security.

This is also the reason why many large enterprises today are always in the mode of "treating a headache and treating a sore foot". That is, within the enterprise, the "technical language" of security lacks the expression of the overall enterprise perspective and the expression of the business level. From a top-level planning perspective, it is easy to enter a vicious cycle of constant “patching.”

For small and medium-sized enterprises, the rudimentary state of this kind of security construction is even more obvious. "Many small and medium-sized enterprises know too little about security services, such as data security. Many companies have no idea what data security and business security are. For them, security means firewall construction and security boxes." Lu Yiping said.

In fact, regarding the proposition that "enterprises are building security now", although there are many security models circulating on the market, most of them focus on the two points of "boundary security" and "endpoint security". There is no clear enough methodology for required data security, business security, etc.

In other words, what are the security capabilities that enterprises need to establish today? What are the priorities? And what about their respective metrics for large enterprises and small and medium-sized enterprises?

2. Immunity Model: "One Step Up" for Security

These are exactly the problems Tencent Security is trying to solve. At this conference, an option was launched, which is the security immunity model evaluation tool.

Specifically, enterprises can self-test with the security immunity model and get a total score based on their own construction in endpoint security, application boundary security, development security, security operation management, data security, business security, etc., clarifying their own security construction level and "what level the company is at" from the perspective of the same industry.

In other words, compared with the "security models" on the market today, this set of tools not only includes inherent endpoint security and network security, but also pays more attention to the enterprise's security construction at the business and data levels, that is, the security protection of the enterprise's core assets.

This is exactly the "onion theory" proposed by Tencent today, that is, through layer-by-layer security verification from the outside to the inside, a comprehensive security score is finally given to the enterprise.

"We mainly want to help companies solve two problems: The first question is, where are the company's security shortcomings? The second question is, what is the current security level and what level do we want to improve it to in order to solve the core business? Focus on the most important issues in your life and use security investment and resources on the most important things." Lu Yiping told us.

For large enterprises, the value of this set of tools lies in establishing a "unified understanding" within the enterprise. That is, through more intuitive language and problem expression, the business leaders of the enterprise can truly realize the importance and value of security. "In order to improve to at least the industry average level, or even a benchmark enterprise, what should we do? Or, what should we do first?"

In the past two months, this set of security measurement tools, which was extracted from Tencent Security's years of experience, has been continuously verified in actual scenarios. "For many large companies, their evaluation feedback is basically the same as our evaluation, but there will also be some aspects that companies have not paid attention to before." Lu Yiping said, "Based on specific links, companies will conduct targeted consultation."

For some small and medium-sized enterprises, the feedback they gave is that this set of security measurement tools can help them establish a more systematic security awareness model, that is, how to achieve the best results "with limited funds" and "what should be done first?"

"For example, a financial client is piloting with us. We help them make a short-term plan for the second half of this year through the evaluation of the immune model, mainly to solve their current highest-risk and most urgent problems. Then based on these problems, we carry out corresponding deployment through products such as Tianmu and Yujie (note: traffic blocking and terminal security products respectively). The next plan is to continue construction, deploying corresponding products and capabilities on the endpoint side and terminal side next year."

In Lu Yiping's words, the core value of this set of tools is that it allows companies to "take a step back" and truly measure the company's own security construction level from a global perspective, thereby clarifying the core tasks at the moment.

3. “Discover problems” and “solve problems”

But discovering the problem is obviously not enough. What follows discovery is breaking the problem down and solving it. As far as the level of security construction is concerned, solving these problems requires taking appropriate measures.

According to Lu Yiping, through self-testing of the digital security immunity model, companies can be divided into four categories based on different security capabilities: expert companies, operational companies, tool companies, and companies that need to be improved.

Expert enterprises, mostly in finance and electric power, correspond to enterprises with higher self-test scores in the digital security immunity model. That is, from the perspective of various indicators, their security construction is at a good level. But in certain specific vertical segmentation scenarios, it still needs to be improved.

Tencent Security's approach is to support the "integration" of its own products, that is, enterprises can integrate Tencent Security's atomic capabilities in some aspects into the enterprise's own security system to complement capabilities, and then conduct better security operations and management.

Operational enterprises mainly correspond to semi-Internet enterprises, such as retail and e-commerce companies. Their typical feature is that, compared with other enterprises that deploy systematic security platforms and purchase security tools in bulk, they place more emphasis on tailoring, that is, conducting specialized security operations and data monitoring based on their own business attributes. Their main need is to use the digital security immunity model test to see whether they need other tools, and to strengthen operations in specific processes.

Tool-type companies often correspond to companies with relatively basic underlying security capability construction. That is, as a leading company in a certain industry, it has a strong awareness of security construction, but how to carry out security construction, how to integrate the company's internal security capabilities, make good use of existing security products and systems, and establish an efficient and linked security mechanism is a core problem for this type of enterprise.

Tencent's security solution is based on security hosting and is supplemented by expert diagnosis and corresponding tools to help enterprises build a complete security link.

Lu Yiping once made an analogy. "It's a bit like you bought a pile of bricks, but you didn't lay the bricks very well, so let's work together to help you lay them well."

The last category is companies that need to be improved. That is to say, compared with the first three categories, this kind of enterprise's foundation on the security side is relatively preliminary. Whether it is the organization of security management concepts or the capacity building of the security product system itself, they are still in the early stages.

For such customers, Tencent Security will not only provide product support for the enterprise, but also help with special consultation, such as helping them plan whether to build a separate security team, whether to implement a special security system, and whether there can be some clear division of responsibilities.

"In today's network security services, more and more trends are beginning to emerge in the atomization of security capabilities and the service-oriented security capabilities." Lu Yiping said, "The atomization of security capabilities corresponds to the fact that products can support being integrated and combined, and security capability servitization is based on final results and services, helping enterprises to do a good job in security."

Behind these two perceived trends are Tencent Security's own solid product and service capabilities. In Tencent's current security layout, basic security, business security, data security and many security services such as zero trust iOA, threat intelligence, Tianyu, and "SOC+" and other leading products have now become the first choice for many enterprises in security construction.

In the recent "The Unified Endpoint Management Landscape, Q3 2023" (hereinafter referred to as the "Report") released by the international authoritative organization Forrester, Tencent Security, relying on the advantages of zero-trust iOA in DEX (digital employee experience), risk control, etc., was further recognized and recommended by Forrester, becoming the only domestic security service vendor selected.

"After sorting out the needs and helping customers provide consultation and clear solutions, we sometimes help the enterprise security department do the final step." Lu Yiping told us, "This will include the support of budget, professionals and leaders. We will use a simple and intuitive 'weapon deduction' or 'sand table deduction' model to discuss with business leaders, 'If security capability building is not carried out, what risks their core business may face and the possible consequences' and other issues. The person in charge of the company can basically understand it at a glance."

In fact, these details constitute not only security-based "diagnostic" capabilities, but also equivalent to an "operation" for the security of different enterprises. If you want to fundamentally solve the disease, you must prescribe the right medicine and tailor it to the situation.

4. Seeing a new ship in cyber security

"Capabilities have been accumulated before. These come from our previous lightweight consulting experience. Now we feel that the time has come, and this is the release of the immunity model evaluation tool." Lu Yiping told us.

From the perspective of current digitalization, the value of the digital immunity model is that, as a neutral security evaluation tool, it constructs a ruler for security evaluation in the current new digital era. This ruler can help enterprises "take a step back" and think about security construction in a sufficiently systematic and cutting-edge manner from a higher perspective.

In terms of specific product selection, although behind every security scenario and link there are solutions provided by Tencent based on its own products, companies can still choose on their own. "Including after the evaluation, if we need to help the enterprise with lightweight consulting on the security side, we will also provide objective suggestions to the enterprise. For example, if Tencent does not have the product capabilities, the enterprise can go to the market to purchase it by itself, etc."

Nowadays, these are becoming the norm for Tencent’s security team to provide external services. Even taking a closer look, this will become the new normal for the entire Chinese security market.

Barbarism corresponds to disorder, and order brings growth. That is to say, with the help of this new security yardstick, both small and medium-sized enterprises and large enterprises will have a systematic understanding of and emphasis on security, and on top of this, a more stable and orderly Chinese network security system will gradually form.

In this new security system based on metrics, there will be products and solutions for specific problems, as well as enterprise security system paradigms such as how enterprises build security organizational structures and how to define security responsibilities. Beyond that, there will be a security service ecosystem with sufficient boundaries, openness and compatibility.

Today, this ruler is still evolving.

"It is expected that some scales such as the average score of the industry will be released later. If there is a scale, you can also connect with experts and some competent authorities; in addition, we will also cooperate with some research institutes in various industries. In the industry, we can really do safety consulting,” Ding Ke said.

It can be understood that this is also the special value of Tencent Security.

In addition to technology, products and service solutions, it has also taken on an infrastructure role in China's security industry. This security-based infrastructure is not the open and compatible infrastructure of the past, understood from the development side of underlying technology, PaaS, etc., but is based on the entire industry's new products and the reshaping of the demand framework, which has turned disorder into order and truly established enough tangible demands and standardized links in the security industry, thereby promoting the growth of the entire market.

"So, many times when we are doing security, we often think: What are you insisting on? Besides assets, what else is there? In fact, it is values. The essence of security issues is the issue of values." Ding Ke told us.

Origin blog.csdn.net/chanyejiawang/article/details/132795277