Free Book - External Exposure & Attack Surface Management for Dummies
“Shadow risk” is the risk associated with the unknown assets within an organization’s attack surface. Shadow risk includes the assets and attack vectors that are part of the organization’s IT ecosystem but may be unseen or unmanaged by the organization because the assets are in cloud, partner, subsidiary and abandoned environments. It is a risk that most organizations are blind to, but sophisticated attackers can easily exploit.
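The practical core of finding shadow risk is reconciliation: compare what the organization believes it owns against what is actually observable from the outside, and flag the gaps. The following added example (not code from the book or its publisher) does that with a constructed inventory and a constructed list of externally observed hostnames; the hostnames, owners and the `example.com` organization domain are all hypothetical. It surfaces three shadow-risk categories from the paragraph above: assets nobody inventoried, assets marked decommissioned that still answer from the outside (abandoned environments), and inventoried assets hosted under a third-party domain such as a partner or subsidiary.

```python
"""Reconcile an asset inventory against externally observed hosts to surface shadow risk."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    status: str  # "active" or "decommissioned"


# Domains the organization itself controls (constructed, hypothetical).
ORG_DOMAINS = {"example.com"}

# Constructed inventory export (hypothetical CMDB content; not real data).
INVENTORY = [
    Asset("www.example.com", "web-team", "active"),
    Asset("api.example.com", "platform", "active"),
    Asset("legacy-portal.example.com", "finance", "decommissioned"),
]

# Constructed list of hostnames seen from the outside, e.g. collected from the
# organization's own DNS records or certificate transparency logs (hypothetical).
OBSERVED = [
    "www.example.com",
    "api.example.com",
    "legacy-portal.example.com",   # still reachable although decommissioned
    "staging-db.example.com",      # never inventoried
    "payroll.partner-example.net", # partner-hosted, never inventoried
]


def base_domain(host):
    """Return the registrable-looking tail of a hostname (last two labels)."""
    return ".".join(host.split(".")[-2:])


def classify(host):
    """Label an unknown host by whether it sits under a domain the org controls."""
    return "own-domain" if base_domain(host) in ORG_DOMAINS else "third-party-domain"


def reconcile(inventory, observed):
    """Compare inventory with external observations and group the discrepancies.

    unknown:      observed but absent from the inventory (with a domain classification)
    abandoned:    observed although the inventory says decommissioned
    not_observed: inventoried as active but not seen externally (stale inventory)
    """
    known = {a.host: a for a in inventory}
    observed_set = set(observed)
    unknown = sorted((h, classify(h)) for h in observed_set if h not in known)
    abandoned = sorted(h for h in observed_set
                       if h in known and known[h].status == "decommissioned")
    not_observed = sorted(h for h, a in known.items()
                          if a.status == "active" and h not in observed_set)
    return {"unknown": unknown, "abandoned": abandoned, "not_observed": not_observed}


if __name__ == "__main__":
    for category, hosts in reconcile(INVENTORY, OBSERVED).items():
        print(f"{category}: {hosts}")
```

Every entry in `unknown` and `abandoned` is a candidate for an owner, a decommissioning ticket, or an explicit risk acceptance; the `not_observed` list is just as useful because it shows where the inventory itself has drifted.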
In cybersecurity, the phrase “shift left” refers to the process of focusing security practices as early as possible in a given activity or process. “Left” is a reference to the idea that a timeline runs from left to right, with “earlier” to the left, so “shift left” means to start earlier. This is analogous to the principle that “an ounce of prevention is worth a pound of cure,” meaning it’s better to catch problems earlier when they are easier or cheaper to fix, and their impact is lower. For example, for software security testing, it means beginning the process when the code is first being written, or performance tests are being run, rather than waiting until it is deployed into production.
In cybersecurity, “left” also means earlier in the cyber kill chain or in the MITRE ATT&CK matrix: deploying defenses early and proactively in the attack sequence. This moves the organization to a more proactive stance so it can stop an attack before it starts.
Supply chain risk can be thought of as a specific type of third-party risk, where the risk stems from the fact that vendors and partners in an organization’s supply chain increase its attack surface yet the organization may not have sufficient visibility or awareness of the suppliers’ security posture.
A company’s digital supply chain is unique in several ways and likely mission critical. IT service providers and other IT vendors may have different cyber security risk tolerances than their partners, or be smaller companies that have been unable to consider security at the same depth as their clients or other partners in the supply chain.
Organizations that are part of the supply chain but have poorly secured systems, abandoned assets, or misconfigurations that attackers can find create risk for all participants in the supply chain. It is not uncommon to have thousands of IT vendors in an organization’s supply chain. The complexity that digital supply chains create with respect to cyber security risk has been evident for several years, with one of the notable breaches occurring in 2013 with Target and one of its supply chain vendors.
A security rating service (SRS) performs an independent assessment of an organization’s security posture based on third-party data from threat intelligence feeds. These feeds draw on externally observable security factors derived from publicly available information.
The rating is designed for general guidance relative to the security posture of other organizations. An SRS is not typically used for a deep security test, and it doesn’t replace attack surface management. That said, it’s a fast, consistent, and valuable method for obtaining a high-level number suited to comparisons with other organizations.
Security testing checks software to reveal vulnerabilities in security mechanisms and determine whether data and resources are protected from threat actors. It’s a type of non-functional testing focused on whether the software or application is designed and configured correctly.
The test provides evidence on the safety and reliability of software systems and applications, such as not accepting unauthorized inputs. Different types of security testing include vulnerability scanning, security scanning, penetration testing, security audit, and risk assessment.
Security theater refers to superficial security measures that create a false sense of safety. Businesses should focus on comprehensive strategies, including effective controls, threat intelligence, and incident response, to minimize risks and protect assets.
An organization’s security posture is the collective measure of the effectiveness of its cybersecurity. Assessing security posture involves testing the security of your IT ecosystem and its susceptibility to outside threats. Baseline security posture assessments help organizations map improvement and investment plans for protective measures that are not appropriately aligned to the organization’s risk tolerance.
Shadow IT is the use of web apps, cloud services, software, and other IT resources without the knowledge of an organization’s IT or security teams. There may be hundreds or thousands of these resources and services in use throughout an enterprise, provisioned by lines of business, individuals, or third parties without being vetted or deployed by IT or security teams. The prevalence of this self-service IT introduces new security gaps that could put the organization, as well as customer data and systems, at risk.
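One common way to get visibility into shadow IT is to run outbound web proxy or DNS logs against a list of sanctioned services and report whatever else staff are using. The following is an added example, not code from the book: it parses a few constructed proxy log lines (the `timestamp user host bytes` format, the user names and every domain are hypothetical), skips malformed lines rather than failing on them, and groups unsanctioned destinations by service so the report shows how many users and how much data each unvetted service already involves.

```python
"""Flag unsanctioned cloud services from constructed outbound proxy log lines."""
import re
from collections import defaultdict

# Base domains of services IT has vetted and approved (constructed, hypothetical).
SANCTIONED_DOMAINS = {"example-corp.com", "sanctioned-cloud.example"}

# Constructed proxy log lines in a hypothetical "timestamp user host bytes" format.
# The last line is deliberately malformed to show that the parser skips it.
LOG_LINES = """\
2024-05-01T09:00:01Z alice mail.example-corp.com 1200
2024-05-01T09:02:10Z bob files.unvetted-share.example 880000
2024-05-01T09:03:55Z alice notes.unvetted-share.example 1500
2024-05-01T09:05:22Z carol crm.example-corp.com 3400
2024-05-01T09:07:09Z dave files.unvetted-share.example 120000
2024-05-01T09:09:44Z erin analytics.unknown-saas.example 5000
2024-05-01T09:10:00Z frank storage.sanctioned-cloud.example 42000
this line is not a valid record
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": m["ts"], "user": m["user"], "host": m["host"], "bytes": int(m["bytes"])}


def base_domain(host):
    """Collapse a hostname to its last two labels so one service is counted once."""
    return ".".join(host.split(".")[-2:])


def find_shadow_it(lines, sanctioned_domains):
    """Group traffic to non-sanctioned services by service base domain.

    Returns {service: {"users": [sorted user names], "bytes": total bytes}}.
    """
    usage = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip, do not abort the whole report
        service = base_domain(rec["host"])
        if service in sanctioned_domains:
            continue
        usage[service]["users"].add(rec["user"])
        usage[service]["bytes"] += rec["bytes"]
    return {svc: {"users": sorted(v["users"]), "bytes": v["bytes"]}
            for svc, v in usage.items()}


if __name__ == "__main__":
    for service, info in sorted(find_shadow_it(LOG_LINES, SANCTIONED_DOMAINS).items()):
        print(f"{service}: {len(info['users'])} user(s), {info['bytes']} bytes")
```

Grouping by base domain rather than full hostname matters in practice: one unvetted file-sharing service usually appears under several hostnames, and the decision to vet, block, or adopt it is made per service, not per host.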