Terry Bebbington, Head of Security Services UK&I at Atos, explains how SIVO enables CISOs to gain real-time visibility of their security posture, uncover inefficiencies across multi-vendor environments and make data-driven investment decisions.
The thinking behind Security Investment Validation and Optimisation (SIVO) is about addressing a challenge I’ve seen in the industry for years.
CISOs, CIOs and IT leaders are challenged to understand the value of their cybersecurity technology investments today and tomorrow in a threat environment that isn’t static. Let me explain further.
The pack mentality doesn’t work. When it comes to security spend, we tend to rely on industry benchmarks, for example, security spend as a percentage of revenue or as a percentage of overall IT spend.
That helps you benchmark yourself within your peer group, but the problem is that being “in the pack” doesn’t really mean much.
Threat actors don’t care if you’re aligned with industry benchmarks – they’ll still go after you.
Another issue is that these benchmarks usually use IT spend as the common denominator, but in most enterprises today, the spend is much broader.
You’ve got digital enterprise, IT enterprise and shadow IT, so the basic maths behind that benchmarking can be flawed when the spend analysis is based only on IT spend.
And, of course, looping back to my comment regarding the value of that spend: more spend doesn’t necessarily mean effective spend.
That’s where the design thinking for SIVO came from: it’s about understanding the effectiveness of the security technology spend in real time.
A final comment on the security spend benchmarking is the asset management challenge – or more specifically, understanding inherent security technology investment in a technology environment that has evolved over time, has a multi-supply base and is normally an inherited portfolio for a new security leader.
One of the key challenges a security leader must overcome in their first 100 days in role is to understand or baseline what they have inherited, and in a large enterprise with multiple technology silos, suppliers and businesses, it can be a daunting and time-consuming exercise.
So what do a lot of security leaders do? Outsource the challenge and bring in a third-party consultancy firm to perform an audit or maturity assessment, which often doesn’t consider the effectiveness of the security technology spend, but rather focuses on binary questions of control functions, capabilities or competency towers against a rating model – CMM typically – with industry benchmark data as the proxy for effectiveness.
From my perspective, whilst benchmarking and specifically maturity benchmarking is a tool for arguing for new budgets, it doesn’t address the effectiveness of an organisation’s deployed security tooling.
To further compound the challenge for security leaders, the estates they’ve inherited are typically ecosystems of built-up platform technology solutions with duplication and very limited understanding of usage or performance.
This is where SIVO comes in. SIVO’s primary objective is to give security leaders confidence in their decision-making in terms of security tooling effectiveness and efficiency.
I’m a firm believer in providing our clients with real-time data to make both tactical and strategic decisions of where to invest or divest their hard-earned security dollars, euros or pounds.
Having a capability within a security leader’s armoury to understand how effective their security posture is day-to-day is a no-brainer for us.
An added benefit of the SIVO offering is it is designed to be understood by non-security leaders too, so a CISO can provide access to the platform to other parties, e.g., CIO, Procurement or the wider executive team to provide them assurances that their investments are providing adequate protection.
We’ve found clients that leverage SIVO find it invaluable in cutting through the noise and providing them insights that have typically taken weeks to discover.
When we sat down to design the offering, we looked at how the industry was approaching it.
In a previous role, I helped security leaders choose the right partners and investments, but it was all spreadsheet-driven – benchmarks, threat assessments, simulation models – all very point-in-time.
There was no platform capability to continuously model spend effectiveness.
That’s where our partnership with ESPROFILER, a UK-based cyber start-up, came in.
This partnership helped shape SIVO’s roadmap to become a dynamic model that can keep pace with organisational change.
It helps organisations understand where security budget is going, whether they’re getting value, where there’s tool or feature duplication and how contracts align with renewal cycles.
So, you can make informed decisions about when to divest or reinvest, all modelled in one place.
Let me simplify it. Imagine two vendors, say, CrowdStrike and Microsoft, providing an EDR (Endpoint Detection and Response) capability in an enterprise.
SIVO maps and models those tools against specific threat groups’ techniques, for example ransomware attacks. It then models whether each tool actually protects against that threat or has the right or same features enabled.
If both do, you can see potential cost savings through consolidation. If neither does, you know where your gaps are.
This example is very binary and simple to explain the point, but the real model is much more sophisticated and is enabled by the modelling algorithms in the platform which are constantly being updated due to the complexity of the challenge it’s designed to address.
Fundamentally, it shows our clients where they have good protection coverage, tooling duplication or threat exposure gaps, giving a clear view of how to optimise investments.
We have seen examples of three or four different vendor technologies deployed in an environment to provide the same functionality, which enabled the client to consolidate their supply base and make savings whilst not increasing their threat exposure.
The platform is only as good as the data going into it.
Our role at Atos is to make sure the data is accurate, relevant and comprehensive.
There are three key inputs: Product data – your inventory, such as the products, services, partners and agreements you have; commercial data – your contract terms, spend and timelines; threat insights data – we aggregate around 300 data sources daily.
That’s how we build a holistic view of a client’s threat landscape, potential threat exposure and investment effectiveness.
The core principle of SIVO is giving security leaders confidence to make informed, data-driven decisions rather than relying on outdated reports.
You build a full picture of your threat landscape, identifying coverage gaps, exposure and priority areas.
You can model different threat scenarios (like insider threat) and see whether your current configurations, deployments and vendors cover them.
That helps leaders decide whether to divest, reconfigure or invest and see the impact of those decisions in real time.
Instead of a maturity report saying, “you are level two, aim for level three,” SIVO shows exactly what that means in practice – whether that’s better configuration, a new capability or re-allocating spend.
Ultimately, it’s about empowering decision-making based on live data, not static assessments.
The first step is data onboarding. We typically have a two-week onboarding period to bring product, pricing and threat intel data into the platform.
Once that’s in, we can start delivering insights almost immediately – usually within two to three weeks.
Some organisations start with a single region as a proof-of-concept before scaling enterprise-wide.
Either way, the insights are actionable very quickly.
We’ve already done this with several large financial organisations and while they don’t rely on it blindly, they use it to inform and accelerate their decisions.
In simple terms: “If we do this, what does it mean?” That’s what SIVO answers – and there really isn’t another capability doing that right now.
This article was originally published in the November edition of Security Journal UK.