Video: The 2026 Mandate: From Compliance to Demonstrable Trust | Duration: 2056s | Summary: The 2026 Mandate: From Compliance to Demonstrable Trust | Chapters: Welcome and Introduction (28.91s), Data-Driven Security (103.815s), Basic vs Strategic Metrics (238.21501s), Key Security Challenges (360.08502s), Context and Comparisons (552.755s), Security Maturity Levels (782.49005s), Outcomes Navigator Overview (1015.93s), Compliance and Coverage (1179.715s), Adoption and ROI (1310.155s), Outcomes Navigator Demo (1370.865s), Strategic Recommendations (1638.78s), Wrap-Up and Recommendations (1739.635s), Closing Remarks (1879.215s)
Transcript for "The 2026 Mandate: From Compliance to Demonstrable Trust": Alright. Welcome, everyone. First of all, I wanna wanna thank everybody for, your time here today. Got a really fun topic that that I wanna spend some time on, which is essentially how to bring measurement and, tracking toward outcomes to your security program. I I'll I'll start off with, a bit of an introduction. My name is Matt Williams. I'm one of the directors of product management at Exabeam. Been with the company for for going on fifteen years now, you know, in product management for about ten of that. So I've owned lots of different areas of the platform. And and through that journey, coming to own this area of the of the platform called outcomes navigator has been really, really fun. I think this is, one one of the most, impactful areas that that I get to spend time on. So really excited to to share some of the the, you know, thought process behind Outcomes Navigator and, how you can take advantage of it, how it can help, improve, your your posture in a security organization. Wanna say before we get started, if you have questions as we go, go ahead and drop those in the q and a and, we'll we'll try to, pick off some of those as we go or answer things at the end if we don't have time. So with that, let's go ahead and, kind of dive right in. Just to kind of help set the stage here, you know, I I think this is a really apt quote for this particular problem. You know, an awful lot of, kinda how to make improvement in, in a security organization is just kind of finger in the wind. Like, you know, kinda seems like we should spend our time over there or somebody drawing on past experience, but, you know, really to do this the right way, this quote says it all, in God we trust, all others must bring data. I I mean, that's the hard part here is how do you get that data to be able to make decisions and and prioritize off of that. 
Security has never had more data, but data doesn't always answer questions. You've got to draw the insights from that, to to get to the right conclusion. So to even more, clearly frame this problem, let's let's look at some numbers. So, you know, well over three quarters of directors classify cyber issues as business risk. However, there's a big gap between that and, you know, maybe half who feel like they really understand those issues well enough to get their hands around it, to to actually take control and and drive improvement. Somewhere north of of half are saying they're struggling to actually understand that risk and communicate it effectively to the board. And, a very small percentage, you know, 15% in that ballpark, actually try to measure the financial impact of that cyber risk. This is a a really hard problem tying risk. You you don't know the, like, theoretical financial, impact of a given incident. But the closer you can get to that, that's the language that the board can speak. That that's something that will resonate, across an organization is saying, here's the here's the potential financial impact of our current posture, and then you can turn that, that improvement, that that hypothetical improvement into, this is the financial impact of investing. This is the ROI, which suddenly becomes a a much different conversation from a a business and a board perspective. So, let let's kinda dive, a a a layer down. So most organizations are are really good at collecting kind of the the basic metrics. They know how many alerts they're actually receiving. They know how many incidents are getting tracked and closed. They know how much data is, you know, just being fed into a platform. They're probably gonna have some level of metrics around, you know, how long things are taking to go from the the top of the pipeline to the bottom. You know, how how what's what's the throughput? How many of these are we doing? How long does each one take? 
And then you you can say, alright. Well, if we expect this level of of growth over the next quarter, the next, you know, year over year, that kind of thing, here's how many more analysts we're gonna need. Or here here's the kind of tooling that we need to bring in to to drive down those times so that, you know, we we've got adequate coverage. Very reactionary metrics. You can do planning, but, you know, you're really saying, you're really making this a a a very simple math problem or or oversimplifying things. Meanwhile, the boards and and and a lot of executive leadership are asking different questions. They're not asking for how many alerts are are, you know, being seen by the security team. They're actually asking, okay. Are we better protected than we were before last quarter, last year? In what areas? You know, what what's our exposure to phishing, to ransomware, to insider threat? How do we compare to others in our industry? You know, the the old adage of, like, you you don't have to have the impenetrable lock. You just have to have a lock that's better than your neighbors. Right? Because if you're not the low hanging fruit, then a a lot of attackers are gonna go elsewhere. And and then, you know, if we make some investment, how does that actually, improve our coverage? Right? What's the ROI on on that investment? What's the return that I'm gonna see from it? These are hard questions to answer, but that's what we're gonna try to to get into, here today and and how you can answer those with, with Outcomes Navigator in in New-Scale. So let's go through a couple of the challenges that, that we see organizations tend to face. You're probably going to to, you know, have seen a few of these in in your own organization. The the first one here is, very closely aligned with the the couple of, you know, points that that we just talked through. 
So, you know, in in the realm of half of cybersecurity leaders have tried to map, their their risk, have tried to map their coverage to risk to say, you know, here are the metrics that we're seeing. I I'm gonna try to to to, you know, funnel that into a level of risk and communicate that. And and half of them who have tried to do that have actually failed. The metrics didn't hold water. The the metrics didn't land. They weren't the right metrics. The the linking between what's being measured and and that that theoretical risk, just isn't isn't strong enough that it was, something that that you could effectively communicate or or that told the right story. You know, just like it says on the slide, that executive team is not interested in the raw throughput. They don't want the metric data. They want the insight. They they they wanna map it to the the risk and how are we mitigating risk. So, this is this is a big problem that, outcomes navigator, helps to solve. We we kinda briefly touched on this, but security programs have a really difficult time, tying risk to investment or or maybe better said, communicating the the the, like, quantifiable impact that an investment will bring to mitigating risk. So it's it's easy to say, okay. If we bring in vendor x, here's what that costs. Right? Like that that's I can get a quote. I can I I can I can easily go figure out what the cost is? What's much more difficult is saying, what's the measurable impact of that on, the mitigation of risk? How much better protected am I against, you know, threat x? Would I be in the future by making that investment? So if if you don't have a measurement of where you're currently at from a a risk and use case coverage standpoint, then it's very difficult to say, if I were to make this investment, this is what my coverage becomes. This is how much risk I have mitigated and therefore, actually make that that ROI calculation. 
This is what really leads to, the the point on the slide here of security is considered a cost center rather than a strategic function that can make, you know, meaningful, positive impact on a business. And then, the the third challenge here is, for organizations with tools that have, some measure of risk built in, there really aren't standards around the the benchmarking that's available. So, the analogy that I I I very often make with this kind of problem is when you have that risk calculation, when you have that coverage calculation, it's it's gonna give you a letter grade or a score or something like that. That's an awful lot like your credit score. Right? So, at least for for those for those of you in the US, that's probably gonna land. If you're not in the US, maybe maybe it warrants a little bit of context of, you know, this credit score is is essentially like a a measurement of my risk as a borrower. Right? If I wanna go to the bank and take out a loan, that credit score is saying, how likely am I how how big of a risk am I in, in in that financial institution lending me money? But when I look at that number, it's just a number. It feels like an arbitrary number. And and the first thing you wanna do is say, well, is that good or bad? And a and a good way to do that is how does it compare to my peers, to those around me who are who are similar to me? How do I make it better? What are the things that I actually need to go do if I wanna improve that and show that I am lower risk? And the same problem exists here. Just because you have those numbers and and made, you know, the the metrics, the raw underlying metrics, or potentially the the kind of coverage and risk score, it it's not enough to say, okay, I've I've got a I've got a number. Right? My number is x. There's no context. That that doesn't mean anything unless you can say, and that puts us at, you know, x percentile in our industry or, here's how I drive that number. 
You know, this is the level of investment that I need to make to drive that number to where we think it needs to be. So, if if you don't have that context, just like it says, those metrics may not mean anything even if they're accurate and even if they're useful. When you don't have the context, it's it's very hard to use that to to communicate effectively. AI, as one would expect, has made this so much more difficult. Right? The, you know, AI, is is in security kind of part of this arms race where, we know that bad actors are are using AI tools to iterate faster and build, you know, more more targeted attacks, you know, build build attacks at greater scale, things like that. And on the the, you know, countermeasure side, AI is is being leveraged for detections, for accelerating workflow, for, in some cases, automating some some parts of, the the investigation and remediation process. There are still a a lot of organizations that are, kind of stuck in in, you know, the the the 2000s or the 2010s when it comes to, the metrics that they gather and and the way they operate their their security program. And and AI has has just made this so much more complex when you you've got attackers that are, iterating as as quickly as they are and, and and, you know, attacking at even higher volumes and, you know, it's really, like, raise the bar on the the you know, we used to think of things as, low complexity, high volume or high complexity, low volume. And and what this is doing is just raising both of those numbers. Like, you you can increase your volume and you can increase complexity, in in the attack when, you know, AI tools are in play. So so getting a handle on, you know, AI as an attack surface, has made this this kind of coverage problem even more complicated. So what does it look like to be a, a high maturity, a high maturity security organization? What does a high maturity program do that is different from a a low maturity program? 
These are things that that you would largely expect, but, you know, it it's really this maturity curve of, you know, on on the low end, you're you're measuring volume. You're looking at how much data is ingested, how many things you have to respond to. As you go up that curve, you start to look at, the performance of the team and the tools. You you may set benchmarks internally. They might be guesses, but as long as you're measuring it and you're you're putting a goal out there, it's kind it's kind of like agile methodology. You you come up with a way to estimate and and to, predict how the next, you know, quarter or iteration of of work is gonna go and then track toward that that estimate, toward that guess, and then you try to get a little bit better every time you say, okay. We can we can we we've learned enough that we can estimate better, and we're gonna try to improve our efficiency over time. So that's kind of that that middle maturity. High maturity will then kinda close the loop and say, we're going to to try to measure coverage, we're gonna try to quantify risk, and we're gonna try to, to to predict how we can mitigate risk to to, you know, really close that loop on, I'm looking at the outcome. I I'm I'm making a prediction or or I'm setting a target at the outcome, which is risk reduction, and and then use the metrics to support that decision along the way of, you know, where is the bottleneck? What what's gonna make the biggest improvement in in risk mitigation? So the questions that that you ask, and if you're a high maturity organization, you can usually answer some or all of these. And it's not just are we safer than last quarter or last year, but, in what areas? You know, have have we improved as an insider threat organization? Have we improved in, our our coverage against common attack types like ransomware or or other types of malware? Where are our weaknesses? What what do we know that we're weak against? 
It's naive to say, oh, we're we've we've gotten great at everything. We don't have to worry about it now. A good organization is gonna know, you know, we've improved in these areas, and that means that these other areas where we haven't spent as much time, we're just lower on the curve still. And then if we make these investments, what will that actually improve? Right? What what's going to be the the net result of making, you know, any any given investment? So the the goal of, outcomes navigator is really to, dramatically simplify a lot of that calculus and say, we're going to to add up the security coverage and show that to, you know, to that user so that they can really easily say, here are the areas where I'm strong, here are the areas where I'm weak, here's how things have trended over time, Here's where I probably need to go invest and provide the tools to say, okay. What if I did that? How would my coverage probably change? This then makes it so much easier than than it is without this kind of tool to say, you know, I I actually can measure, the impact of, of different things, changing SOC processes to, to to, you know, make certain types of of triage and investigation faster, bringing in different types of tools, putting certain types of detections in place. You can actually measure that impact and and predict, the the impact of, you know, similar changes. It but all of a sudden makes the, the investment in some of these insights defensible because you can show the math behind it. You can say, here here's here's what we think. This is where we're at. Here here's our hypothesis. Let me show you the data that led to that hypothesis. That's something that that, you know, unless you're at the very highest end of that curve, is very, very difficult. You also get to then be a little more strategic. It helps you be more strategic because you're you're, you're planning for the areas of weakness. 
You're planning for for investment in those areas, to to help fill in those gaps. So let's get into some detail on Outcomes Navigator so I can kinda show you what some of this looks like. I think we'll probably have a a little bit of time for, for some demo as well. So I'm gonna show you show you some of this in action. So to start off with, you know, Outcomes Navigator just at a very high level is really there to to take the the, you know, the technical coverage. Like, we have detections in place for x, y, and z and and roll those up into use cases and then map the you know, track the the coverage of that use case at an organization level. You can do this using, what's on the screen here is Exabeam's kinda use case breakdown, and MITRE ATT&CK. You you can use both simultaneously. You can really think of the use case view as kind of a a a distilled version, a simplified version of MITRE ATT&CK. That was really done intentionally because a lot of organizations just aren't at the the maturity level of fully adopting something like the ATT&CK framework. It it takes a lot of time and effort, and we just know there are a lot of organizations out there where that's not the alligator closest to the boat, is to is to, you know, fully pull out MITRE ATT&CK. So let's see if we can simplify it and and help push forward in that maturity curve, and and then you can still adopt MITRE ATT&CK down the road. This is an objective score. So we're we're looking very clearly at, you know, individual detections. Is the data in place to satisfy that detection? And then, you know, generating a score off of that. It also does a really good job of helping helping you to trend over time. So, you know, for a given use case, here's where I am, where was I last quarter, you know, are we are we going the right direction on any one of these. 
That even kinda shows up a little bit a little bit better here where you can see that score, that trend over time, and and, you know, then the benchmarks on top of that. So like I was saying, that that number, that 57 that you see on the screen for this use case coverage, in a vacuum, what does that mean? Well, I can see how it trends over time. I can see that, you know, it's it's down a little bit from where it was maybe a few months ago. But I can also see, for my industry, for organizations in a similar size, I'm actually a little ahead of the game. Now they're closing the gap. Right? Like, that that's pretty clear in here, but I can tell that, you know, okay. At 57, somebody could easily go, oh, you you got an f. You know, that's not good. But actually, like, for for this particular use case, that's really not bad. That that puts me, ahead of the average for my industry. So bringing in that context is really important. We're we're doing a similar thing for compliance. Because if you think about what MITRE ATT&CK and, this use case framework are meant to do, it's taking detections and mapping those back to controls. In this case, use cases or techniques or tactics, but but there are controls similar to how NIST, is a control framework and PCI and HIPAA and other other compliance frameworks. So you can do a similar kind of exercise with just a different lens on on the content really. And then, recently, we've added, kind of an a new attack surface here in, agentic AI security coverage. So something that that organizations weren't really dealing with, maybe a year ago, a year plus ago. Now this is something that that's, you know, at the absolute forefront as we know, employees are adopting AI tools to to to do things faster or do things that they couldn't do before, well, that AI agent now becomes kind of an agent on behalf of that employee, and it has permissions. It has data access. It has, you know, external real world outbound access. 
So because of that, you have to treat it like part of the attack surface and, you know, track the same kinds of things. Are we are we protected against these agentic threats? So, we'll we'll get into this in the demo, but, a a security team would adopt Outcomes Navigator in a few of of these key ways. Things like generating board reports or executive reporting, understanding where the weaknesses are and how investment in certain areas of certain levels would, would improve coverage. That way you can you can kind of, you know, identify the highest ROI. And then doing some of that that, research gathering for strategic decision making. I would not say that, you know, the agentic AI should be making decisions for your security program, but it is very good at at kind of surfacing the information to help you make the decision to to go do the research and, and make some comparisons. So, let's see if we can take a a quick look here. I will see if I can figure out how to pull up the screen share. Alright. So hopefully, my screen is becoming live. I think you can see it now. So this is Outcomes Navigator. Just one of the applications within the New-Scale platform. It is available to, SIEM and, New-Scale analytics customers. So if you're a a customer of New-Scale, you have access to Outcomes Navigator. This is the use case view. I also mentioned this MITRE ATT&CK view. They're they're both available. So you you can kind of adopt those as you choose. Peer comparison is configurable in here. That's what populates the different, metrics on the graph here. So this is where I can see the the trends and and how I compare, if my industry is catching up or if I'm, if I'm, you know, pulling out front. The upper right, we've got, the, the Nova advisor agent, AI summary. So we always kind of put a a TL;DR in here. 
You know, here here are kind of the the thirty second overview of, you know, areas that are declining, areas of weakness, consistently low coverage representing gaps, those kinds of things. So just trying to to put a real quick summary in front of the user. And then the actual use case matrix down here as well. So it's really easy to tell, what are the use cases where where coverage is very strong, what are use cases where coverage is weaker, and then let's let's actually get into the details. Let's let's take a look at some of this. So if I wanna understand, hey. I see the brute force attack is pretty low. Give me the context around that, and what do I do about it? Well, now in here, we can see, the the specifics. So we've been consistently low in in brute force attack coverage. We can also see that we're a little behind the industries in this case, the the set that I have configured in here. And then it will, essentially show you why is that the case and what do I do about it? The the the kind of next questions that an organization is probably going to ask. So in this case, and and this is a really key point for outcomes navigator. This is something that that's really a little bit unique. So if I open up, this analytics rule drawer, in here you can see, there are 13 analytics rules that map to this use case, and only one of them is satisfied. What does that mean? So this is actually highlighting kind of a classic security analytics, security operations, tool, fallacy, I would say, which is, I can come into a tool like this and just turn on all the detections and say, good job. I, you know, did it. Mission accomplished. Right? Hang the hang the banner. But what I've actually done is given myself a false sense of security because I've turned on all the detections, but I never spent any time to actually figure out if those detections will work or not. Do I have the data being fed into the platform that would ever allow those detections to fire? 
And what this highlights, through this low score is that of those 13 detections, which are all turned on, actually, only one of them is probably ever going to fire because we don't have the data fed into the platform to satisfy this detection logic. You know, could be things like, you know, password retrievals. So these are probably relying on a password vault, and I probably don't have that data source fed in. You can see things like, you know, a rule that's designed for Windows systems, but this isn't a Windows shop. They have Mac and Linux. So those rules are turned on, but they're just sitting there spinning. They're not gonna do anything. Can can be a a litany of different reasons, but what this is highlighting is there are multiple reasons why a rule may not be satisfied. It could just not apply to the organization, or maybe the right data just isn't being fed in or or enabled in configuration, or that rule needs to be tuned so that it it works properly, different things like that. That's what this is really meant to highlight to say, somebody needs to go look at those 12 rules that are unsatisfied, figure out if that's accurate. Like, should that be the case? Hey. This really just doesn't apply to us. Okay. Turn it off. This one does apply to us. Okay. Let's figure out what data is missing so that we can make that use case, behave the way it's supposed to. So, real real quick tour of kinda some of the bones of outcomes navigator. But I also wanted to highlight, you know, I I touched on this summary. There's much more data in here highlighting things like where's the organization strong so you can, again, validate that that investment is is paying off. Where are the weaknesses? Where are the gaps? Where are things declining? And then recommendations that will, look for commonality. Hey. 
If you enable this type of detection logic, you bring in this type of data, it's not just going to, map to a single use case necessarily, but, a new type of data may enable, detection logic across many use cases. In some cases, you're gonna find some quick wins there or strategic investments that, doing a little bit of work can increase coverage, across the board. So a handful of of priorities there. Again, this is AI AI generated. So, you know, every time it regenerates a summary, it's gonna, you know, come come up with a new set of findings generally. We also have some kind of longer term, strategy recommendations in here that may even, may even go outside of, of, you know, the usage of the tool and the data being fed into it and things that are more at the program level. So how how do you actually become more mature and improve coverage at a, program level, not not just within New-Scale? And then beyond that, we start to get into, the tools to do some of those what if scenarios and and things like that. So, you know, I can ask some relatively straight straightforward questions in this advisor agent. Things like, how would I improve my brute force attack coverage. Right? So the one we just looked at, we found a number of rules there that were unsatisfied. So it's gonna use that information to come up with some recommendations. Could be, well, we don't have to go into could be, but, you know, the the report that it generated, actually had some priorities in there that would help. Let let me restate those for you. Beyond that, here, here are some things that you can do. You probably don't have the right data sources being ingested. This is what we were just looking at in that rule set. Alright. You don't have password vault data being fed in. So, you know, some of those rules are are just not gonna work in in your environment. So lots of different recommendations in here. 
I've had some feedback that it's maybe a little too verbose, and and we can start a little more concise and then let the user ask for more detail. I I tend to lean on the side of let's let's give the user the information, and and they can they can choose to, take from that what they want. And this is also where you can do some of that that what if scenario. So, you know, how would my coverage be impacted if I onboard, you know, an EDR vendor? If I've got more data coming from the endpoint, how how would that impact coverage overall? Things like that. So, obviously, it's gonna come back and say something like, oh, here are all the use cases where it's, you know, where where things are gonna get better. It's so it's highlighting, use cases where where it will improve, and and, you know, where the score is today. It's not gonna go to the level of, here's what your score would be afterward because that I mean, you can try to make that kind of prediction, but, that starts to get a little bit dicey, to make make that specific of a of a prediction. But hopefully, that serves to illustrate kinda, you know, the the purpose of each one of these tools and, how how outcomes navigator can, can help an an organization improve. So I think with that, we can just kinda wrap things up. I have to figure out how to turn off the screen sharing and then go back to the slides. So, really appreciate, everyone's time. We've got a lot more sessions, as part of Elevate. We we hope you'll, you know, find something here that that is of use to you in in your organization. There's a few really good ones in here, you know, around a a number of different topics, securing, AI agents like we talked about earlier, insider threat, actually adopting some tools like MCP. So both sides of that AI equation, how do I use it to be more effective as an organization and, treating it as a as a threat and a risk, because both are accurate. And then our our CISO, with some, again, AI topics. 
So a lot of really good content in here. Hope this has been useful for you, and, really appreciate everyone's time today. So thank you so much for for watching with us.