The Invisible Posture
When your improved security posture is invisible in detection-based metrics.

Edition #18: The Invisible Posture
Your team deployed S3 Block Public Access organization-wide. Findings dropped to zero.
Leadership reviews dashboards: "Why did resolved findings drop? Is the security team doing less work?"
This is The Invisible Posture - when your improved security posture is invisible in detection-based metrics.
Why does this happen?
Detection and remediation work is visible and measurable. Findings discovered, tickets closed, vulnerabilities fixed. Clear before/after: problem existed, problem resolved. Dashboards show constant remediation activity.
Prevention is invisible. Success means violations never happened. Nothing to find, nothing to close, nothing to show in traditional dashboards. It requires measuring what DIDN'T occur.
Organizations default to measuring problems found and fixed. But governance effectiveness also means measuring problems prevented. Both matter. Most teams only measure one.
Measure prevention effectiveness using the Feedback and Visibility Practices from the 5 Practices of Cloud Governance:
→ Track actions blocked - Count API calls blocked by organization policies before the resources are ever created.
→ Measure deployments protected - Build-time scanning stops violations during PRs. Track deployments scanned, violations caught pre-production.
→ Quantify findings eliminated - Before control: 50 findings/month. After: zero. Prevention eliminated 50 at source.
→ Calculate capacity freed - Remediation time saved. 50 findings × 30 min = 25 hours/month freed for strategic work.
→ Show coverage expansion - Controls rolled out to X accounts. Y% protected by secure defaults.
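The five metrics above can be computed from data most cloud teams already have. The following script is an added example, not code from the newsletter or from Turbot: it reads CloudTrail-style records (the sample events are constructed, not from a real trail), counts calls denied by an organization policy, and combines that with the findings-before/after, time-per-finding and account-coverage figures from the list. The helper names (`is_org_policy_block`, `prevention_report`, etc.) are mine; the assumption that an SCP denial shows up as an `AccessDenied` error whose message contains "explicit deny in a service control policy" matches the IAM deny wording, but verify it against your own trail before relying on it.

```python
"""Prevention metrics from CloudTrail-style records (added example, constructed data)."""
import json
from collections import Counter

# Constructed CloudTrail-like records; only the fields the metrics need are kept.
# Assumption: an organization-policy denial appears as errorCode AccessDenied with
# the "explicit deny in a service control policy" phrase in errorMessage.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "recipientAccountId": "111111111111",
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::111111111111:user/dev is not authorized to "
                     "perform: s3:PutBucketAcl on resource: arn:aws:s3:::example-bucket "
                     "with an explicit deny in a service control policy"},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "recipientAccountId": "222222222222",
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::222222222222:role/ci is not authorized to "
                     "perform: s3:PutBucketPolicy on resource: arn:aws:s3:::other-bucket "
                     "with an explicit deny in a service control policy"},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "recipientAccountId": "111111111111",
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::111111111111:user/dev is not authorized to "
                     "perform: s3:PutBucketAcl on resource: arn:aws:s3:::example-bucket "
                     "with an explicit deny in a service control policy"},
    # A deny that did not come from an organization policy: counted separately.
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "recipientAccountId": "222222222222",
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    # A successful call: no errorCode at all.
    {"eventTime": "2024-05-01T10:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "recipientAccountId": "111111111111"},
]

SCP_MARKER = "explicit deny in a service control policy"


def is_org_policy_block(event):
    """True when the call was denied by an organization-level policy (assumed wording)."""
    return (event.get("errorCode") == "AccessDenied"
            and SCP_MARKER in event.get("errorMessage", ""))


def count_blocked_actions(events):
    """Metric 1: blocked API calls, keyed by (eventSource, eventName)."""
    return Counter((e["eventSource"], e["eventName"])
                   for e in events if is_org_policy_block(e))


def blocked_by_account(events):
    """Same metric split per account, so an account with no blocks stands out."""
    return Counter(e["recipientAccountId"] for e in events if is_org_policy_block(e))


def findings_eliminated(before_per_month, after_per_month):
    """Metric 3: findings removed at source; never negative."""
    return max(before_per_month - after_per_month, 0)


def capacity_freed_hours(eliminated, minutes_per_finding):
    """Metric 4: remediation hours no longer spent each month."""
    return eliminated * minutes_per_finding / 60


def coverage_percent(protected_accounts, total_accounts):
    """Metric 5: share of accounts under the secure default."""
    if total_accounts == 0:
        return 0.0
    return round(100 * protected_accounts / total_accounts, 1)


def prevention_report(events, before, after, minutes_per_finding, protected, total):
    """Bundle the prevention metrics into one dashboard-ready dict."""
    eliminated = findings_eliminated(before, after)
    by_action = count_blocked_actions(events)
    return {
        "actions_blocked": sum(by_action.values()),
        "blocked_by_action": {f"{src}:{name}": n for (src, name), n in by_action.items()},
        "blocked_by_account": dict(blocked_by_account(events)),
        "findings_eliminated": eliminated,
        "capacity_freed_hours": capacity_freed_hours(eliminated, minutes_per_finding),
        "coverage_percent": coverage_percent(protected, total),
    }


if __name__ == "__main__":
    # 50 findings/month before, 0 after, 30 min each, 40 of 50 accounts covered.
    print(json.dumps(prevention_report(SAMPLE_EVENTS, 50, 0, 30, 40, 50), indent=2))
```

In production you would feed `prevention_report` the events from a CloudTrail Lake query or an Athena table instead of the constructed list, and emit the dict to the same dashboard that shows resolved findings, so the two views sit side by side.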
Detection metrics show problems found and fixed. Prevention metrics show problems blocked before creation. Both matter. Great governance measures both.
- Keep on Herding, Bob
PARTNER SPOTLIGHT
Turbot: Complete Cloud Governance
Transform visibility into action with automated policy enforcement and remediation at enterprise scale.
What's Happening in Cloud Governance 📡
Security governance - AWS CAF Security Perspective: AWS Cloud Adoption Framework's security perspective emphasizes governance as one of six security domains. Organizations must establish security governance programs that define responsibilities, track compliance, and integrate security into cloud operating models.
Securely Govern Your Cloud Estate: Microsoft's Cloud Adoption Framework provides guidance on securely governing cloud estates through policy-driven controls and compliance monitoring. Organizations should implement landing zones, resource organization hierarchies, and automated guardrails to maintain security posture.
FinOps Foundation sharpens FOCUS to reduce cloud cost chaos: The FinOps Foundation's FOCUS specification standardizes cloud cost and usage data formats to reduce chaos in multi-cloud billing. This common schema enables organizations to build consistent governance and reporting across AWS, Azure, and GCP environments.
A Guide to Implementing Cloud Governance Framework: Implementing a cloud governance framework requires defining policies, establishing controls, and measuring compliance across multiple dimensions. Organizations should start with core requirements around security, cost, and operations before expanding governance scope.
Get Involved 👋
Join the conversation on LinkedIn about this newsletter edition.