Most CISO teams would list measuring, communicating, and tracking the mitigation of ‘compound IT risk' as their biggest challenge today. Why? Because while they have lots of data from individual security technologies and IT systems, they struggle to join these up and get a continuous view of what their data tells them about how their security controls are performing, and ‘their next best decision' to reduce exposure to compromise.
Security teams in many firms - even the best funded – face a monthly or quarterly battle with this problem. They deal with a patchwork of business intelligence, operational alerting, and ‘big data' tools to try and pull data together to gain strategic insights for prioritisation and reporting. But to make this patchwork function, there are lots of time-consuming manual processes.
Very often the security metrics that firms have only deliver a snapshot in time from one month or quarter to the next. There is no continual measurement of the operational health of security controls that are vital to maintaining an appropriate cyber-hygiene baseline. There are also significant challenges in correlating information to move beyond silo'd prioritisation efforts. This means while there can be effective prioritisation within a specific control domain (eg for vulnerability and patch management, how to achieve the biggest reduction in attack surface across an IT estate), it's very rare that CISOs have a horizontal view across their controls to know where to focus their resources for best overall effect.
These technical challenges have a knock-on business effect, which is that it's hard to show strong control over your exposure to compromise and impact, and consequently your decisions about how security resources are focused. Executives know that security is made up of 100 moving parts, and that on any given day, a change in one of those could lead to a material incident if some of the other parts aren't lined up right. But the inability to look across geographies, IT teams and business units on a daily basis, to know that environments are being managed in line with expectations, and to see that issues are being dealt with in a timely manner, puts them ill-at-ease. As a CFO told me recently, “I need to be able to point at evidence based on good, current data and tell shareholders ‘This is what justifies my level of comfort about our risk posture and governance' … and with cyber-security, I can't do that.”
CISO teams are acutely aware of the need to address this, but also of the fact they need agility and flexibility from any set of technologies they look to for a solution. This is both due to the range of data types that they need to be able to access and manipulate, as well as the changing questions they need to answer. Often they face a Catch 22 decision: either to purchase analytics technology that correlates only a very few specific data sets for a specific control (eg vulnerability management) or particular problem domain (eg insider threat), but which is not extensible to other data sets that teams need to answer more complicated questions; or to buy a general purpose platform that can handle a vast array of data, but requires a vast amounts of costly customisation.
In the age of digital risk, agile analytics is a core capability that security teams already require today. They need to be able to take a new data set that's never been used before (however large it is and fast it moves), correlate it with other data, or use it to enrich an existing data and analytic model. And they need to be able to do that in days or hours not weeks or months, to get different views into their data, and spin on a dime when they get asked a new (and often harder) question by a regulator, an executive or a customer.
As recent breaches have shown, this all needs to start with ‘seeing the things you shouldn't miss', because it's not the super-mega-advanced stuff that causes most breaches; it's the simple stuff you look back on and think ‘If only I'd known, I could have stopped that easily!'
For example, by using readily available data sources to create and maintain a security-smart device inventory, CISO teams can quickly build up and maintain an accurate picture of their estate. They can then establish if foundational controls such as vulnerability management and malware protection have coverage across all the assets that they should do. They can then see on a continual basis if controls are operating consistently, and if issues that are identified (either coverage gaps or operational failures) are being closed out in the time expected. With this baseline of understanding – tracked on a daily basis and trended over time - CISO teams can better prioritise, decide and communicate across stakeholders to drive improvement where it matters most.
The result of this means that not only can security show how activity is relevant in terms of ‘things you do security to' (ie devices, people, applications); they can also show executives how security is addressing risks that are in the frames of reference that matter to them: data loss, reduction of service availability and critical compliance failures.
Contributed by Nik Whitfield, CEO, Panaseer
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.