- Are we doing enough to protect ourselves against a growing threat of cybercrime?
- What are our competitors doing, in terms of strategy, building capability and related investments in cybersecurity?
- What threats have been thwarted, and can we demonstrate that our (cyber) risk is within an agreed appetite?
Many organisations have an array of security tools, ranging from anti-malware and encryption software to more sophisticated intrusion detection, vulnerability scanning, and security information and event management (SIEM) solutions. It has historically been difficult for the average risk manager, let alone business executives, to aggregate performance data for a cyber function. With a wide variety of (reporting) tools, Security or Risk Leads have been hampered by an unwieldy set of data points that fail to address the more fundamental questions highlighted above. IT security functions are often ivory towers, and in turn they can be divided into control-oriented teams that each have their own take on indicators of compromise, risk assessments and reporting logic. It is easy to get lost in the idiosyncrasies of identity & access, network-based, application-based and platform/OS-based controls, each cross-referencing similar, but often not the same (normalised), data. This makes aggregation and effective risk reporting a huge challenge, especially in larger, globally operating companies.
For example, monthly vulnerability scans in data centres can detect missing patches on specific operating systems or infrastructure software. These patches could have addressed vulnerabilities picked up by earlier penetration tests, which could in turn have been correlated to one or more security incidents captured in a case management tool. Unless these findings are fed through a single analysis and reporting platform, the aggregation is more often than not impossible because of different data descriptions and attributes, and different reporting lines or cycles.
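To make the correlation problem concrete, the following added example (not from the original article or any vendor product) normalises constructed records from the three sources named above, a vulnerability scanner, a penetration test report and a case management tool, into one (asset, CVE) schema and rolls them up into a few Key Risk Indicators; all host names, patch ids and CVE ids are placeholders.

```python
from collections import defaultdict

# Constructed sample records, each in its own tool's native shape.
# Note the inconsistent host naming and the CVE list stored as one string.
SCAN_FINDINGS = [  # monthly vulnerability scan: missing patches per host
    {"hostname": "DB01.corp.example", "missing_patch": "PATCH-A", "cves": "CVE-0000-0001,CVE-0000-0002"},
    {"hostname": "WEB02.corp.example", "missing_patch": "PATCH-B", "cves": "CVE-0000-0003"},
]
PENTEST_FINDINGS = [  # earlier penetration test report
    {"target": "db01", "cve_id": "CVE-0000-0001", "severity": "High"},
    {"target": "web02", "cve_id": "CVE-0000-0003", "severity": "Medium"},
    {"target": "web02", "cve_id": "CVE-0000-0009", "severity": "Low"},  # no longer seen by the scanner
]
INCIDENTS = [  # case management tool
    {"case": "CASE-PLACEHOLDER-1", "asset": "db01.corp.example", "related_cves": ["CVE-0000-0001"]},
]


def asset_key(name: str) -> str:
    """Tools name the same host differently; reduce every variant to a lower-case short name."""
    return name.strip().lower().split(".")[0]


def normalise() -> dict:
    """Map every (asset, cve) pair to the set of sources that reported it."""
    seen = defaultdict(set)
    for r in SCAN_FINDINGS:
        for cve in r["cves"].split(","):
            seen[(asset_key(r["hostname"]), cve.strip())].add("scan")
    for r in PENTEST_FINDINGS:
        seen[(asset_key(r["target"]), r["cve_id"])].add("pentest")
    for r in INCIDENTS:
        for cve in r["related_cves"]:
            seen[(asset_key(r["asset"]), cve)].add("incident")
    return dict(seen)


def key_risk_indicators(seen: dict) -> dict:
    """Roll the normalised view up into KRIs a risk committee can track month on month."""
    confirmed_unpatched = [k for k, s in seen.items() if {"scan", "pentest"} <= s]
    return {
        "open_scan_findings": sum("scan" in s for s in seen.values()),
        "pentest_confirmed_unpatched": len(confirmed_unpatched),
        "unpatched_with_incident": sum("incident" in seen[k] for k in confirmed_unpatched),
        "pentest_findings_not_in_scan": sum(s == {"pentest"} for s in seen.values()),
    }


if __name__ == "__main__":
    for name, value in key_risk_indicators(normalise()).items():
        print(f"{name}: {value}")
```

The same normalisation step is what a real aggregation platform has to perform before any of the three questions at the top of this piece can be answered from the data.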
This lack of governance and control consistency leads to unnecessary complexity in understanding security risk positions across the IT function and diminishes the value CSOs can offer to the wider business community and its Executive.
Vendors like Kenna, Gigamon, BlueCube and Digital Shadows have products that aim to streamline and harmonise cyber risk information, but they are also constrained by their own technology stack, APIs and platform choices that make up their ecosystems. Their solutions go a long way in addressing the executive reporting issue, but they will never be successful if there isn’t a top-down interlock of controls that drive a more strategic approach to executive security (risk) reporting. In essence, threat analysis, use cases or (in the cyber context) ‘misuse’ cases will drive the selection of security capabilities and investment with a view to being able to adequately respond to cyberattacks, inform the risk/audit function and the executive.
As some vendors highlighted in their presentations: there is an emerging requirement to be able to independently test, rate and benchmark security capabilities, as well as the security posture of an individual organisation. These trends may better support management with standards for assessments of capabilities in the longer term. It will also help efforts to standardise and improve performance reporting, using a more uniform classification of security threats and capabilities. Changes to an independently verified cybersecurity risk score of an organisation would be a welcome conversation starter in any company board room and would lead to a more focused debate around investment priorities for a CSO organisation.
Horizon watchers point to the exponential increase of exposure caused by the internet of things (IoT) and Artificial Intelligence (AI) applications. The existing supply chain risks of increased connectivity were demonstrated in an Airport Security case study. Interconnected storage of sensitive documents distributed amongst airport contractors and business partners resulted in an astonishing number of security data breaches in the aviation industry, an industry widely believed to be on top of managing its security risks.
Returning to our three exam questions, it would be fair to state that there are tools in the market that can help the cyber professional assemble, assess and report relevant risk data to their stakeholders. However, it requires a concerted effort from both security (risk) professionals and tool vendors to normalise and aggregate security risk data into a relevant set of Key Risk Indicators (KRIs), allowing senior management to make informed decisions about levels of protection and acceptable risk in their existing and future operating models.