Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
National cyber security agencies, legislators and regulators regularly describe the cyber security threat environment as hostile, and point to that hostility as a driver of the relentless growth in cyber attacks. The same officials are increasingly insistent that organisations improve their cyber security performance in response.
Technology, and its dark shadow cyber security, is very much a business problem. It touches every part of your business, and the scope and scale of modern cyber attacks mean that operations can be compromised quickly. Disruption to a business and its supply chain from an attack can be debilitating and costly, damaging the reputations of all concerned. Directors and senior executives are increasingly being reminded of their obligations for operational resilience and oversight.
The rules of engagement are clear. In this increasingly hostile threat environment, organisations must continue to improve their cyber security performance just to stand still. Like navigating a fast-running river, you need to be careful you don't get swept downstream in the choppy current. Active management is needed to steer your organisation through this threat environment. A role of a business is to manage all types of risky environments for the financial benefit of its shareholders. That means actively gathering the information needed to make security decisions that deliver a return exceeding investors' cost of capital.
An acronym, VUCA, emerged from the US Army War College in the late 1980s to describe a highly complicated operating environment. The term made its way into management literature to describe the interrelated environmental factors (volatility, uncertainty, complexity and ambiguity) that compound to make successful risk management and effective decision making more challenging. It truly is "… crazy out there". In terms of the cyber security threat environment, businesses must maintain their ongoing operations in the face of these volatile, uncertain, complex and ambiguous threat conditions. Failure of directors or senior managers to effectively manage these adverse conditions is tantamount to being swept downstream: out of control and, potentially, culpable. Inattention to your cyber threat environment is not an option for today's enterprise.
Your enterprise's attack surface is the set of IT systems and assets that enable it and that an adversary could reach. It is constantly at risk from shifting attack vectors that change with every newly disclosed vulnerability and exploit. In 2022 alone, more than 25,000 new CVEs (Common Vulnerabilities and Exposures entries) were published. Not every endpoint is affected by every CVE, but with sometimes tens of thousands of endpoints to protect, security teams need to be able to assess this multiplicity of potential attack vectors to determine which ones represent a real threat to the business: which assets actually run the affected software, and which controls, if any, already mitigate the exposure. Attack vectors are constantly changing, and an adversary needs to find only a single gap in your defences.
No wonder cyber security is difficult, given its volatility, uncertainty and complexity. We will leave ambiguity for later, except to say that management processes that rely on anecdotal or subjective inputs to inform decisions will always remain ambiguous. As a result, security and executive teams are left with two tricky questions: (i) how to assess the effectiveness of protective security controls against a changing threat landscape; and (ii) what information is needed to reliably inform changes to those controls so as to maintain operational resilience more generally?
The frequency and quality of this environmental information determine its usefulness in managing your cyber resilience. If the results are subjective (gathered by sampling techniques or questionnaires, or otherwise unsupported by evidence) their value in guiding future security decision-making is limited. The same is true if the results no longer reflect the current state of the operating environment. When the threat landscape is this dynamic, the cadence of your assessments needs to keep pace with the rate at which the environment changes. Obsolete information about the state of your control settings is not a suitable basis for current risk management decisions, nor is it an adequate foundation for your operational governance.
An effective cyber risk management process needs to empirically measure the state and effectiveness of your controls, and determine their ability to mitigate the vulnerabilities and misconfigurations that emerge from the threat environment.
This assessment needs to be repeated reliably and often, so that the ongoing effectiveness of the security controls can be verified against the latest vulnerabilities rather than assumed.
Collecting and analysing relevant data from a dynamic threat environment is genuinely challenging. Because the environment changes unpredictably, it is important to shorten the measurement interval: the less time that passes between observations, the less can have changed in the meantime, so each observation describes a smaller, more tractable set of events and the uncertainty about the current state is reduced. Complexity too, whether it arises from the multiplicity of potential threat vectors or simply from the scale of current network architectures, becomes more manageable when measurement is frequent, because each assessment then needs to account only for the incremental change since the last. This methodology does raise the question of whether data collection and analysis at this scale can be achieved without some level of automation. That is particularly pertinent when you consider that the more reliable and current the assessment information is, the more suitable it is for actively managing control settings and ultimately improving your cyber resilience.
Getting timely information about the adequacy of your controls requires significant amounts of data, so large-scale data collection and analysis techniques are needed to keep that information relevant to the cyber security decision-making process. The speed and reliability of data-driven analysis enables proactive cyber security decision making, by identifying the particular controls that need to be reset, or the security policies that need adjusting, to better align with operational resilience objectives.
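As an added example (not part of the original article, and not a description of any vendor's product), the following Python sketch shows the kind of evidence-based, repeatable measurement the preceding paragraphs call for. A constructed asset inventory, recording the software versions and control states actually observed on each asset and when that evidence was collected, is checked against a constructed set of advisories (hypothetical identifiers ADV-001 to ADV-003, not real CVEs). Each exposure is marked mitigated or not according to the controls observed on that asset rather than the controls assumed to be there, per-control coverage across the estate is computed, and evidence older than the chosen assessment cadence is flagged as stale instead of being trusted.

```python
"""Evidence-based control measurement over an asset inventory (added example).

All assets, versions, control names and advisory identifiers below are
constructed for illustration; none refer to a real system or a real CVE.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "now" so the run is reproducible; a real collector would use the wall clock.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Asset:
    name: str
    software: dict          # product -> installed version, as a tuple for ordering
    controls: dict          # control name -> observed state (True = verified in place)
    observed_at: datetime   # when the evidence was last collected from this asset


@dataclass(frozen=True)
class Advisory:
    adv_id: str             # hypothetical identifier, not a CVE
    product: str
    fixed_in: tuple         # installed versions below this are affected
    mitigated_by: frozenset # compensating controls that neutralise the exposure


# Constructed inventory: three assets with differing controls and evidence ages.
ASSETS = [
    Asset("web-01", {"nginx": (1, 24, 0)},
          {"patching": True, "waf": True, "mfa": True, "edr": True, "segmentation": False},
          NOW - timedelta(hours=1)),
    Asset("db-01", {"postgresql": (14, 2)},
          {"patching": False, "waf": False, "mfa": True, "edr": False, "segmentation": False},
          NOW - timedelta(days=40)),          # evidence is far older than the cadence
    Asset("jump-01", {"openssh": (8, 9)},
          {"patching": True, "waf": False, "mfa": False, "edr": True, "segmentation": True},
          NOW - timedelta(hours=2)),
]

# Constructed advisories: which product and versions are affected, and which
# control would mitigate the exposure if it is actually present on the asset.
ADVISORIES = [
    Advisory("ADV-001", "nginx", (1, 25, 0), frozenset({"waf"})),
    Advisory("ADV-002", "postgresql", (14, 5), frozenset({"segmentation"})),
    Advisory("ADV-003", "openssh", (9, 0), frozenset({"mfa"})),
]


def is_exposed(asset: Asset, adv: Advisory) -> bool:
    """An asset is exposed when it runs the affected product below the fixed version."""
    installed = asset.software.get(adv.product)
    return installed is not None and installed < adv.fixed_in


def is_mitigated(asset: Asset, adv: Advisory) -> bool:
    """Only controls observed as present on this asset count as mitigation."""
    return any(asset.controls.get(c, False) for c in adv.mitigated_by)


def control_coverage(assets: list) -> dict:
    """Fraction of assets on which each control was observed to be in place."""
    names = sorted({c for a in assets for c in a.controls})
    return {c: round(sum(a.controls.get(c, False) for a in assets) / len(assets), 2)
            for c in names}


def assess(assets: list, advisories: list, now: datetime = NOW,
           max_age: timedelta = timedelta(days=7)) -> dict:
    """One assessment cycle: exposures, what mitigates them, and how fresh the evidence is."""
    findings = []
    for a in assets:
        evidence_current = now - a.observed_at <= max_age
        for adv in advisories:
            if is_exposed(a, adv):
                findings.append({
                    "asset": a.name,
                    "advisory": adv.adv_id,
                    "mitigated": is_mitigated(a, adv),
                    "evidence_current": evidence_current,
                })
    return {
        "exposed": len(findings),
        "unmitigated": [f"{f['asset']}:{f['advisory']}" for f in findings if not f["mitigated"]],
        "stale_evidence": [a.name for a in assets if now - a.observed_at > max_age],
        "control_coverage": control_coverage(assets),
        "findings": findings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(ASSETS, ADVISORIES), indent=2, default=str))
```

On this constructed data all three assets are exposed to one advisory each, but only web-01's exposure is mitigated by a control that was actually observed in place. The db-01 finding is additionally flagged because its evidence is 40 days old against a seven-day cadence: the right response is to re-collect, not to reuse last month's control state as if it were current.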
Being able to quickly determine the adequacy of current security control settings means the CISO and the security team have visibility of their key IT assets, evidence of the state of the controls that protect them, and ultimately a measure of their cyber resilience. It also gives the team prompt and actionable intelligence about any new or emerging security gaps that might put the organisation at risk.
Obviously, threats can come from multiple sources, but focusing first on those that threaten an organisation's security hygiene or resilience is a smart place to start. So too is identifying your critical IT systems and assets, and selecting a security framework against which to measure the effectiveness of your controls, even as the threat environment changes. Establishing your operational resilience on baseline cyber hygiene controls will significantly reduce your exposure to attack; more controls can be added later.
The important thing for now is to understand the purpose of the risk assessment information. Is it for active management of the cyber resilience process or simply historical reporting? Is the information frequent and accurate enough to meet your risk management and performance management needs? And then, is it evidence-based and sufficiently reliable to meet the statutory reporting and operational resilience obligations of you and the board?
The reason for all the questions is simple. To manage your cyber security posture in a dynamic threat environment, organisations need regular risk assessments, or actionable performance information, to guide their management efforts. They need objective, evidence-based information about their control settings and the effectiveness of those controls in the current threat environment. Cyber security management is the ultimate in active management; so much so that old-fashioned periodic risk management practices struggle to keep up. The environment is too fast and complex, and the consequences of failure too great.
Security control settings need to be adjusted frequently to address changes in the underlying threat environment; otherwise you run the risk of going backwards, in a security sense. Anything less than timely, evidence-based information is unsuitable for an active risk management process. Worse, relying on obsolete information to guide your risk management decisions is like using yesterday's information to address tomorrow's security problems.
To learn more about how data-driven risk assessment can inform your decision making and improve your operational resilience please contact us here for a chat.