Cyber security is one of the largest and most critical risks facing businesses. It has had continued and increasing attention not only from within the IT security function itself but from the wider business at board level.
There are numerous studies available on the scale of risks, the increasing size of fines, the increasing awareness at board level and for consumers. Within “the security industry” there is ample research on the threats, the levels of technical sophistication of attackers and the ways in which systems and processes can be breached leading to a loss of data.
However important cyber security is, there are other business imperatives. As the chair of ISACA recently said:
Security no longer king says ISACA chair
Digital transformation knocks cyber-security off its perch, staff incentives not working, the skills gap impacts maturity & business’ ability to quantify security risk
Brennan P Baybeck, ISACA board chair
Businesses have priorities and face a wide range of risks, and security risks need to be considered accordingly.
An example is reputational risk. A business involved in activities unpopular with some groups, whether in terms of environmental impact, the use of cheaper overseas labour, single-use plastics, climate change or the payment of “fair” taxes, can find itself at the mercy of the press, consumers and politicians. Nowadays security and privacy are a part of this: being a responsible “information custodian”, treating data in a “fair” way, protecting privacy and, when a breach occurs, being quick to own up and take responsibility. These all matter to consumers and hence to the politicians and media outlets that they engage with. Customer boycotts and social media campaigns are now a real risk for a business that upsets its target market.
If a board is worried about reputation or is using a proud ethical/responsible stance as a competitive differentiator, then a big part of the business case for good cyber security (or at least getting the basics right for good “cyber hygiene”) is already in place. The reputation is just as much at risk from a failure in this area as any other.
Risk management – whether it’s quantitative risk based on the regulatory fines, the business value of reputation, or the need to pursue Digital Transformation to drive the business forward – plays more of a role than ever.
Certainly, it is necessary to have an intelligent conversation about it with the business in risk terms.
The importance of compliance goes hand-in-hand with risk.
Adopting, aligning or embedding a standard in the cyber security approach helps manage risk. Many standards entail a requirement – stated or otherwise – to have assessed the risks faced. In some cases, this is explicitly to choose the controls that you actually deploy from the standard itself.
Certainly, compliance to laws and regulations has a big part to play. The rise of GDPR as a driver for requirements and the scale of fines it can entail has focused attention on privacy and security in a major way.
The breach notification laws in the US, as well as the fines the FTC imposes for security and privacy breaches, have had a similar effect. For listed companies, the need to declare risks in SEC filings means having continuous sight of security risks and breaches.
Besides what is enforced by governments and regulators, there are the standards that relate to specific sectors and business practices – examples being HIPAA, which pertains to PII and healthcare data, PCI-DSS for credit card information and EBA or FCA rules for banking institutions. These are critical to enable the business to operate, so they are “laws” in all but name.
Then there are the standards that businesses can “choose” to follow – they comprise everything from large frameworks like Cobit or ISO27001, to specific standards that are perhaps easier to adopt like the SANS or OWASP guides. Then at the lowest end there is a range of “high level”, smaller standards designed for cyber security in smaller businesses.
The UK’s NCSC publishes its “10 Steps”, and in Australia the ACSC equivalent is the Essential Eight. Businesses may not be able to justify the expense and rigour of a comprehensive standard or framework, but they cannot ignore fewer than a dozen “best practice” rules offered as basic cyber hygiene guidance.
In the midst of all this is the role of audit. Cyber risks are important to the board and stakeholders, so audit must check that the selection of controls and their effectiveness is robust and resilient to ensure that the systems and data they protect can be relied upon and trusted.
Compliance drivers (or compliance failures and the associated fines) can introduce costs that the business must either manage or account for and so there is a need for the governance functions to have sight of the exposure to these and the way the business is controlling them.
As the governing body says:
The role of internal audit is to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively.
“What is internal audit?”, Chartered Institute of Internal Auditors, 23 May 2019
For audit, there is an increasing need to identify and understand cyber risks in the light of growing legal, financial, regulatory and consumer pressure, and to reflect the nature of modern organisations with their complex web of technologies, third parties, data assets and controls. Against that backdrop, giving a view on the effectiveness of controls and the trustworthiness of systems and data is paramount.
Do IT and the business have the right controls, and are the controls operating properly?
The importance of this is clear in recent guidance from PCAOB around the reliability of audit evidence – in terms of how easy it is to get “telemetry” out of operational systems and controls, but also the way in which that evidence is obtained: how many people and “pairs of hands” need to gather, collate, analyse, access and interpret it before the final results are available. The need to report on these means that recognising the probability of incidents going unnoticed, or of misstatements being made, is well and truly on the audit agenda. Cyber security is not the only area of concern here, but it may well be one of the least mature in addressing it.
As these challenges combine, some things are self-evident. Certainly, all three areas – risk, compliance and audit – need each other in a fundamental way. And all are important to cyber security.
Enter Regtech, the automation of compliance and risk management using technology to provide safer and faster outcomes and higher levels of visibility and assurance.
Compliance is routinely used to justify security purchases, either directly in the form of controls or through spend on auditing and assessing the controls in place. There have even been anecdotal cases of “compliance” being used to justify spend on solutions that were desired by security teams but not necessarily the best or only way to deliver a compliance objective.
Regtech is an area of innovation that aims to deliver compliance by monitoring and gathering the necessary data so that algorithms in the technology itself can make judgements, rate risks, analyse the context and then seamlessly report or act to perform the necessary checks, control changes or corrections.
Risk assessment is an accepted way, within a compliance regime, to identify the defences needed and highlight the ones that are more important and should be given highest priority in deployment, operation and oversight.
This brings the role of audit into sharp focus.
Are security controls present, are they appropriate to the compliance obligations and the risks the business faces? Do controls provide an adequate defence so that the integrity of systems and data can be assured? Are there exposures to costs, restitutions, fines or other sanctions that could affect the business in a material way? Critically, are misstatements being made (or possibly being made) about the state of security and assurance that would never be tolerated within a finance function, simply because the technical challenges and uncertainty complicate both the answers and the understanding of them?
Requiring audits to highlight poor availability of, or delays in obtaining, audit evidence recognises that systems which fail to provide this evidence may be less trustworthy than those that do (or at least harder to manage with any degree of certainty). Likewise, we are asking audit functions to make judgments about the degree of automation and about how well evidence is protected from human interpretation and interference.
The solution is to maximise automation. By taking humans out of the loop for accuracy and integrity purposes, the utopia of continuous assessment and measurement can be realised.
Regtech solutions that provide continuous assessment and measurement are available. Moreover, they have the ability to link into the IT service and operations processes to enable closed-loop remediation of findings. This puts another feather in the cap of security oversight – the ability to quickly find issues that have arisen, report on them and be confident that they have been marked for the business areas or IT to resolve.