Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
For those who have worked in security for some time, there has been a clear evolution in how cyber crime risks are communicated to the board. It has gone through several phases: from initial disinterest, through necessary but begrudging acceptance, to a point where measurement of the state of key risk indicators is now actively sought.
Back when we called it “Information Security”, it was often perceived as a business barrier and so the desire to get it on the board agenda to explain the growing importance of information, and the risks to it in terms of confidentiality, integrity and availability, was often met with a distinct lack of enthusiasm.
Then we called it “IT security”, and it became the domain of the IT department and sat alongside availability and functionality. “How quickly could the business get a new transactional web site on-line” was seen as more important so they could start selling goods and services.
Security teams wanted to highlight that systems were vulnerable to viruses and hackers (and worse, “script kiddies”) but these warnings often came late in projects or appeared to hinder progress. There was so much resource and effort devoted to IT and an ever-growing technology budget, yet so little focus (and budget) on security – it just wasn’t an “enabler”.
The widespread reports of security breaches and successful data exfiltration hastened the advent of the term “Cyber Security”, which truly changed board level perception of security. This, and the emergence of a cyber security insurance and underwriting industry, began to highlight the risks and related costs associated with targeted attacks, compromise of personal information and the increasing problem of IP theft by organised crime as well as nation states.
Cyber security became acknowledged as something that could affect the well-being of the company, its profitability, its customers’ personal data, the business “information crown jewels” and, for the directors, it became a fiduciary risk that could ultimately affect their roles as business leaders.
Put simply, it became a risk they were responsible for and needed to have visibility and management of. “IT security” wasn’t renamed “cyber security”; it was translated, re-branded and monetised.
There is always a challenge in explaining technical subjects to non-experts, but often, and in this case, it is vital. Explaining cyber security risk means finding a common language: a way of translating a security risk into the recognised business lexicon of risk and its measurement. What is the potential impact and, equally important so that it can be prioritised, what is its likelihood?
In cyber security we are faced with a deliberate and motivated adversary targeting our assets. In other areas of risk management we are dealing with accidents or non-deliberate events. We have, over time, developed tools and techniques to mitigate all but the most malicious threats.
In risk management terms, markets may move against you, exchange rates could shift and hurt your profitability, data centres could flood or there could even be environmental issues – but for many of these we have developed thresholds and indicators to determine or statistically predict them as real-world events.
How do you determine and quantify the risk in an ever-changing cyber world when the source of a threat is more deliberate and often more targeted?
Today’s reality is that you won’t achieve a perfect record by defence alone. The maxim that it is “when, not if” you fall victim to cyber crime is now widely accepted as holding true.
Consequently, investment, effort and attention must go beyond prevention alone to the continuous state of your defences. You need the ability to “notice” when a cyber crime attack occurs or when indicators of compromise are present, and the ability to react effectively.
The reasons this is important are threefold:
One of the biggest failings in the way cyber security risks are conveyed to the board is the use of technology-heavy terms, figures and metrics.
A list of 50 vulnerabilities or security issues that are being worked on gives no indication of the financial or business risk value. 500 problems in a population of 10,000 workstations might not sound too significant. However, a single critical unpatched vulnerability on a sensitive server could be hugely damaging.
You need to have a way of measuring the business risk associated with your cyber posture at any one point in time. Risk based decision-making is a key development in prioritising what is important for boards and what is not when it comes to cyber security.
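The contrast above, a raw finding count against a business-weighted risk figure, as an added example that is not part of the original article. The weighting scheme (asset criticality multiplied by finding severity, doubled for exploitable exposure), the asset names and the 500-versus-1 scenario are constructed for illustration; the weights are assumptions, not values the article gives.

```python
from collections import defaultdict
from dataclasses import dataclass

# Weights are illustrative assumptions, not values from the article:
# business criticality of the asset and technical severity of the finding.
CRITICALITY_WEIGHT = {"low": 1, "medium": 3, "high": 10, "crown_jewel": 30}
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}
EXPLOITABLE_MULTIPLIER = 2.0  # exposed, exploitable findings count double


@dataclass(frozen=True)
class Finding:
    asset: str
    criticality: str      # business criticality of the asset it sits on
    severity: str         # technical severity of the finding
    exploitable: bool = False


def finding_risk(f: Finding) -> float:
    """Business-weighted risk of one finding: criticality x severity x exposure."""
    risk = CRITICALITY_WEIGHT[f.criticality] * SEVERITY_WEIGHT[f.severity]
    return risk * EXPLOITABLE_MULTIPLIER if f.exploitable else float(risk)


def risk_kpi(findings):
    """Return (raw finding count, total business risk, assets ranked by risk)."""
    per_asset = defaultdict(float)
    for f in findings:
        per_asset[f.asset] += finding_risk(f)
    total = sum(per_asset.values())
    ranked = sorted(per_asset.items(), key=lambda kv: kv[1], reverse=True)
    return len(findings), total, ranked


# Constructed scenario using the article's own numbers: 500 low-severity
# findings spread over workstations vs. one critical, exploitable
# vulnerability on a crown-jewel server (hypothetical asset names).
WORKSTATION_FINDINGS = [Finding(f"ws-{i:05d}", "low", "low") for i in range(500)]
SERVER_FINDING = Finding("payroll-db-01", "crown_jewel", "critical", exploitable=True)


def compare_scenarios():
    """By count the server is 1/500th of the problem; by business risk it is larger."""
    ws_count, ws_risk, _ = risk_kpi(WORKSTATION_FINDINGS)
    srv_count, srv_risk, _ = risk_kpi([SERVER_FINDING])
    return {"workstations": (ws_count, ws_risk), "server": (srv_count, srv_risk)}


if __name__ == "__main__":
    for name, (count, risk) in compare_scenarios().items():
        print(f"{name:12s} findings={count:4d} business_risk={risk:7.1f}")
```

Ranking assets by their share of the total gives the board the “which key assets, how safe” view rather than a ticket count.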
Just when you start to think you have a satisfactory risk-based cyber security process in place for your information systems, you realise there is a far wider scope to the problem of cyber crime. What about the scale and scope of risks posed to your business by third parties, and the exposure of your data on their unprotected systems? Significant new exposure to cyber crime can be introduced this way. You are only as robust as the weakest link in the supply chain.
Measuring and managing these risks is an added responsibility that often means a complex programme of audits, self-assessments, sample-based scanning of systems and contractual safeguards – interfacing not just with IT but with business, procurement and commercial teams that handle the terms and conditions, and with auditors who oversee the arrangements.
It is a lot of effort and money, particularly when your systems regularly interface with much smaller enterprises and other organisations that might have an under-resourced or divergent cyber risk management approach or risk profile. You can be left with a high degree of uncertainty as to your exposure.
What the board needs to know is “What are our key assets and systems and how safe are they?”.
This means high-level, business-based risk information that requires effective key performance indicators and their ongoing measurement.
Start by looking at the security risk mitigation controls you have in place. If you are not sure where to start, look at recommendations from government bodies.
The Australian government has found that just eight key security controls can help protect an organisation against up to 85% of targeted cyber attacks.
Similarly, in the UK the National Cyber Security Centre has published a “10 Steps to Cyber Security” guide that covers the primary areas they view as important in delivering an effective security posture.
Irrespective of what and how many controls you have in place, they will only be fit for purpose if they are implemented properly, operating effectively and meaningful.
Monitoring security controls for effectiveness is paramount to managing your organisation’s cyber resilience.
Key Performance Indicators (KPIs) are well known in all areas of business as they present a quick and clear assessment of performance and situational awareness across an acknowledged set of key business-focussed measures.
Developing cyber security KPIs for your business means that your security team will have an effective and current (and comparative) view of your security status. Additionally, the information can be reported simply and concisely to all stakeholders in the business: auditors, risk managers and the board.
Finding an objective and continuous way of reporting your cyber KPIs has been a challenge for security teams over the years. However, advances in security analytics tools, dashboards and Security Scorecards now mean that your security team can measure your posture and quickly take positive action against a list of prioritised threats rather than wading through a never-ending avalanche of unprioritised, semi-interesting, and irrelevant technical data.
KPIs like this can also be used by the security team to show improvement in operational performance or to seek budget for additional technology or resources.
Using business-focussed, quantitative metrics to derive reportable KPIs in cyber security must be a good strategy; it is the way the rest of the business reports and manages its progress after all.