Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
Organisations are being asked by regulators, partners, and other stakeholders to improve their cyber security risk management process. As cyber risk becomes recognised as a business risk, both senior executives and operations security managers are seeking greater visibility of those risks and access to tools that will help mitigate them.
Executives charged with ultimate responsibility for the cyber resilience of their businesses are vitally interested in the nature of those risks, and in a regular summary of the latest cyber security posture. Cyber security scorecards and ratings can provide a summary measure of that security posture.
For operations and security managers, a summary rating is only the starting point; it is the verification of the nature and extent of these risks that is key to the security management process. Diagnostic investigation and empirical measurement are important in identifying and prioritising such risks. Evidencing changes in security outcomes as a result of adjustments to risk settings is fundamental to a successful and ongoing cyber risk management strategy.
Security scorecard solutions typically provide a clear and concise cyber risk summary and rating report for senior executives. However, there is another very important function of security scorecard metrics: to provide quantitative and detailed IT systems risk information for the purposes of operational risk diagnostics, investigation and remediation by the SOC team.
Information provided by a security scorecard should ideally be based on empirical measurement and systematic analysis of a framework of cyber security KPIs across the organisation.
Quantitative measurement of risk information is a must for cyber security diagnostics, risk management and ongoing security operations management. By measuring the operational state of multiple security vectors (or KPIs) within an organisation, for example patching, administrator privileges and multi-factor authentication, the residual levels of risk can be measured and a security rating calculated from observed control state rather than from survey answers or opinion.
The days of arbitrary cyber security risk assessment have gone. Standardised assessment processes and reliable measurement methods are critical elements of an effective cyber security risk management regime.
The timeliness of information and the currency of the risk rating are vital in managing risk; a cyber security environment is notoriously volatile, so point-in-time risk ratings can quickly become obsolete. This is an important consideration, as cyber security risks can emerge quickly and unexpectedly, and with potentially damaging results, so security risks need to be continuously measured and risk ratings updated accordingly.
Essential 8 Scorecard – Trend Report
Seeing the outputs and effects of security controls on a continuous, automated basis is not only essential to ensure accuracy but is also the only way to generate reliable trend data that enables cyber security performance measurement and improvement over time. The more systematic the process and the more metrics it covers, the more reliable the trend data.
Qualitative risk measurement methodologies are sufficient for indicative security ratings, whereas ongoing risk monitoring and measurement needs to be part of a risk management process. Subjective methodologies and the absence of a systematic and repeatable process limit their usefulness in detecting small changes.
Being able to measure even small deviations in cyber security risk is important for making timely business-based risk responses. It is also how risks can be compared and prioritised, so that mitigation efforts can be ordered on the basis of cost-benefit analysis.
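A toy scorecard along these lines, added here as an illustration and not the Essential 8 Scorecard's own code, shows the three steps the text describes: each control is measured as a ratio from operational data, the ratios are combined into a weighted rating, two snapshots are compared so that a small drop in one control is surfaced even when the headline rating barely moves, and the remaining gaps are ranked by rating gained per unit of remediation cost. The control names, weights, costs, alert threshold and weekly figures are all assumptions made up for the example.

```python
"""Added illustration of a quantitative control scorecard (not the vendor's code).

Each control is measured as a ratio (compliant / total) from operational data,
combined into a weighted rating, compared between snapshots to surface small
deviations, and ranked for remediation by benefit per unit of cost. Control
names, weights, costs, threshold and the sample figures are all assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Measurement:
    control: str
    compliant: int  # e.g. hosts patched within SLA, accounts enrolled in MFA
    total: int

    @property
    def coverage(self) -> float:
        return self.compliant / self.total if self.total else 0.0


# Assumed relative weight of each control in the overall rating (sums to 1).
WEIGHTS = {"patching": 0.40, "mfa": 0.35, "admin_privileges": 0.25}

# Assumed relative cost of closing each control's gap completely.
COSTS = {"patching": 2.0, "mfa": 5.0, "admin_privileges": 1.0}


def coverage_by_control(snapshot):
    """Map control name -> coverage ratio; refuse incomplete snapshots."""
    cov = {m.control: m.coverage for m in snapshot}
    missing = set(WEIGHTS) - set(cov)
    if missing:
        raise ValueError(f"snapshot lacks measurements for: {sorted(missing)}")
    return cov


def rating(snapshot):
    """Weighted coverage across all controls, as a percentage (0..100)."""
    cov = coverage_by_control(snapshot)
    return 100.0 * sum(WEIGHTS[c] * cov[c] for c in WEIGHTS)


def deviations(before, after, threshold=0.01):
    """Controls whose coverage moved by more than `threshold` between two
    snapshots, worst weighted impact first. A negative delta means coverage fell."""
    b, a = coverage_by_control(before), coverage_by_control(after)
    moved = []
    for c in WEIGHTS:
        delta = a[c] - b[c]
        if abs(delta) > threshold:
            moved.append({"control": c, "delta": delta, "weighted": WEIGHTS[c] * delta})
    return sorted(moved, key=lambda d: d["weighted"])


def remediation_order(snapshot):
    """Rank controls by rating gain per unit cost if each gap were fully closed."""
    cov = coverage_by_control(snapshot)
    scored = []
    for c in WEIGHTS:
        gap = 1.0 - cov[c]
        benefit = WEIGHTS[c] * gap  # fraction of the rating recoverable
        scored.append((c, benefit / COSTS[c]))
    return [c for c, _ in sorted(scored, key=lambda t: t[1], reverse=True)]


# Constructed sample snapshots (not real data): two weekly measurement runs.
WEEK_1 = [
    Measurement("patching", 950, 1000),
    Measurement("mfa", 800, 1000),
    Measurement("admin_privileges", 45, 50),
]
WEEK_2 = [
    Measurement("patching", 900, 1000),  # 50 hosts slipped outside the patch SLA
    Measurement("mfa", 805, 1000),       # small gain, below the alert threshold
    Measurement("admin_privileges", 45, 50),
]

if __name__ == "__main__":
    print(f"week 1 rating: {rating(WEEK_1):.1f}")
    print(f"week 2 rating: {rating(WEEK_2):.1f}")
    for d in deviations(WEEK_1, WEEK_2):
        print(f"  {d['control']}: {d['delta']:+.3f} (weighted {d['weighted']:+.3f})")
    print("remediate in order:", remediation_order(WEEK_2))
```

Between the two snapshots the headline rating falls by less than two points, which a traffic-light summary would not show; the per-control comparison isolates patching as the cause, and the cost-weighted ranking puts the cheap administrator-privilege clean-up ahead of the expensive MFA rollout even though MFA has the larger raw gap.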
In modern business, data scientists, analysts and senior executives, whether at the board or operational level, demand evidence-based management information based on quantitative data.
Management algorithms and business decisions are increasingly determined by the analysis of relevant and verifiable data; security risk management included. Performance management and risk diagnostics, too, rely on empirical measurement to quickly determine risk differentials and make relevant security-based business decisions.
What many auditing, scanning or survey solutions cannot answer is "how and why". Only quantitative measurement can provide that information. As we have discussed, diagnostics and investigation are key functions for many operations and risk managers, so being able to identify and mitigate particular risks relies very much on verifying the connection between an adverse digital intelligence observation and that risk. Without being able to establish and quantify a causal link between a sensitive artefact found on the dark web and the internal cyber security weakness that led to it being there, a security rating system is of limited utility.
This is the distinction between a reporting solution that compiles outputs and a diagnostic solution that understands them. One tells you the status while the other helps contextualise it in business terms.
Essential 8 Scorecard – Application Whitelisting Report
The link between "how" and "why" is therefore crucial, as it drives the focus of corrective actions to manage risk and improve cyber posture in a way that is based on current, actual problems, rather than acting on the "what" of a high-level traffic light display of status or a written report from the last audit.
Providing the "what" state of something for a report to management is only part of the answer; being able to support this with "how and why" gives far greater insight and value for decision making.
Measuring and reporting on cyber risk in this way enables a better, and automated, translation of raw information to support the decision-making needs of the business:
Meeting these objectives gives consistent measures of actual and residual cyber risk and objectively tracks the performance of controls to identify the quantitative state of that risk.
The emergence of cyber security scorecards and security performance measurement has already significantly enhanced the availability of security risk information for security and business managers. Whether for senior executives or operational security managers, security scorecards now provide an assessment of the security posture. Quantitative risk information enables operations and security managers to take the next step of identifying the nature of cyber risks facing the organisation; measuring and ultimately prioritising those risks for investigation and remediation.
By using a security scorecard in your SOC you could see the current and prioritised vulnerabilities that lie within your security controls; imagine having a continuous view of your cyber security posture and having the ability to mitigate any new or changing vulnerabilities as they arise.
A recent KPMG Report suggests that protecting against and dealing with cyber risks will be the major challenge for senior executives in 2024. It is clear that despite high levels of security investment, organisations continue to suffer from cyber attacks.
The Australian Signals Directorate's (ASD) recent publication of their Cyber Threat Report 2022-2023 unearthed a range of areas for concern for government departments and critical infrastructure entities at local, State and Federal level.
As cyber risks increase, organisations are encountering the longer life cycle of insurance renewals and the need to demonstrate better management of security controls and their effectiveness.
Highlights and insights from the recent Managed Services Summit in London and the ISACA Central Chapter Conference on Digital Trust, in Birmingham, UK. With two recent conferences in the space of three days, some interesting challenges were very evident in the topics discussed. Being very different events, the challenges were quite different, but interestingly they […]
In early August 2023, the latest joint advisory on persistent vulnerabilities was issued by the intelligence and security agencies of the "Five Eyes" community. These joint advisories are becoming more common. Perhaps recognising the growing importance of shared security information and the common nature of many of the threats faced, the weight they carry makes […]
The quality of your risk assessment and the security information it provides is important if you plan to use it to actively manage your operational and cyber resilience activities. Organisations are constantly exposed to a rapidly changing threat environment, so you really need a similarly rapid evidence-based feedback system that informs you of the ongoing […]
The UK market has its own regulators, security standards and challenges. And while rulings from the SEC in the US or the Australian Prudential Regulation Authority (APRA) in Australia don't apply to UK companies, for the most part the observations are undoubtedly relevant and the resulting advice instructive. It would be wrong to think UK financial […]
As much as we invest in cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the […]
Keen campers, scouts and even the Swiss Army know that a good penknife is indispensable. This simple device has mitigated many a disaster at one point in time or another. Whether it's to cut through a bit of string, tighten a screw or simply to solve the problem of no bottle opener in the […]
Supply chain risk is an area of cyber security that demands the ongoing attention of every enterprise, because it can make the difference between being resilient or not. It's no surprise that insurers warn that the vulnerability of supply chains is potentially a systemic risk that can quickly propagate across supply chain dominated industries. Organisations […]