Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
Auditing is the mainstay of business governance, since every organisation, no matter the size, is required to undertake at least one review of some aspect of their operations each year. Explore ways to hasten the IT risk auditing process and quickly uncover non-compliance with continuous, adaptive risk and trust assessments.
Anyone who is involved in information security or cyber matters will know that auditing is a core component of any effective security programme, since assurance is the cornerstone of remaining secure as the world around us changes. Businesses are seeking systems that can hasten the auditing process and quickly uncover non-compliance, since these gaps are often exploitable vulnerabilities. Adding to the requirement, security executives don’t want to wait 12 months until the next audit since they understand that vulnerabilities are discovered every day, so an entire year of being exposed to serious threats is an untenable position.
By introducing a technology solution that comprehensively assesses security posture and provides continuous feedback on compliance deviations against the desired states, the business minimises human error while mitigating potential risks of interference.
In the United States, recent changes in the Public Company Accounting Oversight Board (PCAOB) rules now require auditors to report not just on the level of assurance in controls, but also on the availability and timeliness of evidence and the amount of human interaction between the systems and the audit function. Additionally, the PCAOB mentions the importance of appropriateness, stating:
“Appropriateness is the measure of the quality of audit evidence, i.e., its relevance and reliability. To be appropriate, audit evidence must be both relevant and reliable in providing support for the conclusions on which the auditor’s opinion is based.”
From a security point of view, appropriateness is critical and something every security manager or IT executive should be assessing and trying to remove any of the human friction between the control itself and the result of the assessment.
The more accurate measurement of control compliance the business gets the better. Also, the speed at which deviations are alerted to the appropriate team is vital since not knowing that a control has failed for many weeks or months could be catastrophic. Insider threats are also a problem that security managers are paying more attention to, and malicious insiders interfering with the results of audits is a major risk. If non-compliance is concealed, then the business could be exposed to or even undergo a major cyber incident without any of the normal indicators of attack.
A relatively new approach, pioneered by Gartner Research, is continuous adaptive risk and trust assessment (CARTA). CARTA is gaining traction as a strategic approach to risk management and extends to all aspects of IT and service management. By adopting CARTA, businesses assume all their systems and devices are potentially compromised, so everything needs to be assessed against a baseline of what the appropriate security target should be. Forrester Research has also aligned its thinking with this model with its Zero Trust model, which again assumes that nothing in the environment is trustworthy and hence everything needs to be considered hostile when its place is considered within the IT environment. If you consider this from a security architecture perspective (see Figure 1), the auditing controls you build around any individual system will be very different if it’s considered a threat as opposed to being considered friendly.
Both approaches promote continual assessment and change the way we consider information risk and our defensive security countermeasures. The underlying requirement is that the business can continually monitor and react to change in state that indicates a threat.
Figure 1 Gartner’s CARTA model promotes continual assessment of risks across the business
By taking a strategic approach to security control monitoring we are constantly checking if the controls we rely on to protect the business are working as they should. Since the security threat environment changes every day as new vulnerabilities are found, systems are upgraded or new services are introduced, the control compliance can also change. Continuous assessment allows security managers to make better decisions and reprioritise workplans so that any issues relating to critical controls can be quickly remediated.
To most security managers and IT operations managers, the cycle of threat detection and response is well known, but CARTA’s value comes from tying the work of the SOC back to the business risk management approach and ensuring the controls we rely on are doing their job. Without that, the SOC may not detect the threat in the first place, and their job becomes impossible.
Any technology systems that produce logs (and most do) can report its status. In fact, if you wanted to manually adopt CARTA, then you’d been looking at the logs from hundreds, or even thousands, of log sources all day every day. In a security operations world, we have already addressed this issue with our Security Information and Event Management (SIEM) platform. However, requirements from our own customers’ senior management and audit and risk teams has led us to develop solutions that provide the perfect implementation of continuous adaptive risk and trust assessments.
Huntsman Security’s Essential 8 Scorecard allows your organisation to continuously measure control performance, something that is a core requirement of CARTA. Security managers get an objective, quantitative measure of the organisation’s cyber posture that highlights and alerts on any gaps in defence strategies. Additionally, executive reports are distributed automatically enabling informed risk decision making at every level of the business, all the way up to the executive. Alternatively, you can utilise the Essential 8 Auditor for a one-0ff, immediate view of an organisation’s security control effectiveness.
The Essential 8 Framework, developed by Australian Government, has been found to mitigate 85% of targeted cyber-attacks. The eight core controls are globally recognised as fundamental to robust cyber hygiene.
Essential 8 Framework – critical controls to protect your organisation
By introducing continuous adaptive risk and trust assessments across your risk environment, you gain visibility immediately. No more second guessing and no more nasty surprises when the audit cycle comes round. Do you have a current measure of your organisation’s cyber hygiene? Find out more here.
A recent KPMG Report suggests that protecting against and dealing with cyber risks will be the major challenge for senior executives in 2024. It is clear that despite high levels of security investment, organisations continue to suffer from cyber attacks.Read more
The Australian Signals Directorate’s (ASD) recent publication of their Cyber Threat Report 2022-2023 unearthed a range of areas for concern for government departments and critical infrastructure entities at local, State and Federal level.Read more
As cyber risks increase, organisations are encountering the longer life cycle of insurance renewals and the need to demonstrate better management of security controls and their effectiveness.Read more
Highlights and insights from the recent Managed Services Summit in London & the ISACA Central Chapter Conference on Digital Trust, in Birmingham, UK. With two recent conferences in the space of three days, some interesting challenges were very evident in the topics discussed. Being very different events, the challenges were quite different, but interestingly they […]Read more
In early August 2023, the latest joint advisory on persistent vulnerabilities was issued by the intelligence and security agencies of the “Five-eyes” community. These joint advisories are becoming more common. Perhaps recognising the growing importance of shared security information and the common nature of many of the threats faced – the weight they carry makes […]Read more
The quality of your risk assessment and the security information it provides is important; if you plan to use it to actively manage your operational and cyber resilience activities. Organisations are constantly exposed to a rapidly changing threat environment, so you really need a similarly rapid evidence-based feedback system that informs you of the ongoing […]Read more
The UK market has its own regulators, security standards and challenges. And while rulings from SEC in the US or the Australian Prudential Regulation Authority (APRA) in Australia don’t apply to UK companies, for the most part, the observations are undoubtedly relevant and the resulting advice instructive. It would be wrong to think UK financial […]Read more
<<< Part 2a: Australia’s Essential Eight: Beyond Endpoint Control <<< Part 2b: Activating UK NCSC & US NIST Guidelines: Beyond Endpoint Control Part 4: Systematic Measurement of Cyber Controls >>> As much as we invest into cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the […]Read more
Keen campers, scouts and even the Swiss Army know – that a good penknife is indispensable. This simple device has mitigated many a disaster at one point in time or another. Whether it’s to cut through a bit of string, tighten a screw or simply to solve the problem of no bottle opener in the […]Read more
Supply chain risk is an area of cyber security that demands the ongoing attention of every enterprise; because it can make the difference between being resilient or not. It’s no surprise that insurers warn that the vulnerability of supply chains is potentially a systemic risk that can quickly propagate across supply chain dominated industries. Organisations […]Read more
Read by directors, executives, and security professionals globally, operating in the most complex of security environments.