Commissioning or undertaking a security review is a familiar process for most security managers, internal and external auditors, CISOs and risk owners. The growing responsibilities of directors for the effective management of IT risk almost guarantees that the audit process will become as routine as the monthly accounts.
In an environment where new technical vulnerabilities, and even cyber attacks, can happen literally overnight, there is always going to be a need to understand what gaps exist in your risk management controls and whether there are any resulting compliance issues that need to be addressed.
Traditionally there have been lots of different types of review, and almost as many different approaches in undertaking them. All have pros and cons, with different levels of effort and fidelity – depending on the intended audiences and purpose of the outputs. Two examples are below:
The overwhelming limitation of security reviews is that they are point-in-time assessments. They are correct and valid on the day they were undertaken, but quickly become out of date; and that’s a problem where your risk environment can change overnight.
Lengthy periods of vulnerability to the latest exploits and infrequent risk assessments can unnecessarily prolong the time at risk from cyber attack. In a world where so much can change as a result of a simple click on the wrong link, an up-to-date review can quickly lead to the timely mitigation of the risk. Appropriate mitigation might be as simple as disabling features or accounts that were found to be missing patches, but unless you have complete visibility, your mitigation strategy cannot be adequate.
So, with the benefits established, the challenge is how often can you conduct a security review? What is the available budget and resource for the assessment? What about retesting once the problems have been fixed? And in a constantly changing environment – how frequently is sufficient to maintain your compliance obligations and to verify the progress of security improvements?
The answer obviously depends on the overall risk appetite of your organisation and the risk environment in which it operates. Security and risk teams should be able to run risk assessments as necessary – to assess the current state of security controls, identify any deficiencies and then, as with any quality improvement process, re-run the assessment to determine the success of the corrective actions.
In a dynamic risk environment, an annual penetration test or audit is, at this point, going to fall short. Perhaps for audit purposes it is a useful exercise, but it isn’t meaningful to derive security metrics for operational reporting or to gauge risk or compliance status.
Annual reviews, planned in advance, can be prepared for, and the resultant assessment is based on the “prepared” environment rather than a typical picture of how systems are managed. Plus, as we’ve already observed, systems, even if they avoid an overnight “hit”, will drift away from a known state over time – in days, weeks or months – so the accuracy of the findings is quickly eroded.
Conversely, trying to run audits or gather data manually on a weekly, or even monthly, basis compresses too much effort into too small a time window. It leads to short-cuts in the name of “ticking the audit box” – sampling, cherry picking environments to be assessed and subjective self-assessments don’t tell the full story. They provide an incomplete view of your security posture, and ultimately an inaccurate disclosure to senior executives and potentially even regulators. It’s for this reason that there has been a marked trend in security frameworks, advisories and regulatory requirements that organisations increase the frequency of security assessments. Whether it’s simply part of a security performance improvement program or a broader governance initiative, evidence-based decision making requires accurate, timely and actionable information.
The trend is clear: as this article shows, the need to assess, patch and improve your security is ever-present – and needs to be done as regularly as possible.
So the goal, we can conclude, is to find a way – an approach, process, service provider or tool – that can support and inform these interdependencies. The desire for a set of security KPIs, while still somewhat constrained by logistical and resource constraints, is growing stronger and more urgent.
The audit and risk assessment solutions we have developed to meet continuous compliance monitoring, on-demand audit and the validation and assessment of ransomware controls tick many of the boxes: simple, unobtrusive, evidence-based and empirical.
With the immediate availability of reliable information on security posture, reporting cycles come right down, and the “time at risk” can be slashed with little elapsed time between risk investigation and mitigation.
The increased trust that this engenders in both the IT environment and the teams responsible for their resilience means the business is more likely to invest in security improvement, because now senior executives too have access to status information on security controls for management and oversight.
For consultants, this changing face of risk assessment is even more challenging. Yes, they want to do more work and conduct as many assessments as possible, but they have to find a way to deliver value in a cost-effective way. An annual audit might be a big job, but it’s infrequent and leaves the consultant and client out of touch with the true risk position for some time. Again, time at risk.
With the advent of solutions that enable a rapid risk assessment, the cost of the security audit or assessment can be reduced, and the value of prompt security reporting becomes a real business opportunity. Suddenly the consultant/client relationship isn’t about a long list of issues once a year, it is one of a continuous and iterative cycle of assessment and security improvement, with more opportunity for the introduction of a systematic and responsive management methodology for cyber security – an increasingly concerning business risk for all stakeholders.