With large parts of the western world starting to emerge from the Covid-19 pandemic and the associated economic impacts of lockdowns and travel restrictions, businesses are trying to plan for a new normal.
Many organisations have shifted to place a larger reliance on cloud delivery of IT, a greater willingness to outsource non-core business functions (like security and digital marketing, for example) and the continuation of working from home arrangements for much of the workforce. These changes, together with the implementation of operational and security infrastructure changes, have enabled businesses to remain flexible and effective.
So as IT security budgets are reviewed, what are the outstanding priorities to support these operational changes and what are the strategic investments for the future? What should be in your security budget for 2021/22 and beyond?
For businesses being forced to operate with remote workforces, securing endpoints (user workstations for the most part) has been a critical area of focus. We were already seeing the rise of UBA (user behaviour analytics, often UEBA or SUBA) and an increase in the market for EDR (endpoint detection and response) solutions. Now these technologies are evolving further into XDR (extended detection and response).
For all the focus on endpoints, however, there are still gateway systems at the network perimeter, stored data, web-based applications and an array of cloud-based and on-premise IT systems that are used by business on a daily basis. While there is an operational security need to get the balance right, too much focus on endpoints can introduce risks and blind spots:
Any planned security spending should therefore contemplate not just the necessities of the changed work practices over the COVID lockdowns but also the return by many organisations to more reliable and trusted operational architectures.
Another area where the security goal posts have changed is in cyber governance, almost a new phrase in its own right. As we have moved to digitally transform our enterprises in recent times we have, in many cases, unwittingly added to our attack surface. The integration of business and IT operations has meant that business is required by regulators and, more generally, third parties to have visibility of and the ability to report on security risks, the operations processes and the status of controls. That is to say – cyber “maturity” or “posture” metrics have become increasingly important.
The wider digital transformation agenda, at least in part driven by the need for greater operational efficiencies during lockdowns, has led businesses to increasingly look to streamline and automate their processes. Improved service to customers and operational controls have been achieved through the addition of digital analytics, machine learning and process automation to business operating models.
Just as this transformation has digitalised business operations, so too has it digitalised security operations and compliance monitoring and reporting. The integration of these levels of technology into business process has implications for senior executives and boards in their greater responsibilities and accountabilities for ongoing operations. IT and business operations, and indeed governance, have never been more interdependent.
As a result, there is now less willingness by regulators, and as a consequence boards, to accept that security risk management can be “outsourced” or that a lack of knowledge is an acceptable excuse for failure. With this digital transformation, the accountability for security risk and its management is clear. No senior executive or board member wants to be in the invidious position of mis-reporting or not knowing the security posture of their enterprise. It’s now part of their broader responsibilities.
In business, a common set of financial, legal and social frameworks and controls provide a platform for reliable and trustworthy commercial interaction. As we move towards our digital future, with its expanded levels of cyber risk, a verifiable measure of cyber posture will undoubtedly become part of a broader commercial platform.
While the specific set of controls that comprise good cyber posture may vary from jurisdiction to jurisdiction they invariably include:
These controls are so foundational that sometimes they are referred to simply as “security hygiene”. When it comes to “hygiene” or “cyber posture”, however, the effectiveness of these controls can vary, so what’s important is not whether they’re in place but rather how well they are operating. The greater the shortfall in control effectiveness, the more vulnerable the organisation is to attack. To improve cyber posture, identified risks need to be mitigated and the gaps verifiably closed.
As demands for good IT governance increase from both boards and other stakeholders, organisations need to allocate funding to tighten their security controls through sound systems that measure and report evidence of that fact.
The last obvious area for post-pandemic investment is in things that directly benefit the accuracy and effectiveness of security processes, operations and workflows.
With resource constraints impacting almost every facet of security operations, security leaders must regularly review their processes to identify tasks that limit the effectiveness of their team’s time and effort. Skills shortages and cumbersome processes mean that security teams are often under-resourced, overworked and struggling to make tangible improvements in their security efforts.
Much has been made about automating the threat detection, alert handling and incident triage processes. Data volumes and an ongoing reliance on analyst-driven analytics ensure that threat investigation and response remains a specialist critical path activity. Hence the need to streamline and automate SOC processing.
If businesses can optimise the efficiency of their security teams by simplifying alerting and minimising handoffs between SOC processes, and combine that with a greater understanding of the nature of threats, SOC teams can make significant strategic efficiencies to the overall security management process.
By investing in something like the power of the MITRE ATT&CK® framework to integrate their decision making with the contextualisation of threat observations, the speed and accuracy of analyst decision-making can be immediately improved.
These efficiencies and improvements are likely to be some of the areas where investment will deliver the most benefit in 2021/22 and beyond. If security teams can be funded to “catch up” post-pandemic through improved risk management efforts and posture, and threat responsiveness hastened by better contextualisation, some of the concerns that emerged during the COVID hiatus about falling levels of security will be quickly addressed and resolved.