There are bottlenecks throughout the cyber security risk management process. UK Government surveys suggest that directors are invariably unclear about the business implications of the cyber security reports they receive. Conversely, despite the challenges associated with the massive volumes of ever-changing security data, security teams believe their communications to the business are clear.
In many of the conversations with customers and others we hear stories about the challenges organisations are having with their current interview/questionnaire based cyber risk management and reporting activities. They talk especially of the cost and disruption of gathering and providing the cyber resilience status reports to boards, cyber insurance providers and even key customers.
It seems that the overhead of “security reporting” is becoming a major burden: tens of thousands of hours per year, rising frequency, and even then accuracy and clarity are increasingly called into question. No wonder there are calls to standardise the process.
At the heart of why this is so difficult is that there are many obstacles that hamper the availability and assessment of cyber security reporting and performance data.
Cyber security is a broad discipline. While Newton’s third law of physics does not apply, it is true to say that for every digital initiative there is a cyber security implication. There are so many ways to attack systems and steal data, and so many settings, controls and mitigation strategies that need to be in place to effectively protect an organisation’s cyber security posture.
Because of these variables, reporting on security performance of IT assets and systems can be a bigger task than almost any other part of business. Rather than a single CRM, finance or HR application, the security team must aggregate data from a plethora of systems: firewall configurations, anti-virus updates, privilege access management, IDS/IPS technologies, security analytics platforms, patch management, backup solutions and the network itself. And the list goes on….
So the task of collecting and reporting cyber security performance across IT systems and assets is a complex activity, made more difficult by the need to do it with increasing frequency.
Another issue, having gathered the data from across sub-systems, IT environments and security controls, is how to present the information reliably and with clarity.
Evidence that underpins the management and report activities must be available if required; but KPIs relating to the key security controls should provide clear and relevant information to inform the risk management process.
Most security standards contain a large number of controls or requirements, but often they are categorised into a small number of “groups”:
So typically, there is no shortage of cyber security data but it is the relevance and clarity of the information that enables effective management. Once dashboard measures or KPIs go beyond a reasonable number, the level of understanding can diminish for some users and the information gets crowded out with detail. This is particularly important for people who may not be familiar with the absolute detail but need precise information upon which to base important decisions.
As in any profession, security decisions often rely on the opinions or eminence of experts when it comes to what’s acceptable and what’s not. Their judgements can have significant cyber security risk implications, so it’s important that, wherever possible, they are verifiable and evidence-based. New technologies are increasingly available to automatically measure and reliably report risk assessments, and so increase the confidence levels of a cyber risk management process and better inform non-technical stakeholders.
The move towards more evidence-based objective measurements, and hard quantitative KPIs, is becoming overwhelming. Subjective anecdotal risk assessments still hold sway in some organisations, but a cultural change towards evidence-based risk decisions is underway, driven by auditors and risk managers. Recently the Australian Cyber Security Centre changed its recommended risk assessment methodology, noting that evidence-based judgement and opinion are far more reliable than any other objective measure.
As press reports all too frequently reveal, your cyber security posture can change overnight. A system can be secure (or at least “fully patched” and configured correctly) one minute, and a newly disclosed vulnerability can render it vulnerable, and exploited by a zero-day attack, the next.
This is made worse by our IT environments constantly changing: configurations, software versions, files and data, user accounts. Risk assessment and reporting practices must be able to keep up with constant change in our risk environment.
Security teams need risk assessment and management solutions that can address the velocity of these changes.
Decision makers need their information in a timely manner to ensure that the cadence of their risk assessment and reporting practices adequately meets the risk management needs of their enterprise. The greater the lag between the identification of a cyber risk and its subsequent reporting, the less chance there is of managing it effectively and, equally importantly, the less reliable the cyber security reporting to the executive and the board.
The details in security reports can be highly technical. For example, the patching performance reports might list servers, software versions, applications, vulnerabilities/CVE numbers, patches, severities, mitigations.
Detailed information is critical to security operations teams but, to be frank, relatively meaningless to all but technical risk management teams. Any business risks emerging from the patching assessment, however, may need to be translated into clear and accurate business risk information, as they might have significant business implications.
There is ongoing discussion about whether this type of security information needs to be more clearly articulated in non-technical terms to be more easily understood by executives, or whether those executives and directors should be more cyber literate. There is no single answer, except to say that technical information coming from security systems and controls must be adequately summarised and concise to reliably inform security risk management decision makers.
Then there is the question of what this technical risk information means to the business in terms of the impacts, the effort to understand and address issues, the potential costs, and the effects on service levels, customers or even insurance premiums. To be fair, those creating the reports may simply not fully know. Yet these factors are likely to be of particular interest to the business risk team and will require careful reconciliation of the state of the security controls and their potential impact on key business-critical IT assets and systems.
As boards, stakeholders, customers and cyber insurers demand greater visibility, clarity and frequency of security information reporting, these bottlenecks need to be considered and resolved in any cyber risk management process.
Whether the audience is internal and expecting a periodic report, an insurer demanding evidence of security controls to set cyber insurance premiums, or a customer seeking confirmation of your cyber security posture, the demand for timely cyber security information will only increase.
The effort and expertise needed to manage the reporting process, from data gathering to interpretation and then presentation, is significant and requires a common risk management process to support the efforts of each of the multiple interdependent stakeholders. Finding ways to automate these processes in a highly dynamic risk environment is vital for systematic, accurate and timely cyber security decision making and oversight.
If time can be saved in the data collection and reporting processes, it might just allow work to be undertaken that can enable concerted “risk management wide” focus on finding, mitigating and reporting on performance improvements.