Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
There are bottlenecks throughout the cyber security risk management process. UK Government surveys suggest that directors are invariably unclear about the business implications of the cyber security reports they receive. Conversely, despite the challenges associated with the massive volumes of ever-changing security data, security teams believe their communications to the business are clear.
It seems that the overhead of “security reporting” is becoming a major burden: tens of thousands of hours per year, rising frequency and, even then, accuracy and clarity increasingly coming into question. With the pressure at board level to manage the organisation’s operational resilience in response to regulatory pressures, this can only increase. No wonder there are calls to standardise the process.
At the heart of why this is so difficult is that there are many obstacles that hamper the availability and assessment of cyber security reporting and performance data.
Cyber security is a broad discipline. While Newton’s third law does not strictly apply, it is true to say that for every digital initiative there is a cyber security implication. There are so many ways to attack systems and steal data, and so many settings, controls and mitigation strategies that need to be in place to protect an organisation’s cyber security posture effectively.
Because of these variables, reporting on the security performance of IT assets and systems can be a bigger task than almost any other part of the business. Rather than a single CRM, finance or HR application, the security team must aggregate data from a plethora of systems: firewall configurations, anti-virus updates, privileged access management, IDS/IPS technologies, security analytics platforms, patch management, backup solutions and the network itself. And the list goes on.
So the task of collecting and reporting cyber security performance across IT systems and assets is a complex activity, made more difficult by the need for ever more frequent reporting.
Another issue, having gathered the data from across sub-systems, IT environments and security controls, is how to present the information reliably and with clarity.
Evidence that underpins the management and reporting activities must be available if required, but KPIs relating to the key security controls should provide clear and relevant information to inform the risk management process.
Most security standards contain a large number of controls or requirements, but they are often categorised into a small number of “groups”.
So, typically, there is no shortage of cyber security data; it is the relevance and clarity of the information that enables effective management. Once dashboard measures or KPIs go beyond a reasonable number, the level of understanding can diminish for some users and the information gets crowded out with detail. This is particularly important for people who may not be familiar with the fine detail but need precise information upon which to base important decisions.
As in any profession, security decisions often rely on the opinion or eminence of experts when it comes to what’s acceptable and what’s not. Their judgements can have significant cyber security risk implications, so it’s important that, wherever possible, they are verifiable and evidence-based. New technologies are increasingly available to automatically measure and reliably report risk assessments, and so increase the confidence levels of a cyber risk management process and better inform non-technical stakeholders.
The move towards more evidence-based objective measurements, and hard quantitative KPIs, is becoming overwhelming. Subjective, anecdotal risk assessments still hold sway in some organisations, but a cultural change towards evidence-based risk decisions is underway, driven by auditors and risk managers. Recently the Australian Cyber Security Centre changed its recommended risk assessment methodology, noting that evidence-based judgement and opinion is far more reliable than any other objective measure.
As press reports all too frequently reveal, your cyber security posture can change overnight. A system can be secure (or at least “fully patched” and correctly configured) one minute, and a newly disclosed vulnerability can render it vulnerable, and exploited by a zero-day attack, the next.
This is made worse by IT environments that are constantly changing: configurations, software versions, files and data, user accounts. Risk assessment and reporting practices must be able to keep up with constant change in the risk environment.
Security teams need risk assessment and management solutions that can address the velocity of these changes.
Decision makers need their information in a timely manner to ensure that the cadence of their risk assessment and reporting practices adequately meets the risk management needs of their enterprise. The greater the lag between the identification of a cyber risk and its subsequent reporting, the less chance there is of managing it effectively and, equally importantly, the less reliable the cyber security reporting to the executive and the board.
The details in security reports can be highly technical. For example, a patching performance report might list servers, software versions, applications, vulnerabilities (CVE numbers), patches, severities and mitigations.
Detailed information is critical to security operations teams but, to be frank, relatively meaningless to all but technical risk management teams. Any business risks emerging from the patching assessment, however, may need to be translated into clear and accurate business risk information, as they might have significant business implications.
There is ongoing discussion about whether this type of security information needs to be articulated more clearly in non-technical terms so that executives can understand it more easily, or whether those executives and directors should be more cyber literate. There is no single answer, except to say that technical information coming from security systems and controls must be adequately summarised and concise enough to reliably inform security risk management decision makers.
Then there is the question of what this technical risk information means to the business: the impacts, the effort needed to understand and address issues, the potential costs, and the effects on service levels, customers or even insurance premiums. To be fair, those creating the reports may simply not know. Yet these factors are likely to be of particular interest to the business risk team and will require careful reconciliation of the state of the security controls with their potential impact on business-critical IT assets and systems.
As boards, stakeholders, customers and cyber insurers demand greater visibility, clarity and frequency of security information reporting, these bottlenecks need to be considered and resolved in any cyber risk management process.
Whether the audience is internal and expecting a periodic report, an insurer demanding evidence of security controls to set cyber insurance premiums, or a customer seeking confirmation of your cyber security posture, the demand for timely cyber security information will grow. Recent Financial Conduct Authority policy statements in the UK, US SEC guidance, the EU’s upcoming DORA and new Australian Prudential Regulation Authority rules all implicitly or explicitly require an understanding of supply chain risk, so we can expect greater scrutiny and visibility of cyber security controls to become the norm.
The effort and expertise needed to manage the reporting process, from data gathering to interpretation and then presentation, is significant and requires a common risk management process to support the efforts of each of the multiple interdependent stakeholders. Finding ways to automate these processes in a highly dynamic risk environment is vital for systematic, accurate and timely cyber security decision making and oversight.
If time can be saved in the data collection and reporting processes, it might just free up effort for a concerted, risk-management-wide focus on finding, mitigating and reporting on performance improvements.