Often, CISOs struggle to understand and share precisely what is happening across their estate at all times. To support business change or user demands, organisations have evolved highly sophisticated, interconnected infrastructures, some of which are internally owned and some run by third parties.
This growing lack of control and visibility directly affects how informed and prepared an organisation is to deal with attempted or successful attacks. If a CISO wants to have an informed business conversation with their executives about risk, they need the same level of confidence in their presentation of cyber performance data and reporting as the finance director has in the numbers they bring to the board. Organisations that invest in creating a concise and accurate view of their cyber security state, and can communicate it clearly to the rest of the business, see the benefits in terms of confidence and more informed, collaborative decision making around the value of cyber investment.
Assessing your CSM: What are the challenges?
In the last two decades the cyber security landscape has grown rapidly, indiscriminately and, compared with some other sectors, erratically. Outside of IT, its traditional home, cyber risk touches every aspect of a modern business and involves departments as diverse as HR (through its responsibility for cyber awareness training), risk experts in Finance, compliance and audit, and increasingly resilience and business continuity professionals - and an organisation’s data is similarly dispersed.
So, with all of these stakeholders involved and with so much to lose, you would think more businesses would be eager to establish “just how good is our cyber security?”
All too often, those in the unenviable position of reporting the organisation’s current cyber state to the board will approach this question from a rather narrow or specific viewpoint. Often it will be in the context of a specific compliance regime or accreditation (“we’re ISO27001 compliant so we’re OK”) or based on recent technology investments (“we’ve just spent £250,000 on an endpoint tool so we’re OK”).
To counter this type of very narrow, inward-looking reporting, there have been attempts to build a standard matrix of CSM indicators to help organisations analyse and benchmark themselves against best practice in their never-ending cyber security journey. But until now there have been significant inconsistencies in the content and delivery of CSM reporting – between countries, sectors and sizes of company, and even between security professionals within a single organisation. The areas that a business must explore to assess its CSM are:
- How to perform and assess the impact from gap analysis of risk assessment
- How to measure the effectiveness of policy implementation
- How to build and evaluate a consistent audit process against a relevant control set or compliance regime
- How to deploy and measure the impact of technical penetration tests and Red Team exercises
- How to create and assess the value of risk treatment plans
All these measurements are valid in and of themselves. However, these metrics do not answer the question “how good is our cyber security?” because they carry no business context. Collating and correlating this information into an objective and agreed industry score against best practice or, more importantly for some organisations, against competitors, has proved more elusive.
The reasons for this are many and complex. The evolving risk landscape, and the technology developed at breakneck speed to counter it, have led to organisations acquiring a smorgasbord of security solutions, services and suppliers. Many of these solutions will have their own reporting function (which may or may not be reviewed regularly), their own vendor point of contact, owner, interface into the business and assigned budget. The result is impenetrable complexity: multiple vendor conversations, stretched management overhead, conflicting advice due to limited context, and an increasing number of gaps, crossovers and duplications.
In our experience, the complete lack of integration between solutions ultimately means that an organisation will get very little value from over half of its cyber security spend. Arguably worse, it will have no way of deciding which solution best fits the business priorities or will drive the organisation’s CSM. When you are responsible for cyber risk it can be very difficult to avoid spending on whatever is presented as the next silver cyber security bullet fired by the large multinational security vendors. Invariably, as there is no silver bullet, what organisations get is just another set of reports, increased complexity and further decreased visibility of the network. This cycle has been repeating itself for over a decade, and the result is that any hard-fought incremental increase in budget is immediately absorbed – ironically robbing security teams of the agility to respond to the next threat to emerge.
What is the answer?
In our experience, this lack of integration between solutions means organisations get very little value from over half of their cyber security spend. Worse, they have no way of deciding which solution best fits the business priorities or will drive the organisation’s CSM. This continual spending without clear direction or results erodes the agility of security teams to respond to the next threat that emerges.
Across multiple industries we have seen companies find themselves in a never-ending cycle of testing, part-fixing, requesting budget, spending budget, testing – repeat. Yet at no point do these companies, or the individuals within them, feel confident that every penny of investment is driving CSM.
CSM requires businesses to look beyond security technologies and processes and examine indicators such as behaviours, events, systems and potential threats across the entire organisation. CSM owners need to be able to articulate across the business, and especially to the board, the state of preparedness and organisational activity across five areas:
- Compliance and accreditation
- Technical compliance
- Transformation and maturity
- Events, alerts and threats
- Governance and policy
Being able to analyse and benchmark your organisation in these areas and their sub-domains in a consistent way allows an organisation to create a contextual and prioritised transformation plan to improve its overall CSM. Then, using the same framework and associated performance dashboard, CISOs, IT security managers and CIOs can track improvements and report confidently and knowledgeably to everyone in the business, quickly highlighting areas of improvement and the value of those gains, as well as building a positive, informed narrative around areas that still require work.
The CSM market remains immature. Solutions often omit critical components or fail to provide automated, systemised reporting for elements such as penetration testing outputs or threat intelligence. Of course, not all data can automatically feed into a CSM dashboard, as there will always be a need for expert human analysis and evaluation (for example in areas of compliance such as the PCI Data Security Standard), but organisations must aim to standardise and automate as much data input as possible.
At CNS, we’ve helped a number of clients unravel the complexity of their estates to establish greater control and visibility of performance, supporting them through the processes of building and then running their CSM programmes. Clients value our independent advice to plan and deliver CSM dashboards that meet their specific business, risk and compliance requirements. And whether organisations have struggled long and hard with cyber or are just beginning, the value of CSM is clear: transforming the ongoing business conversation about cyber risk, return on investment and measurable, comparative improvement.
Shannon Simpson, CEO, CNS Group