“MEASURES MUST BE TAKEN TO ENSURE THAT THE DATA BEING USED IS OF THE HIGHEST QUALITY SO THAT THE DISCUSSION CAN MOVE ON FROM THE QUALITY OF DATA TO THE RISKS THAT NEED TO BE ADDRESSED.”
Jim Doggett, US Vice President and CISO at Panaseer

now being evaluated on how well I could reduce IT risk from security, measure that reduction and sustain it.

Before delving into how we might approach measuring and sustaining risk reduction, it might be useful to compare the past.

If we go back, say 20 years, what were the key security risks/threats we were dealing with? I suspect most of us would have answered: patching, vulnerabilities, too much access and the like. In other words, doing the basics of security (i.e. enterprise cyber hygiene) well. And if we asked the same questions today, or looked at the root cause of most breaches today, many of us would answer the same way.

This was my first revelation: I cannot only focus on the newest black belt, advanced threat that was out there. I needed to focus on the basics of security to enable my team to have enough time to get to the latest threats. So this article is not about the latest advanced threat, it’s about the basics.

I knew that to become a modern CISO and understand the constant risks in my organisation, I would need to be able to track and monitor my state at any given time. There were at least three things I thought I needed to do in order to fulfil this: access to the right information at the right time, trust in the data I was using and automate as much of the process as possible.

Getting the right information

If we are to make prudent decisions on what to fix and what not to, we must have the right information to prioritise the information. It’s not about fixing everything, but fixing the right things that most reduce risk for the dollar/pound.

Getting to the right information was a big hurdle. For each security area I focused on, I had to consolidate all of the relevant data. That sounds easy but has proven to be much more difficult than anticipated. Bringing data together from disparate security and other tools and unifying/normalising that data is not easy and can be very time-consuming. I also needed to enhance the data with line of business details, geography, criticality to the company, etc.

INTELLIGENTCIO