INDUSTRY WATCH
make the appropriate decisions on what to
fix and what not to. In order to make the
best decisions on remediation and to actually
effect the changes needed to improve a
company’s risk posture, you need to:
• Enrich your data with information
about ownership, geography, business
unit, management hierarchy, business
criticality, etc.
• Facilitate exploring and investigating
anomalies from multiple perspectives
• Unify/normalise the data so that there
is a consistent definition of each device,
risk, entity
Trust the data
James Doggett, CISO, Panaseer
can approach solving the basics of security.
Let’s start with a question – how much time
do you and your team spend gathering data
to make decisions, reporting to superiors
and the board, and figuring out where a
project is in terms of risk reduction? Without
doubt, most will spend an inordinate amount
of time manually gathering data that
commonly has errors.
Everyone seems to have more than enough
tools to identify security risks; in fact,
probably too many. What you’ll likely not
have is:
• Processes to bring all security risk
information together and the ability to
enrich the data so you know who owns it
and which risk is most important to resolve
• Trust in the completeness and accuracy
of the data from both your perspective
and your peers in IT and the business
• Automated processes to let you do this
over and over again so you always know
where you stand
Before beginning conversations with
anyone (within security or elsewhere in the
company) about security remediation, the
discussion always seems to start with the
quality of the data. This is especially true in
the security realm, where it’s much easier to
talk about how the data is wrong than how
to solve the security issue.
Most security teams have presented data
to the Board of Directors, only to find out
later that data was missing a key part of
the company or otherwise not accurate. It’s
tough to regain that trust at that level once
lost. Also, many of those who perform the
actual remediation of security risks (e.g., IT
and Application Development teams) tend to
only focus on the quality of the data until the
security teams can prove their data is accurate
and relevant. So, it’s critical to build controls
into the gathering, consolidation, enrichment
and presentation of security-related data. You
must have accurate and timely data to be
relevant to the business and leadership.
Need for automation
And while last, this may be the most
important factor in addressing the issue of
enterprise cyberhygiene. Trying to do this
manually (especially every month or more
frequently) is too expensive, too inaccurate
and prone to errors, and from what I
experienced, too slow to be relevant. Security
teams have neither the funding nor the
staffing to keep trying to do this manually.
Why is it that industry has developed endless
tools to identify all the problems in security,
but so little to manage the rest of the
processes? Where is the automation to help
security teams identify the security efforts
that provide the greatest ROI? Where is the
automation to help them have complete
and accurate data at their fingertips all
the time? And where is the automation
that allows them to measure their progress
continuously? Point solution after point
solution may reduce risks, but they will not
reduce the overall company security risk
posture. Automation is required to solve
these basics of security.
Being one of the more regulated industries
we deal with, the financial sector also seems
to carry the highest burden of expectation.
Having the right information, in the right
format at the right time, aligned to a security
framework, will go a long way towards
demonstrating sufficient controls over the
security landscape.
It’s time that the basics became the new
shiny sexy initiative – with refined and
strategic enterprise cyberhygiene, you really
can improve your cyber-risk posture and
sustain those results.
The right data at the right time
When I worked as a CISO, I found that we
had no shortage of security information
coming from the plethora of security and
network tools in place, but what I needed
was the right information to make security
risk decisions on a timely basis. To accomplish
this, I needed to join all the data from all the
disparate security and other tools into one
place and into one framework to allow me
to understand the company risk posture and
INTELLIGENTCIO
www.intelligentcio.com