It seems like every CISO I speak to says, ‘I have every security tool’. While this may be a slight exaggeration, the premise is sound. Most of us do have plenty of security and other data being collected through the plethora of tools we have.

The problem is that nothing joins all of the data from the tools into one place and one framework to enable us to understand what our risk posture is. Instead, I was forced to look at each security area and the assessment tools used in an isolated manner. I needed all of the data joined up so I could conjure up a true picture of risk.
Gaining trust in the data
I have found that everyone having trust in the data being used for security is a prerequisite to being able to have a fruitful discussion on the security issues. This is more obvious from the security team’s perspective, but even more important for those in the company outside of security who own the responsibility to fix or maintain the data. It’s key to remember that most security, at any company, is done by people outside of security. It’s the infrastructure teams who patch systems, the developers who write secure or insecure code, and people all over the company who authorise privileged access.
So the first few months of using this consolidated data were spent mostly arguing over the validity of the data, and we had setbacks. On one occasion, a certain region of the world did not report on vulnerability data correctly and I reported improved results to the Board, only to have to retract this information in the next meeting. Losing trust takes a long time to recover from. Measures must be taken to ensure that the data being used is of the highest quality so that the discussion can move on from the quality of data to the risks that need to be addressed.
So as I was pulling together this security data from many sources, I had to put in controls to help ensure that duplicate information was removed, gaps were identified (e.g., are your scanners scanning all the devices or only some portion) and we had clear definitions of what we were measuring (e.g., all devices or just servers).
Automation of the processes
A key contributing factor to why we have not solved the basics of security is that we have plenty of tools to automate the generation of data but few, if any, tools to automate the rest of the process: the collection and unification, the prioritisation, the driving of remediation and the ability to automatically track that status.
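The controls described under "Gaining trust in the data" (de-duplication, coverage gaps, an explicit definition of what is being measured) and the unification and prioritisation steps described above can be shown in a small script. The following is an added example written for this edit, not code from the article or its author; the asset inventory, scanner exports, host names, owners and CVE-style identifiers (CVE-0000-000x) are all constructed placeholder data, and the field layout of the feeds is an assumption about what a scanner export might contain.

```python
"""
Added example (not from the article): unify vulnerability findings from
several scanner exports, remove duplicates, flag coverage gaps against an
asset inventory, apply an explicit scope definition, and prioritise the
result per owner. Every record below is constructed sample data.
"""
import json
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed asset inventory: the agreed definition of "all devices".
INVENTORY = [
    {"host": "web-01", "class": "server", "owner": "infra"},
    {"host": "web-02", "class": "server", "owner": "infra"},
    {"host": "db-01", "class": "server", "owner": "dba"},
    {"host": "lt-0451", "class": "laptop", "owner": "enduser"},
]

# Constructed scanner exports. Each feed lists which hosts it actually
# scanned (needed to tell "clean" from "never looked at") and its findings.
# Casing and severity labels deliberately differ between feeds.
FEEDS = [
    {"source": "scanner_a",
     "scanned": ["WEB-01", "web-02"],
     "findings": [
         {"host": "WEB-01", "cve": "CVE-0000-0001", "severity": "critical"},
         {"host": "web-02", "cve": "cve-0000-0001", "severity": "critical"},
         {"host": "web-01", "cve": "CVE-0000-0002", "severity": "high"},
     ]},
    {"source": "scanner_b",
     "scanned": ["web-01", "lt-0451", "rogue-99"],
     "findings": [
         {"host": "web-01", "cve": "CVE-0000-0001", "severity": "Critical"},
         {"host": "lt-0451", "cve": "CVE-0000-0003", "severity": "medium"},
     ]},
]


def norm_host(h):
    return h.strip().lower()


def norm_cve(c):
    return c.strip().upper()


def in_scope(inventory, scope=None):
    """Inventory hosts matching the agreed definition; scope=None means all devices."""
    return {norm_host(a["host"]): a for a in inventory
            if scope is None or a["class"] in scope}


def unify(feeds):
    """Merge findings across feeds keyed on (host, cve); keep the worst severity
    any source reported and remember which sources saw the finding."""
    merged = {}
    for feed in feeds:
        for f in feed["findings"]:
            key = (norm_host(f["host"]), norm_cve(f["cve"]))
            sev = f["severity"].lower()
            entry = merged.setdefault(
                key, {"host": key[0], "cve": key[1], "severity": sev, "sources": set()})
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(entry["severity"], 0):
                entry["severity"] = sev
            entry["sources"].add(feed["source"])
    return merged


def coverage_gaps(inventory, feeds, scope=None):
    """In-scope hosts no scanner touched, and scanned hosts the inventory lacks."""
    scoped = in_scope(inventory, scope)
    scanned = {norm_host(h) for feed in feeds for h in feed["scanned"]}
    known = {norm_host(a["host"]) for a in inventory}
    return {"unscanned": sorted(set(scoped) - scanned),
            "unknown": sorted(scanned - known)}


def prioritise(merged, inventory, scope=None):
    """Enrich in-scope findings with ownership and order them for remediation:
    worst severity first, then findings confirmed by more sources."""
    scoped = in_scope(inventory, scope)
    rows = [{**e, "sources": sorted(e["sources"]), "owner": scoped[e["host"]]["owner"]}
            for e in merged.values() if e["host"] in scoped]
    rows.sort(key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0),
                             -len(r["sources"]), r["host"], r["cve"]))
    return rows


def report(inventory, feeds, scope=None):
    """One consolidated view: unified findings, coverage gaps, per-owner counts."""
    merged = unify(feeds)
    findings = prioritise(merged, inventory, scope)
    return {"raw_count": sum(len(f["findings"]) for f in feeds),
            "unique_count": len(merged),
            "findings": findings,
            "by_owner": dict(Counter(r["owner"] for r in findings)),
            "gaps": coverage_gaps(inventory, feeds, scope)}


if __name__ == "__main__":
    # Measure "servers only" as an explicit scope definition.
    print(json.dumps(report(INVENTORY, FEEDS, scope={"server"}), indent=2))
```

The `scanned` list per feed is the important design choice: a host with no findings is only "clean" if some scanner actually visited it, which is exactly the "are your scanners scanning all the devices" check. The `unknown` list catches the reverse gap, hosts a scanner saw that the inventory does not know about, and `by_owner` gives the per-team counts that drive and track remediation.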
As I began the journey to address enterprise cyber hygiene permanently, I initially focused on doing it manually. I pulled people from other security work and had them focus on pulling the data for a particular security area, say, system vulnerabilities. They pulled data from nearly a dozen sources and then attempted to clean the data so it was complete and accurate. It proved difficult to do and required several revisits and too much time to get acceptable results. Then it had to be enriched with ownership data and put into reports for Board and executive reporting. This manual approach proved impossible for me and my team to keep up with monthly. By the time we had one month completed, it was too late to start on the next. Thus, we had no choice but to automate.
As we began to develop process automation around security areas, we discovered several benefits: speed, as we had repeatable automated processes; fewer errors, as we built in logic to catch them; and greater insight, as the computer saw many things we did not.
Another benefit that we didn’t initially anticipate was the efficiency gained from fewer audit disruptions. As we allowed the second line of defence, audit and the SOX team to start using the tool, they quickly began using this data and stopped doing their own assessments/testing. That saved time not only for that team, but also for the IT teams that had to provide that information.
To summarise, I find it very interesting that the very thing I complained about most, not enough resources to address all these emerging security issues, was under my own control all along. By solving the enterprise cyber hygiene basics, I was able to do much more with the same, or fewer, resources. And I think that is, or will become, an expectation of all CISOs in the future. We cannot opt out of running our organisations as efficiently as possible when all the other parts of the company are being compelled to do so.
So, think about risk management embedded in security, automation of manually intensive operations, and bringing all security data into one unified framework that is usable to make decisions and move forward. And if you do, you just might get what you need.