Intelligent CIO Europe Issue 4 - Page 99

It seems like every CISO I speak to says, ‘I have every security tool’. While this may be a slight exaggeration, the premise is sound. Most of us do have plenty of security and other data being collected through the plethora of tools we have. The problem is that nothing joins all of the data from the tools into one place and one framework to enable us to understand what our risk posture is. Instead, I was forced to look at each security area and the assessment tools used in an isolated manner. I needed all of the data joined up so I could build a true picture of risk.

Gaining trust in the data

I have found that everyone having trust in the data being used for security is a prerequisite to being able to have a fruitful discussion on the security issues. This is more obvious from the security team’s perspective, but even more important for those in the company outside of security who own the responsibility to fix or maintain the data. It’s key to remember that most security, at any company, is done by people outside of security. It’s the infrastructure teams who patch systems, the developers who write secure or insecure code, and people all over the company who authorise privileged access. So the first few months of using this consolidated data were spent mostly arguing over the validity of the data, and we had setbacks. On one occasion, a certain region of the world did not report vulnerability data correctly and I reported improved results to the Board, only to have to retract this information in the next meeting. Losing trust takes a long time to recover from.
Measures must be taken to ensure that the data being used is of the highest quality so that the discussion can move on from the quality of the data to the risks that need to be addressed. So as I was pulling together this security data from many sources, I had to put in controls to help ensure that duplicate information was removed, gaps were identified (e.g., are your scanners scanning all the devices or only some portion?) and we had clear definitions of what we were measuring (e.g., all devices or just servers).

Automation of the processes

A key contributing factor to why we have not solved the basics of security is that we have plenty of tools to automate the generation of data but few, if any, tools to automate the rest of the process: the collection and unification, the prioritisation, the driving of remediation and the ability to automatically track that status. As I began the journey to address enterprise cyber hygiene permanently, I initially focused on doing it manually. I pulled people from other security work and had them focus on pulling the data for a particular security area, say, system vulnerabilities. They pulled data from nearly a dozen sources and then attempted to clean the data so it was complete and accurate. It proved difficult to do and required several revisits and too much time to get acceptable results. Then it had to be enriched with ownership data and put into reports for Board and executive reporting. This manual approach proved to be impossible for me and my team to keep up with monthly. By the time we had one month completed, it was too late to start on the next. Thus, we had no choice but to automate. As we began to develop process automation around security areas, we discovered several benefits: speed, as we had repeatable automated processes; fewer errors, as we built in logic to catch errors; and greater insights, as the computer saw many things we did not.
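As an added illustration (not from the article or its author), here is a small Python consolidation step that applies the three controls described above to exports from several scanners: duplicates are collapsed, coverage gaps against an asset inventory are flagged, and counts are scoped to a stated asset class. The inventory, scanner names, host names and CVE identifiers are all constructed placeholders.

```python
# Added example (not from the article): the three data-quality controls the text
# names, applied to constructed scanner exports before any risk reporting.
INVENTORY = {"web-01": "server", "web-02": "server", "db-01": "server", "lt-0042": "laptop"}

# Constructed scanner exports: which hosts each tool actually scanned, plus findings.
SCANNED = {
    "scanner_a": {"WEB-01", "db-01"},
    "scanner_b": {"web-01"},
    "scanner_c": {"lt-0042", "ghost-99"},
}
FINDINGS = [  # CVE ids are placeholders, not real advisories
    {"source": "scanner_a", "asset": "WEB-01", "cve": "CVE-0000-0001", "severity": "High"},
    {"source": "scanner_b", "asset": "web-01", "cve": "cve-0000-0001", "severity": "high"},
    {"source": "scanner_a", "asset": "db-01", "cve": "CVE-0000-0002", "severity": "critical"},
    {"source": "scanner_c", "asset": "lt-0042", "cve": "CVE-0000-0003", "severity": "medium"},
    {"source": "scanner_c", "asset": "ghost-99", "cve": "CVE-0000-0004", "severity": "low"},
]


def key(asset, cve):
    """Canonical (asset, cve) key so one issue seen by two tools becomes one record."""
    return asset.strip().lower(), cve.strip().upper()


def consolidate(findings, scanned, inventory, asset_class=None):
    """Dedupe findings, scope them to a stated asset class, and measure scanner coverage."""
    # Control 3: a clear definition of what is measured (all devices or one class).
    in_scope = {a.lower() for a, c in inventory.items() if asset_class in (None, c)}
    # Control 2: coverage gaps, plus devices the tools see but the inventory does not.
    covered = {h.lower() for hosts in scanned.values() for h in hosts}
    unscanned = sorted(in_scope - covered)
    unknown = sorted(covered - {a.lower() for a in inventory})
    # Control 1: remove duplicates while keeping track of which tools agree.
    unique = {}
    for f in findings:
        k = key(f["asset"], f["cve"])
        if k[0] not in in_scope:
            continue
        rec = unique.setdefault(k, {"severity": f["severity"].lower(), "sources": set()})
        rec["sources"].add(f["source"])
    return {
        "scope": asset_class or "all devices",
        "raw_findings": len(findings),
        "unique_findings": len(unique),
        "coverage_pct": round(100 * len(in_scope & covered) / len(in_scope), 1) if in_scope else 0.0,
        "unscanned": unscanned,
        "unknown_assets": unknown,
    }


if __name__ == "__main__":
    for scope in (None, "server"):
        print(consolidate(FINDINGS, SCANNED, INVENTORY, scope))
```

The same five raw findings report as three unique issues across all devices and two when scoped to servers, and web-02 surfaces as a host no scanner has touched, which is exactly the kind of gap that would otherwise be reported as "no vulnerabilities".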
Another benefit that we didn’t initially anticipate was the efficiency gain from fewer audit disruptions. As we allowed the second line of defence, audit and the SOX team to start using the tool, they quickly began using this data and stopped doing their own assessments/testing. That saved time not only for that team, but also for the IT teams that had to provide that information. To summarise, I find it very interesting that the very thing I complained about most, not having enough resources to address all these emerging security issues, was under my own control all along. By solving the enterprise cyber hygiene basics, I was able to do much more with the same, or fewer, resources. And I think that is, or will become, an expectation of all CISOs in the future. We cannot opt out of running our organisations as efficiently as possible when all the other parts of the company are being compelled to do so. So, think about risk management embedded in security, automation of manually intensive operations, and bringing all security data into one unified framework that is usable to make decisions and move forward. And if you do, you just might get what you need.