Intelligent CISO Issue 1 - Page 42

EXPERT OPINION

this: access to the right information at the right time, trust in the data I was using and automating as much of the process as possible.

Getting the right information

Getting to the right information was a big hurdle. For each security area I focused on, I had to consolidate all of the relevant data. That sounds easy but has proven to be much more difficult than anticipated. Bringing data together from disparate security and other tools and unifying/normalising that data is not easy and can be very time-consuming. I also needed to enhance the data with line of business details, geography, criticality to the company, etc. If we are to make prudent decisions on what to fix and what not to, we must have the right information in order to prioritise. It's not about fixing everything but fixing the right things that most reduce risk for the dollar/pound.

It seems like every CISO I speak to says: 'I have every security tool'. While this may be a slight exaggeration, the premise is sound. Most of us do have plenty of security and other data being collected through the plethora of tools we have. The problem relates to the fact that nothing joins all of the data from the tools into one place and one framework to enable us to understand what our risk posture is. Instead, I was forced to look at each security area and the assessment tools used in an isolated manner. I needed all of the data joined up so I could conjure up a true picture of risk.

Gaining trust in the data

I have found that everyone having trust in the data being used for security is a prerequisite to being able to have a fruitful discussion on the security issues. This is more obvious from the security team's perspective, but even more important for those in the company outside of security who own the responsibility to fix or maintain the data.
A key contributing factor to why we have not solved the basics of security is that we have plenty of tools to automate the generation of data but few, if any, tools to automate the rest of the process.

It's key to remember that most security, at any company, is done by people outside of security. It's the infrastructure teams who patch systems, the developers who write secure or insecure code, it's people all over the company who authorise privileged access.

So, the first few months of using this consolidated data was spent mostly arguing over the validity of the data, and we had setbacks. On one occasion, a certain region of the world did not report on vulnerability data correctly and I reported improved results to the board, only to have to retract this information in the next meeting. Losing trust takes a long time to recover from.

Measures must be taken to ensure that the data being used is of the highest quality so that the discussion can move on from the quality of data to the risks that need to be addressed. So, as I was pulling together this security data from many sources, I had to put in controls to help ensure that duplicate information was removed, gaps were identified (e.g. are your scanners scanning all the devices or only some portion?) and we had clear definitions on what we were measuring (e.g. all devices or just servers).

'I find it very interesting that the very thing I complained about most, not enough resources to address all these emerging security issues, was under my own control all along.'
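The controls the author lists (normalising names and severities across tools, removing duplicates, spotting assets the scanners never touched, enriching findings with line of business and criticality, and stating explicitly what scope a number covers) are shown below as one worked example. This is an added illustration, not the author's tooling or any product's export format; the two scanner exports, the asset inventory, the severity bands and the criticality weights are all constructed for the example.

```python
"""Consolidate vulnerability findings from two scanners into one normalised,
de-duplicated, inventory-enriched view and flag scan-coverage gaps.

Added example (not the author's tooling). All tool exports, the asset
inventory and the scoring weights below are constructed for illustration.
"""
from collections import defaultdict

# Constructed export from a hypothetical "scanner A": numeric CVSS, FQDNs,
# inconsistent case, and one row that is an exact repeat of another.
SCANNER_A = [
    {"host": "WEB01.corp.example.com", "cve": "cve-2023-0001", "cvss": 9.8},
    {"host": "db01.corp.example.com", "cve": "CVE-2022-1111", "cvss": 7.5},
    {"host": "web01.corp.example.com", "cve": "CVE-2023-0001", "cvss": 9.8},
]
# Constructed export from a hypothetical "scanner B": word severities, short
# hostnames, different field names, and one host nobody has in inventory.
SCANNER_B = [
    {"asset": "web01", "vuln_id": "CVE-2023-0001", "severity": "critical"},
    {"asset": "app07", "vuln_id": "CVE-2021-2222", "severity": "medium"},
    {"asset": "rogue9", "vuln_id": "CVE-2020-3333", "severity": "high"},
]
# Constructed asset inventory: the line-of-business, geography and
# criticality context the findings are enriched with.
INVENTORY = {
    "web01": {"type": "server", "lob": "retail", "region": "emea", "criticality": 3},
    "db01": {"type": "server", "lob": "retail", "region": "emea", "criticality": 5},
    "app07": {"type": "server", "lob": "finance", "region": "apac", "criticality": 4},
    "db02": {"type": "server", "lob": "finance", "region": "apac", "criticality": 5},
    "lt042": {"type": "workstation", "lob": "hr", "region": "amer", "criticality": 1},
}

SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def norm_host(name):
    """Short, lower-case hostname so FQDN and short-name records match."""
    return name.strip().lower().split(".")[0]


def norm_cve(cve):
    return cve.strip().upper()


def cvss_to_band(score):
    """Map a CVSS base score onto the same 1-4 band scanner B reports in words."""
    if score >= 9.0:
        return 4
    if score >= 7.0:
        return 3
    if score >= 4.0:
        return 2
    return 1


def normalise_a(row):
    return {"host": norm_host(row["host"]), "cve": norm_cve(row["cve"]),
            "sev": cvss_to_band(row["cvss"]), "source": "A"}


def normalise_b(row):
    return {"host": norm_host(row["asset"]), "cve": norm_cve(row["vuln_id"]),
            "sev": SEVERITY_WORDS[row["severity"].lower()], "source": "B"}


def consolidate(scope="servers"):
    """Return de-duplicated, enriched findings plus coverage and scope reports.

    `scope` is the explicit definition of what is being measured ("servers"
    or "all"), so a reported figure cannot silently change meaning.
    """
    in_scope = {h: a for h, a in INVENTORY.items()
                if scope == "all" or a["type"] == "server"}
    rows = [normalise_a(r) for r in SCANNER_A] + [normalise_b(r) for r in SCANNER_B]

    # De-duplicate on (host, CVE); keep the worst severity and every source.
    merged, seen_hosts = {}, set()
    for f in rows:
        seen_hosts.add(f["host"])
        key = (f["host"], f["cve"])
        if key in merged:
            merged[key]["sources"].add(f["source"])
            merged[key]["sev"] = max(merged[key]["sev"], f["sev"])
        else:
            merged[key] = {"host": f["host"], "cve": f["cve"],
                           "sev": f["sev"], "sources": {f["source"]}}

    findings, unknown = [], set()
    risk_by_lob = defaultdict(int)
    for f in merged.values():
        asset = INVENTORY.get(f["host"])
        if asset is None:
            unknown.add(f["host"])      # scanned, but nobody owns it
            continue
        if f["host"] not in in_scope:
            continue                    # real, but outside the stated measure
        f.update(lob=asset["lob"], region=asset["region"],
                 risk=f["sev"] * asset["criticality"])
        risk_by_lob[f["lob"]] += f["risk"]
        findings.append(f)
    findings.sort(key=lambda f: (-f["risk"], f["host"]))

    return {
        "scope": scope,
        "raw_rows": len(rows),
        "findings": findings,
        "coverage_gaps": sorted(h for h in in_scope if h not in seen_hosts),
        "unknown_assets": sorted(unknown),
        "risk_by_lob": dict(risk_by_lob),
    }


if __name__ == "__main__":
    report = consolidate("servers")
    print(f"{report['raw_rows']} raw rows -> {len(report['findings'])} unique in-scope findings")
    for f in report["findings"]:
        print(f"  {f['host']:6} {f['cve']} sev={f['sev']} risk={f['risk']} "
              f"lob={f['lob']} sources={sorted(f['sources'])}")
    print("not scanned (coverage gap):", report["coverage_gaps"])
    print("scanned but not in inventory:", report["unknown_assets"])
    print("risk by line of business:", report["risk_by_lob"])
```

Three of the six raw rows describe the same web01 finding and collapse into one record carrying both sources, which is the duplicate removal the author describes. The coverage gap report is the answer to "are the scanners scanning all the devices or only some portion?": db02 is in inventory but absent from every export, and rogue9 was scanned but belongs to no inventory record. Calling `consolidate("all")` instead of `consolidate("servers")` changes the gap list, which is exactly why the scope has to be stated alongside any figure that reaches the board.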