Intelligent CISO Issue 01 | Page 43

Measures must be taken to ensure that the data being used is of the highest quality so that the discussion can move on from the quality of data to the risks that need to be addressed.

EXPERT OPINION

Automation of the processes
A key contributing factor to why we have not solved the basics of security is that we have plenty of tools to automate the generation of data but few, if any, tools to automate the rest of the process: the collection and unification, the prioritisation, the driving of remediation and the ability to automatically track that status.
As I began the journey to address enterprise cyber hygiene permanently, I initially focused on doing it manually. I pulled people from other security work and had them focus on pulling the data for a particular security area, say, system vulnerabilities. They pulled data from nearly a dozen sources and then attempted to clean the data so it was complete and accurate. It proved difficult to do and required several revisits and too much time to get acceptable results. Then it had to be enriched with ownership data and put into reports for board and executive reporting.
This manual approach proved to be impossible for me and my team to keep up with monthly. By the time we had one month completed, it was too late to start on the next. Thus, we had no choice but to automate.
As we began to develop process automation around security areas, we discovered several benefits: speed, as we had repeatable automated processes; fewer errors, as we built in logic to catch errors; and greater insights, as the computer saw many things we did not.
Another benefit that we didn't initially anticipate was the efficiency gains from fewer audit disruptions. As we allowed the second line of defence, audit and the SOX team to start using the tool, they quickly began using this data and stopped doing their own assessments/testing. That saved time not only for that team, but also for the IT teams that had to provide that information.
To summarise, I find it very interesting that the very thing I complained about most – not enough resources to address all these emerging security issues – was under my own control all along. By solving the enterprise cyber hygiene basics, I was able to do much more with the same, or fewer, resources.
And I think that is, or will become, an expectation of all CISOs in the future. We cannot opt out of running our organisations as efficiently as possible when all the other parts of the company are being compelled to do so.
So, think about risk management embedded in security, automation of manually-intensive operations and bring all security data into one unified framework that is usable to make decisions and move forward. And if you do, you just might get what you need.