
Making cyber risk reporting fit for purpose.
from TBtech April Edition
by Launched
For those of us involved in IT security, it can be painful to admit, but compared with the reports the board receives from other areas of the business, cyber risk assessments are poorly understood and fail to win support.
They fall short because they lack business context and often present threats in isolation. The underlying reason is that an organisation's cyber teams typically gather static, sampled data that cannot provide anything like the comprehensive assurance a board needs, nor support a compelling narrative.
To add insult to injury, this data is presented poorly – it is either difficult to understand, isolated from other areas of risk, or both. It fails on every level for a board that will be held liable for an attack and will bear the indirect fallout of a substantial loss of reputation.
The Roots Of The Issue
Underneath this problem of poor reporting lies the false assumption that an organisation's ‘cyber tooling’ – the technology used to identify, track, capture and remediate threats – is both up to date and integrated. The hopeful theory is that security teams have a current, holistic view of all risks. The reality in practice is multiple, isolated pieces of technology working from out-of-date data.
To give an idea of the scope of this issue: in early 2023 we surveyed a range of IT decision-makers in the UK and asked how much of their technology estate they had to access in order to produce representative and accurate figures. 15% of businesses reported that they needed to access more than 90% of their technology, a further 37% said they needed to access between 70% and 90%, and another 25% said they needed to access between 50% and 70%.
Consequently, the best a security team can do is produce a set of single-point metrics based on the most recent data available. There is no visibility into the overall effectiveness of the many tools the business has invested in. Organisations should treat their cyber systems as a combined, dynamic mesh rather than as individually used technologies, but they do not. Hence the problems with reporting to the board.
How bad is the situation? Our research showed that 47% of respondents reported a general ignorance of key risk indicators throughout the business.
Overcoming this situation is becoming a top priority for many enterprises; partly because of the demands of regulation, partly due to the ever-growing array of threats that need to be tracked and reported on, and partly because existing investment in cybersecurity systems has been found to deliver poor returns.
Most CISOs are realising that this lack of integration is a major challenge. This does not make them ‘bad’ CISOs; it reflects the reality that without the ability to automate reporting across multiple technologies in real time, using 100% of the data, it is virtually impossible to produce anything other than static snapshots. And those snapshots become obsolete within seconds.
Getting It Right
Successful cyber risk reporting needs a system that first spans multiple sources, then automates the collation of data, and finally complements the wider risk reporting requirements of the business.
The first requirement is the ability to draw on any framework or source of data to feed the technology that generates the reports. These sources can be viewed as assets of the company that create data – so there is a risk both to the asset itself and to the data it creates.
Onboarding a new asset and the data it creates needs to be fast, easy and ‘trustable’ – which is to say there must be a high degree of confidence in the data it presents, and confidence that the asset will not cause problems for the existing systems and sources already feeding into the risk analysis.
The second requirement is a recognition that the technology must be continuous and automated, requiring minimal human input on a day-to-day basis. This automation can then be made more sophisticated and valuable by automatically generating and delivering reports in line with board expectations at any given point. Typically these expectations follow compliance or audit demands, meaning that business leaders can request accurate reports on progress towards those objectives at any time.
The last requirement is not merely one of ensuring consistent presentation between the reporting of cyber risks and of wider risks within the business, but also of ensuring that the visibility, evaluation and prevention of those risks is handled consistently.
Consolidating The Strategy Into A Single Technology
These three requirements are met by continuous controls monitoring (CCM) technology: a combination of software and services designed to automate cybersecurity and risk management processes, continuously monitoring key systems and the data within them, in order to increase operational efficiency, enhance cyber resilience, automate compliance and mitigate risk. The simple truth is that the more a business automates, the more it removes the risk of human error.
Better visibility of assets and improved, consistent cyber risk reporting follow directly from this technology. Once that visibility and accountability are in place, the security and compliance posture of the organisation improves, and automation then allows that improved posture to keep evolving.
Given the huge investment in cybersecurity technology made by most businesses, the continually expanding list of cyber threats, and the fact that any one of those threats is becoming more damaging, cyber risk reporting should not be left to go it alone.