“Recent and well-publicized cyber-attacks have highlighted that a big part of winning at security is ‘getting the basics right’.”
Quite rightly, many in the security industry wince a bit at sentences like the one above. Why? Because in reality, the foundational security controls that are collectively referred to as ‘cyber hygiene’ are anything but basic to implement well, and anything but easy to get right consistently - especially at enterprise scale.
Ultimately, cyber hygiene is the risk-based implementation of controls across what the business runs on (people, machines, applications, and so on), and the continual maintenance of those controls in line with changes in risk exposure. Ideally this would be based on accurate and current knowledge of a firm’s exposure to vulnerabilities and threats. However, in many firms, the way that risk is assessed means this is not the case.
Risk assessments are often done quarterly (in some cases, yearly), and typically involve manually collating data from lots of different people. Their output represents a point-in-time snapshot through what is usually a limited cross-section of the business.
This is not only true of assessing risk, but it’s also true of assuring that the controls that should be in place are in place, and that they’re operating as intended. As the head of cyber risk at a US bank told me recently at a conference: “All the marketing hype today is about detecting threats with Artificial Intelligence and Machine Learning. But right now, there is no single place our CISO can go to see ‘What is the status today of the health of all our controls?’ They have to ask 20 people to get that, and wait about 2 weeks for an answer.”
In the last year, four converging trends have led security teams to re-assess how they measure and improve risk exposure, with a particular view to automating the most time-consuming elements of gathering, correlating and analyzing data so they can monitor the performance of their controls continuously, and optimize them when required.
- Boards are now switched on to the fact that maintaining cyber hygiene is table stakes for mitigating unacceptable operational and financial impacts. In a recent Forbes article, James Lam, a Board member of eTrade, listed his top 5 recommendations for cybersecurity and risk management. Number one on the list? “Double down, or triple down, on the basics.”
- Regulatory scrutiny is no longer just focused on what controls are in place; increasingly firms face questions about how effective controls are, how this is established and how appropriate the frequency and method of assurance is.
- Every enterprise now has multiple modes of IT operations across legacy and cloud environments. This introduces a huge amount of variance that risk assessments need to be tailored for. Teams of people with spreadsheets and clipboards simply cannot keep up with the scale and pace of change.
- Commercial technologies that score organizations’ cybersecurity ‘from the outside in’, using data available from the internet, have become a must-have for CISOs, not only to evaluate third parties but also to see what their own business looks like. As one head of security audit told me: “You have to know your cybersecurity credit rating – there’s really no option.” The flip side of this is that CISOs are now facing questions from insurers and business partners based on what those technologies are saying. To ensure a balanced conversation, companies know that an ‘inside out’ perspective is critical, and that it has to be more comprehensive and rigorous in order to challenge what ‘outside in’ data purports to show.
In view of these trends, a number of firms are now creating roles with titles like ‘Head of Continuous Controls Assurance.’ Their goal is to find ways of applying data analysis to telemetry from security and IT technologies to give the security team ‘always on’ visibility into how their defenses are performing, and also reduce the pain of regular, expensive, slow, invasive, inaccurate and subjective audit exercises.
That’s not to say this is an easy task. Once you hit the level of thousands of machines or users, it becomes fiendishly difficult to join data together from all the sources that are relevant. That’s before you’ve even got to the problem of using that data to paint a clear picture of risk (which can often feel like moving deck chairs on the Titanic).
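To make the joining problem concrete, here is an added example (not code from the article or from any product it mentions) of the kind of control-health join a continuous controls assurance function automates: reconciling an asset inventory against endpoint agent heartbeats and patch-management status to produce per-host findings and estate-wide coverage figures. All feeds, hostnames, field names and thresholds below are constructed for illustration; in practice each feed would be an export or API call from the respective tool.

```python
"""Constructed continuous-controls-assurance join: CMDB + EDR heartbeats + patch status.

Every record here is made up for illustration; field names and the
seven-day heartbeat threshold are assumptions, not any vendor's schema.
"""
from datetime import datetime, timedelta

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2018, 3, 1, 12, 0)

# Constructed asset inventory (what the business says it runs on).
CMDB = [
    {"host": "web-01", "owner": "ecommerce", "tier": "critical"},
    {"host": "web-02", "owner": "ecommerce", "tier": "critical"},
    {"host": "hr-db-01", "owner": "hr", "tier": "high"},
    {"host": "dev-box-07", "owner": "engineering", "tier": "low"},
]

# Constructed endpoint-agent feed: host -> last check-in time.
EDR_HEARTBEATS = {
    "web-01": NOW - timedelta(hours=1),
    "web-02": NOW - timedelta(days=9),          # agent has gone quiet
    "hr-db-01": NOW - timedelta(hours=3),
    "rogue-vm-3": NOW - timedelta(minutes=5),   # seen by EDR, missing from CMDB
}

# Constructed patch-management feed: host -> number of missing critical patches.
PATCH_STATUS = {"web-01": 0, "hr-db-01": 4, "dev-box-07": 1}

MAX_HEARTBEAT_AGE = timedelta(days=7)   # assumed policy: an agent silent longer than this is "stale"
TIER_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def assess_host(record, heartbeats, patches, now=NOW):
    """Join one CMDB record with the telemetry feeds and list its control gaps."""
    host = record["host"]
    last_seen = heartbeats.get(host)
    edr_ok = last_seen is not None and (now - last_seen) <= MAX_HEARTBEAT_AGE
    missing = patches.get(host)
    patch_ok = missing == 0

    findings = []
    if last_seen is None:
        findings.append("no EDR agent reporting")
    elif not edr_ok:
        findings.append(f"EDR agent stale ({(now - last_seen).days}d)")
    if missing is None:
        findings.append("not in patch management")
    elif missing:
        findings.append(f"{missing} critical patches missing")

    return {
        "host": host,
        "owner": record["owner"],
        "tier": record["tier"],
        "edr_ok": edr_ok,
        "patch_ok": patch_ok,
        "findings": findings,
    }


def assess_estate(cmdb, heartbeats, patches, now=NOW):
    """Assess every inventoried host and summarise coverage across the estate.

    Returns (per-host results sorted by business tier, summary dict). Hosts that
    appear in telemetry but not in the inventory are reported as unknown assets,
    since an unmanaged machine is itself a hygiene finding.
    """
    results = [assess_host(r, heartbeats, patches, now) for r in cmdb]
    results.sort(key=lambda r: (TIER_RANK.get(r["tier"], 99), r["host"]))

    known = {r["host"] for r in cmdb}
    unknown = sorted((set(heartbeats) | set(patches)) - known)
    total = len(results)

    summary = {
        "hosts": total,
        "edr_coverage_pct": round(100 * sum(r["edr_ok"] for r in results) / total, 1),
        "patch_coverage_pct": round(100 * sum(r["patch_ok"] for r in results) / total, 1),
        "critical_with_findings": [
            r["host"] for r in results if r["tier"] == "critical" and r["findings"]
        ],
        "unknown_assets": unknown,
    }
    return results, summary


if __name__ == "__main__":
    hosts, summary = assess_estate(CMDB, EDR_HEARTBEATS, PATCH_STATUS)
    for h in hosts:
        status = "OK" if not h["findings"] else "; ".join(h["findings"])
        print(f"{h['tier']:<9}{h['host']:<12}{h['owner']:<13}{status}")
    print(summary)
```

The point of the example is the shape of the work rather than the numbers: each feed disagrees with the others about which machines exist, so the join has to surface both sides of the mismatch (a critical host whose agent has gone quiet, and a machine the agent sees that the inventory does not), and the output is ordered by business tier so that the findings are already prioritised when they reach the team.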
However, the pay-offs for doing this are huge. Increased efficiency, better information for prioritizing where teams focus, less time spent doing assessments and more time spent doing security make it a no-brainer.
All of this explains why automating cyber hygiene is a top priority for so many organizations in 2018. The more frequently you measure and improve cyber hygiene, the more data you use, and the more joined up that data is, the better the insight and evidence you have to reduce the business’s exposure to compromise and impact.