Solving the CISOs’ Board reporting problem

Nik Whitfield, CEO, Panaseer – a cyber security software company

Boards and security leaders alike are aware there are big problems with how cyber security risk is being reported.

KPMG’s Global Audit Committee Survey 2015 showed members were increasingly concerned about the information they receive on cyber risks – and its quality. 41% said it needed improvement. In a similar 2015 KPMG survey, more than 1,000 senior executives said cyber security needs more time on the full Board’s agenda.

Today’s challenge for the Board is “How do I make sense of the information I’m being shown, to understand what it means for my business?” Meanwhile, the challenge for security leaders is “How do I give my Board a top-down, joined-up view of the business risk from ‘cyber’, and articulate how my security budget is managing that risk?”

The current reality for security teams globally is a huge amount of valuable data held in silos, tactical and manual reporting, and technology that doesn’t integrate well. As a result, teams are firefighting. They spend a lot of time in spreadsheets, battling to make sense of data from individual solutions, and then more time translating that data into communications for many different stakeholders, from executives to IT operations to audit.

What this means is that security leaders do not have the visibility they need into security risk and performance. As a consequence, it’s a struggle to prove value and give stakeholders the confidence that priorities are justified.

Many organisations are looking beyond the limits of SIEM and search/query technologies, and asking how they can get a near-real-time view from their security data of the risk to critical assets. Rather than chasing alerts, they want situational awareness of their digital environment. They want to know “How are my controls performing across my environment?” and compare the ROI of those controls in blocking and alerting on threat activity. They also want to identify threats operating above their control baseline, and verify whether new technologies like UBA (user behaviour analytics) are delivering the value they claim. What they don’t want to do is buy yet more point solutions to answer these questions.

They also want a way to create and visualize metrics, track trends and show improvement, automate compliance reporting, give different people the view they need of enterprise and security data, and enable risk decisions that are based on more than a single piece of the risk puzzle.

There are huge opportunities at the intersection of data science, big data technology and cyber security to lay a foundation for businesses to gain control over ‘cyber’ as a business risk. Global banks are hiring data scientists and aggregating data into Hadoop environments, often for threat detection. But the value of measuring and visualising risk and security performance, in order to get upstream of detecting and responding to threats and improve overall protection, goes far beyond the current buzzword of threat hunting.

As organisations look to gain continuous visibility into risk and security performance in order to manage it, there are three critical questions they must answer to work out how able they are to take a data-driven approach: What data do we have available, and what is its quality? What does that mean for the insight we can get from it? What is our game plan to add and improve our data sources so that we can answer the questions that matter most?

Forward-thinking organisations are answering those questions now. As they are finding, adding whatever data is available into a platform on a speculative basis leads, more often than not, to a situation down the line where either the data itself, or the platform it sits in, puts the insight they want out of reach.
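The three questions above become concrete once you try to compute a single board-level metric from siloed data. The Python below is an added example, not code from the article or from Panaseer: it joins a constructed CMDB inventory with constructed EDR and vulnerability-scanner records on hostname, computes control coverage per asset criticality tier, and surfaces the data-quality gaps (stale records, hosts unknown to the CMDB, hosts the control has never seen) that decide how much the coverage number can be trusted. All hostnames, dates, tiers and the 7-day freshness window are assumptions made up for the example.

```python
"""Control-coverage metrics from siloed security data (constructed example).

Three constructed sources joined on hostname:
  - CMDB: the authoritative asset list, with business criticality
  - EDR agent check-ins: last-seen date per host
  - vulnerability scanner: last successful scan date per host
"""
from datetime import date, timedelta

AS_OF = date(2015, 12, 31)         # reporting date for the sample (assumed)
STALE_AFTER = timedelta(days=7)    # a record older than this does not count as coverage (assumed)

# Constructed sample data; none of it comes from a real environment.
CMDB = {
    "web-01": "critical", "web-02": "critical", "db-01": "critical",
    "app-01": "high", "app-02": "high",
    "build-01": "low", "hr-01": "low",
}
EDR_LAST_SEEN = {
    "web-01": date(2015, 12, 30), "web-02": date(2015, 12, 12),   # web-02 agent gone quiet
    "app-01": date(2015, 12, 31), "build-01": date(2015, 12, 29),
    "hr-01": date(2015, 12, 31), "lab-99": date(2015, 12, 31),    # lab-99 is not in the CMDB
}
SCANNER_LAST_SCAN = {
    "web-01": date(2015, 12, 28), "db-01": date(2015, 12, 27),
    "app-01": date(2015, 12, 29), "app-02": date(2015, 12, 1),    # app-02 last scanned a month ago
    "hr-01": date(2015, 12, 30),
}
CONTROLS = {"edr": EDR_LAST_SEEN, "vuln_scan": SCANNER_LAST_SCAN}


def is_fresh(seen: date, as_of: date = AS_OF) -> bool:
    """A record counts only if it is within the freshness window."""
    return as_of - seen <= STALE_AFTER


def coverage_by_criticality(source, inventory=CMDB, as_of=AS_OF):
    """Fraction of inventory assets per criticality tier with a fresh record in `source`.

    The CMDB is the denominator: a host the control has never seen still counts
    against coverage, which is the whole point of joining the silos.
    """
    tiers = {}
    for host, tier in inventory.items():
        covered, total = tiers.get(tier, (0, 0))
        seen = source.get(host)
        fresh = seen is not None and is_fresh(seen, as_of)
        tiers[tier] = (covered + int(fresh), total + 1)
    return {tier: round(c / t, 2) for tier, (c, t) in tiers.items()}


def data_quality(source, inventory=CMDB, as_of=AS_OF):
    """Gaps that limit the insight: what the first of the three questions is really asking."""
    return {
        # known hosts whose record is too old to trust
        "stale": sorted(h for h, d in source.items() if h in inventory and not is_fresh(d, as_of)),
        # the control knows hosts the inventory does not: the CMDB itself is incomplete
        "unknown_to_cmdb": sorted(h for h in source if h not in inventory),
        # inventory hosts the control has never reported on at all
        "missing_from_source": sorted(h for h in inventory if h not in source),
    }


def below_target(controls=CONTROLS, target=0.95, **kw):
    """(control, tier, coverage) triples under target: the exception list a board report leads with."""
    exceptions = []
    for name, source in controls.items():
        for tier, frac in coverage_by_criticality(source, **kw).items():
            if frac < target:
                exceptions.append((name, tier, frac))
    return sorted(exceptions)


if __name__ == "__main__":
    for name, source in CONTROLS.items():
        print(name, "coverage:", coverage_by_criticality(source))
        print(name, "data quality:", data_quality(source))
    print("below 95% target:", below_target())
```

Note how the two outputs belong together: EDR coverage of critical assets reads 33%, but the data-quality view shows that one third of that gap is a stale agent rather than a missing one, and that a host exists which the inventory does not know about at all. Reporting the coverage figure without the quality figure is exactly how a speculative data aggregation ends up producing numbers nobody on the Board can act on.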
