TEISS guest blogger, Piers Wilson of Huntsman Security, explains why the key to organisational information security is having the right information in an easily accessible format - a cyber security scorecard.
Cybersecurity is a key focus for all businesses – after all, falling victim to a hacker can cause permanent and far-reaching damage. This was clearly demonstrated by the UK government’s cyber security breaches survey, which showed that 43 percent of businesses were breached in 2017.
Yet despite growing awareness, it is questionable whether anyone beyond the IT security team really understands what’s going on within an organisation. In addition, do cyber teams truly have a full overview of the status of all systems all the time? With limited visibility it is hard to judge what to improve, where to invest, and whether special attention should be given to particular areas to avert a potential risk. With the stakes as high as they are, this lack of clarity cannot be the norm.
Shining a light on IT security
The CISO and their team have the best overview of cyber threats in most organisations. However, in many cases they use complex technical language, which can make it harder for the rest of the business to understand. Add to this the fact that many employees simply don’t think they’ll be targeted, and so have little reason to learn or understand the terminology, and it’s easy to see why a lack of understanding can make some businesses easy pickings for hackers.
Quite often the level of comprehension of cyber risk is low even at C-Suite level, due to a lack of awareness or even interest. This makes the CISO’s job much harder when justifying higher investment or conveying cyber risk.
As such there is a need for a clear way of measuring, explaining, reporting and highlighting cyber risks. One option is to put in place a process that automatically categorises the risks and the level of protection the company has. This could be mapped back to specific tools or processes – for instance, best practices such as patching, restricting administration rights and creating backups – using an established set of criteria, such as those published by Government, law enforcement or intelligence organisations.
Ideally, cybersecurity performance should then be conveyed through visual means – much like a scorecard. This needn’t be complex: simple “traffic lights” or percentage scoring systems will give enough information to educate the wider organisation and the C-Suite as to what the current level of achievement is, what positive changes need to take place, and how to justify future investment in new technologies.
Continually reducing risk
The use of simple, visual indicators for cybersecurity posture would also ensure that routine but vital tasks don’t fall through the gaps – even when the cybersecurity team is focussing on other issues. Patching is one clear example: attackers are always looking for a new exploit or technique, so not keeping systems patched up to date could leave the business vulnerable to known attacks. However, if the team is already busy doing other tasks, it is something that could be easily missed.
A visual indicator that clearly and simply signposts whether basic but vital tasks have been performed on time will reduce the risk of these being missed. While simple on the face of it, in reality this could make a huge improvement to the cybersecurity posture of many organisations.
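The scorecard idea from the two sections above, worked through as an added example (this is illustrative code, not Huntsman Security’s product): each host contributes a measurement for the three controls named in the article (patching, admin rights, backups), hosts are rated green, amber or red against assumed thresholds, each control rolls up to a coverage percentage and a traffic light, and the hosts that are overdue are listed so that nothing “falls through the gaps”. The host records and all thresholds are constructed assumptions.

```python
# Constructed sample telemetry: one record per host, in the shape an asset
# inventory or patch-management export might provide (not real data).
HOSTS = [
    {"name": "web-01",  "days_since_patch": 3,  "local_admins": 1, "last_backup_days": 1},
    {"name": "db-01",   "days_since_patch": 21, "local_admins": 4, "last_backup_days": 9},
    {"name": "hr-pc-7", "days_since_patch": 45, "local_admins": 1, "last_backup_days": 1},
    {"name": "file-02", "days_since_patch": 10, "local_admins": 1, "last_backup_days": 5},
]

# Assumed thresholds per control: the field measured, the largest value that
# still counts as green, and the largest value that still counts as amber.
CONTROLS = {
    "patching":     ("days_since_patch", 14, 30),
    "admin_rights": ("local_admins",      1,  2),
    "backups":      ("last_backup_days",  7, 14),
}

def host_light(value, green_max, amber_max):
    """Traffic light for one host's measurement of one control."""
    if value <= green_max:
        return "GREEN"
    return "AMBER" if value <= amber_max else "RED"

def score_control(hosts, field, green_max, amber_max):
    """Percentage of hosts that are green, plus the hosts that need chasing."""
    lights = {h["name"]: host_light(h[field], green_max, amber_max) for h in hosts}
    pct = round(100 * sum(l == "GREEN" for l in lights.values()) / len(lights))
    overdue = sorted(n for n, l in lights.items() if l != "GREEN")
    return pct, overdue

def control_light(pct):
    """Roll a coverage percentage up to the control's light (assumed bands)."""
    if pct >= 90:
        return "GREEN"
    return "AMBER" if pct >= 70 else "RED"

def scorecard(hosts, controls=CONTROLS):
    """One row per control: (coverage %, traffic light, overdue hosts)."""
    card = {}
    for name, (field, green_max, amber_max) in controls.items():
        pct, overdue = score_control(hosts, field, green_max, amber_max)
        card[name] = (pct, control_light(pct), overdue)
    return card

def overall_score(card):
    """Headline percentage for the board: the mean of the control coverages."""
    return round(sum(row[0] for row in card.values()) / len(card))

if __name__ == "__main__":
    card = scorecard(HOSTS)
    for name, (pct, light, overdue) in card.items():
        print(f"{name:12} {pct:3d}%  {light:5}  chase: {', '.join(overdue) or '-'}")
    print(f"overall      {overall_score(card):3d}%")
```

The percentage is what the wider business sees; the overdue list is the signpost for the security team, so a single badly managed host (db-01 here) cannot hide inside a healthy-looking average.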
Beyond the business
Having an easy way to understand an organisation’s level of cybersecurity protection – its defensive posture – has other benefits too. Today when doing business with other organisations, it can be hard to determine whether sharing data could increase the cyber risk for any of the parties – beyond conducting a costly and cumbersome individual audit of the business. Putting in place technology that quickly outlines the risk profile of a company can help to show business partners or suppliers that everyone is meeting a minimum level of security.
Partners might still want to follow up with a full audit, but all parties can be much more confident in the results. This builds trust between organisations and ensures both sides understand any potential risks in sharing and protecting data.
In addition, with cyber-insurance becoming a necessity for many organisations, it can make it easier for insurers to verify that a business has reached and is maintaining a certain level of protection. In a similar fashion to ‘black boxes’ fitted to cars that monitor how safely the car is driven, a “cyber-scorecard” can reduce premiums by making actual risk levels much more transparent and easier to base underwriting decisions on. It could also be used to offer a reduction in premiums to organisations that continually work to reduce the cyber risk they face – further incentivising positive change and making breaches (and hence payouts) less likely.
Back to basics
Despite there being more recognition of the cyber risks that businesses face, there still needs to be a better way of monitoring and understanding the risk – both within security teams and across the wider organisation. A ‘one stop shop’ that provides an easy to understand overview can help to guide decisions about cybersecurity, whilst building visibility and trust across the organisation. This should make it easier to justify investment from key stakeholders by showing improvements and issues, whilst making it easier to work with other companies with which you share data and ensuring cyber insurance premium rates are more appropriate.
Piers Wilson is Head of Product Management at Huntsman Security.
Huntsman Security provides enterprise cyber security solutions to fulfil both compliance and advanced security objectives, as well as Computer Assisted Audit Technology (CAAT) to enable the ongoing measurement of an organisation’s cyber posture.
Illustration under licence from iStockPhoto.com, credit kevinjeon00