uh-oh-cio

August 07, 2017

Sophie Harrison

“I process billions of dollars of transactions per week. Each quarter my control functions in fraud, compliance and security bring me a report about what went wrong and what needs to improve. With instant payments, [redacted], and all the fin-tech we’re adopting, I need to run my business today, using today’s information.”

A few months ago, my inbox pinged with a note from a friend who was working on the security side of lots of buzzwordy projects for a firm that sits at the core of the financial ecosystem. The entirety of the text was the quote above. The subject line was simply: uh-oh cio

Over the last year at Panaseer, we’ve heard lots of similar comments in conversations with execs who head up business lines and technology functions. They need meaningful, timely, data-driven insights about cybersecurity — and they want them by yesterday.

This is for two reasons.

First, they all know it’s getting harder to make effective, defensible management decisions if they don’t understand what data from the various technologies that make up their operating environment is telling them.

Second, they know that with all the moving parts that contribute to risk exposure, the ability to prioritise budgets and people for best result means understanding changes in their environment day-to-day and week-to-week — then being able to ‘run their business’ with as much automation as possible off the back of what data tells them.

Security leaders are acutely aware of the need for automation of risk measurement, management and communication. An obvious reason is that manually preparing reports drains precious time from already scarce headcount. Less often talked about is the fact that old-school ways of doing risk assessments and making go/no go decisions that affect business and/or IT processes have reached breaking point as they face an onslaught from new IT operating models. Example: attaching security team members as consultants to manually ‘assess risk’ across multiple app dev projects is simply unworkable when code is moving into production at the speed of a devops pipeline.

Sure, some security teams have groovy-looking ‘dynamic dashboards’ for executive reporting. But peer underneath them and you’re likely to find they’re built off spreadsheets that are filled in over a period of several weeks by someone whose job description definitely didn’t include ‘Running around all our control functions asking for data and then dealing with the horror of a spreadsheet so old no one knows who wrote the macros’.

Unfortunately, teams looking to solve this problem are stuck between a rock and a hard place. To the right of them, there’s a plethora of technologies dedicated to generating tactical alerts (and yet more dedicated to triaging those alerts to reduce abysmal false positive rates). To their left, there’s ‘risk management software’ that’s built on legacy technology, which lacks the flexibility needed to analyse data at the speed and scale required to automate security risk management decisions across the lifecycle of business and IT processes.

This has left a huge gap in the capabilities firms need to measure, manage and communicate cybersecurity risk at the speed of business. And without the right tools to do data-driven risk management at enterprise scale, security teams are struggling to keep up.

@panaseer_team is changing that.