Ahead of the curve: cybersecurity trends and the future of CCM
November 26, 2020
When it comes to cybersecurity trends, savvy teams will try to get ahead of the curve. That means getting the right tools in place now.
This year saw a huge step in the right direction for Continuous Controls Monitoring, as it was included in Gartner’s Hype Cycle for Risk Management. Within that Hype Cycle, Gartner foresaw that Continuous Controls Monitoring will be essential tech for large, heavily regulated organisations in the next few years.
Fast forward to a few weeks ago as I read an article by security thought leader and CCM advocate Phil Venables. In it, he outlined six major themes and cybersecurity trends for the 2020s that will be seen as the differentiator for great security programmes.
His key point that inspired this blog is this:
‘We need to think of controls as code so we can do Continuous Controls Monitoring, controls assurance and move to provable security. I talk about this a lot, for a reason, that most bad things happen not because we didn’t foresee the need for a control but rather that the control we thought we had in place was not present or operational when we needed it the most.
We need to understand what controls we should have, constantly monitor for their correct presence and operation. Then we can treat failures as control incidents irrespective of whether they become security incidents.’
When he said ‘I talk about this a lot’ – I know how he feels. It’s something we here at Panaseer have been shouting about for years.
So, off the back of these two things, I thought I’d look at what the future holds for Continuous Controls Monitoring.
Let’s highlight three cybersecurity trends that CCM can help with. We are seeing more tools, more scrutiny, and more scarcity of staff. And these challenges are trending upward, which means they are getting worse.
In our research report, we found that security teams typically use 50+ security tools, none of which are designed to work together. This leads to data silos, tool sprawl and mass disconnect; disparate data becomes a massive problem. Organisations see new vendors in the market that have carved out a niche in a particular area, and they make a purchase, but they don’t always switch off or re-evaluate what they already have.
What if something happens and that old tool could have helped? It’s just easier to keep it in place, right?
Well, not necessarily. Having more tools does not mean better security, so simply buying more tools can be counter-productive.
In conversations with security and risk leaders, we are hearing that regulators are becoming increasingly demanding about the reports they receive. They want more data — more evidence — about security posture.
On top of that, regulations are becoming more stringent. Let’s take a look at the MAS Cyber Hygiene Notice. This regulation requires that banks working in Singapore must have controls present on every system. It came into effect in August of 2020. But at this moment in time, how many organisations can genuinely give evidence that every system has malware protection, patched vulnerabilities, or is conforming to internal policy?
In the next five to ten years, regulations with this kind of high specification will be far more wide-reaching, and security and risk functions will have to prove that every system has controls in place. It’s going to be increasingly difficult to respond to regulatory requests quickly and accurately. This increase in regulatory scrutiny is something we explored in more detail in our Governance, Risk and Compliance whitepaper.
Perhaps it’s overplayed and overshared within the industry, but the global shortage of cybersecurity professionals has not gone away. A 2019 report suggested the shortage was over 4 million. And the gap appears to be widening: ‘If talent production continues at today’s pace, businesses will continue to fall behind’, according to Forbes.
So, what’s a good way to help existing security pros get the job done? Automation.
In the research paper I mentioned earlier, we found that 36% of a security team’s time is taken up by reporting. It could be hugely advantageous to spend that time on doing security rather than reporting on security. Some organisations are using massive headcount on their security reporting capabilities. Implementing automation in security reporting can help to save time and resource.
Looking to the future
The fact is, these cybersecurity trends, challenges, call them what you like, are on the rise. As security pros we need to grow with those challenges, and hopefully outgrow them. While Continuous Controls Monitoring can’t save the world from any current or future global disasters, it can help to improve the maturity of security measurement programmes, which can get you ahead of the curve.
We talk a lot about the maturity of an organisation’s security measurement programme. Here’s a graphic from our 2020 Security Metrics Report that explains what we mean.
From this graphic, you can see that the key ingredient in improving maturity is automation.
I recently spoke with David Fairman, another CISO and Continuous Controls Monitoring advocate, about security controls coverage metrics. He spoke about two of the key ways automation can help when it comes to security measurement.
The first: ‘Automation drives consistency. When a process is automated, we know that we get accurate results time and time again. That means we have a high level of confidence in the validity of those results and the data is not in question.’ The second: ‘Reducing operational cost. The security function always needs to be thinking about how we are reducing operational costs and maximising productivity benefit.’
While this can help to address the scarcity trend, how can it help with tools and scrutiny?
Well, when it comes to the tools, CCM technology uses an entity resolution process: it takes data from various disparate data sources and tools and aggregates it into one trustworthy inventory of entities (i.e. devices, people, accounts, databases). That means all the data from all your siloed tools comes together in one unified repository.
This also helps with increased scrutiny from regulators. CCM provides a view of compliance at an entity level, across the whole estate: not just devices, but also people, accounts and applications, across various use cases. This allows organisations to respond to regulatory requests more quickly and accurately than ever.
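As an added illustration of the entity resolution and entity-level coverage view described above (this is not Panaseer’s code or data model; the three tool exports, their field names and the SLA thresholds are constructed assumptions), the Python below joins the exports onto one device inventory and records every device whose control is either absent or has stopped operating as a control incident, in the sense Venables describes:

```python
# Constructed data, not Panaseer's code or data model; field names and thresholds are assumptions.
CMDB = [  # asset register: the authoritative list of devices that should exist
    {"fqdn": "web01.corp.example", "ip": "10.0.0.11", "owner": "payments"},
    {"fqdn": "db02.corp.example", "ip": "10.0.0.22", "owner": "payments"},
    {"fqdn": "lap-0451.corp.example", "ip": "10.0.5.77", "owner": "finance"},
]
EDR = [  # malware-protection agent check-ins, keyed by upper-case short hostname
    {"host": "WEB01", "last_seen_days": 0},
    {"host": "LAP-0451", "last_seen_days": 21},  # installed, but no longer reporting
    {"host": "PRINT-SRV", "last_seen_days": 1},  # unknown to the CMDB
]
VULN_SCAN = [  # vulnerability scanner results, keyed by IP address only
    {"ip": "10.0.0.11", "scanned_days_ago": 3},
    {"ip": "10.0.0.22", "scanned_days_ago": 40},  # last scan outside the SLA window
]

def resolve_entities(cmdb, edr, scan):
    """Join each tool's records onto one device record, matching on short hostname or IP.
    Unresolved records are devices a tool sees but the register does not: missing data."""
    by_short = {r["fqdn"].split(".")[0].lower(): r["fqdn"] for r in cmdb}
    by_ip = {r["ip"]: r["fqdn"] for r in cmdb}
    entities = {r["fqdn"]: {"owner": r["owner"], "edr": None, "scan": None} for r in cmdb}
    unresolved = []
    sources = (("edr", edr, lambda r: by_short.get(r["host"].lower()), "host", "last_seen_days"),
               ("scan", scan, lambda r: by_ip.get(r["ip"]), "ip", "scanned_days_ago"))
    for field, records, match, id_key, value_key in sources:
        for r in records:
            fqdn = match(r)
            if fqdn is None:
                unresolved.append((field, r[id_key]))
            else:
                entities[fqdn][field] = r[value_key]
    return entities, unresolved

def control_incidents(entities, edr_max_days=7, scan_max_days=30):
    """A control must be present AND operating: 'absent' and 'stale' are both failures."""
    checks = (("malware_protection", "edr", edr_max_days),
              ("vulnerability_scan", "scan", scan_max_days))
    incidents = []
    for fqdn, e in sorted(entities.items()):
        for control, field, max_days in checks:
            if e[field] is None:
                incidents.append((fqdn, control, "absent"))
            elif e[field] > max_days:
                incidents.append((fqdn, control, "stale"))
    return incidents

def coverage_pct(entities, incidents):
    """Devices with no open control incident, as a percentage of the register."""
    failing = {fqdn for fqdn, _, _ in incidents}
    return round(100 * (len(entities) - len(failing)) / len(entities), 1)
```

On this constructed estate the register shows 33.3% coverage, with four control incidents and one device (PRINT-SRV) that the EDR tool knows about but the asset register does not.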
It sounds good, but it’s difficult to do. Nevertheless, within the next few years, analysts expect to see wider adoption of CCM and automated security measurement.
This is because CCM can help to support world-class security metrics and measurement capabilities for organisations, helping to take them to the ‘upper intermediate’ stage of maturity. Current CCM platforms are capable of providing a view so that users can take action – your team interprets the metrics and dashboards about your organisation’s security posture, then takes steps to remediate.
Then, rather than just presenting you with the data in a way that helps you, as it currently does, CCM will be able to highlight areas of concern based on trends in the data. For instance, highlighting where a number suddenly dropped or precipitously increased. Or where you are missing critical data. Perhaps a measurement that would help gain visibility in areas that are important to you.
In the future, we hope to see organisations reaching the ‘advanced’ stage.
One day, it will automate not just the measurement and metrics, but interpret them, and take automated remedial action.
After that, it will be able to do future extrapolation, predict where control gaps or failures are likely to occur, and take action before they do.
Maybe I’m getting ahead of myself and venturing into the realm of HAL 9000, but it is certainly worth thinking about. Increasingly challenging cybersecurity trends – more tools, scrutiny, and scarcity – can be offset to some degree by embracing automation in the form of technology like Continuous Controls Monitoring.
Get in touch
If you want to see Continuous Controls Monitoring in more depth, feel free to reach out and we can set up a further discussion.