Cybersecurity measurement trends for 2021
February 17, 2021
How can organisations get better visibility into their assets and controls? How can they save on time and resources? How can they get better trust in their security data? The answer, as with many things, is easier said than done.
Towards the end of last year, I wrote a bit about cybersecurity trends and the future of Continuous Controls Monitoring (CCM). This time around, I wanted to take a look back at some of our reports and studies to look at trends in security measurement that will continue to be top of mind in 2021.
Over the last few years, in doing studies and talking with industry experts and customers, it has become clear that there are three continuing trends we are seeing when it comes to security metrics and measurement.
These trends revolve around three key themes: visibility, resources, and trust.
Visibility is the key to quality security measurement
There is an increasing need for continuous visibility in security measurement. A manual, point-in-time approach only provides a snapshot of an organisation’s true security posture – it is outdated almost as soon as it is produced and no longer stands up to increasing scrutiny.
Research conducted for the Security Leaders Peer Report indicates that lack of visibility is a common issue that impedes improvement to cybersecurity posture in an organisation. Similarly, the Forrester study on Continuous Controls Monitoring found that organisations have two top challenges when it comes to their security tools: understanding gaps in controls coverage and getting a comprehensive list of assets. In short, they lack visibility into their assets and controls.
In the first instalment of our Metric of the Month series, we discussed controls coverage with David Fairman, an experienced CISO, adjunct cybersecurity professor, and member of our advisory board:
‘The only way you can have true confidence in your overall security programme is to measure not only controls operating effectiveness, but also by measuring your controls coverage. I want to know where I have gaps. As security professionals, the things that get you in trouble are the things you don’t know about.’
Security measurement takes up precious resources
Security functions are wasting valuable time and resources on lengthy, error-prone manual processes. This challenge is particularly pertinent given the perceived shortage of security professionals. Our Security Metrics Report found that the second biggest challenge when producing security metrics was the time and resources required, with 21% of responses. That is not surprising when 71% of organisations said they were using in-house solutions for security measurement and reporting.
Our Security Leaders Peer Report found that 70% of organisations use manually compiled data for reporting and 36% of a security team’s time is spent on reporting. The Forrester report found the same: ‘With all the disparate security technology companies deploy, they rely on manual efforts to aggregate data for reporting. Over half of companies in our study spend days, weeks, or months on reporting on a quarterly basis. The amount of time security teams spend on this easily automated task could be spent on more strategic security initiatives.’
In short, security teams are spending their valuable resources on security measurement when it can be automated to increase productivity. Another influential security leader, Phil Venables, CISO at Google, said in a recent article that ‘cyber-workforce challenges (skills and scarcity) will be better addressed by 10x improvements in productivity vs only 10% improvements in the numbers of professionals’.
Trust is a must for security measurement
Security leaders don’t trust the underlying data they’re using to report on security and compliance. This has been an ‘old’ challenge for some years, but it persists heavily. It came up in all our reports and in several conversations with security thought leaders, which is why it is still considered a trend in security measurement.
The Security Leaders Peer Report found that 89% of large enterprises have concerns based on lack of visibility and insight into trusted data. The aforementioned visibility trend has a close link to trust because ‘security data is either unavailable or not up-to-date; the onus is on the security and IT teams to collect and collate data to report on the overall cybersecurity posture’.
Similarly, the Security Metrics Report found that the top challenge when producing security metrics was ‘trust in the data’, with a considerable 37% of responses. To dive a little deeper into that report, data trust was the biggest challenge when producing metrics for all kinds of purposes and stakeholders, whether it was regulators, auditors, IT, GRC, or the board.
As with the other trends, this one has come up several times in discussions with security leaders. In a discussion with Andrew Jaquith, author of Security Metrics: Replacing Fear, Uncertainty and Doubt, he said that it’s crucial to have trust in the underlying data you’re relying on for security measurement: ‘The keys are consistency and cadence. Document your scope. Demonstrate the chain of custody of the data. Show the lineage: how you got it and where you got it from. Describe what you did with it: how you transformed it, how you handled it, and what you did in all the intermediary steps. The clearer the paper trail, the more trustworthy it’s going to be.’
David Fairman also mentioned this trend when we caught up to discuss security controls coverage. He noted that if ‘questions arise around data integrity, discussions about reducing risk devolve’.
Similarly, when I spoke with one of our customer CISOs, he mentioned that it’s dangerous to trust a single tool, so it’s important to reconcile data sources. Without doing so, different functions may be looking at different tools for the same information – the resulting disagreement leads to ‘paralysis through analysis’. This means you need a single source of truth ‘that everyone can more or less trust’. While it may be impossible to have a perfect golden source of truth, it is at least possible to get all the relevant stakeholders on the same page when it comes to the underlying data behind reporting and measurement.
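To make the two ideas above concrete, here is an added example (written for this page, not Panaseer’s product code or any customer’s tooling) that reconciles asset lists from several tools, records which source knew about each asset so the lineage of the number is visible, and then computes a controls coverage metric with its gaps. The three inventories, the hostnames and the tool names are constructed sample data; the normalisation rule (lower-case, strip the domain) is an assumption that stands in for whatever matching rules a real reconciliation would need.

```python
"""Controls coverage over reconciled asset inventories (constructed example)."""
from datetime import datetime, timezone

# Constructed sample inventories: each tool reports the hosts it knows about.
# The naming disagreements (case, FQDN vs short name) are deliberate, because
# that is exactly what makes the 'single tool' view untrustworthy.
CMDB = ["web-01.corp.example", "WEB-02.corp.example", "db-01.corp.example", "app-01"]
EDR_AGENTS = ["web-01", "db-01", "app-01", "lab-07"]
VULN_SCANNER = ["web-01", "web-02", "db-01"]

SOURCES = {"cmdb": CMDB, "edr": EDR_AGENTS, "vuln_scanner": VULN_SCANNER}


def normalise(hostname: str) -> str:
    """Assumed matching rule: lower-case short hostname, domain stripped."""
    return hostname.strip().lower().split(".")[0]


def reconcile(sources: dict) -> dict:
    """Union of all assets across tools, keyed by normalised name.

    The value for each asset is the set of sources that reported it, which is
    the lineage record: it shows where every row of the metric came from.
    """
    seen: dict = {}
    for source, hosts in sources.items():
        for host in hosts:
            seen.setdefault(normalise(host), set()).add(source)
    return seen


def coverage(assets: dict, control_source: str) -> float:
    """Fraction of reconciled assets for which control_source has a record."""
    covered = [a for a, srcs in assets.items() if control_source in srcs]
    return len(covered) / len(assets)


def gaps(assets: dict, control_source: str) -> list:
    """Assets the control tool does not know about: the 'things you don't know about'."""
    return sorted(a for a, srcs in assets.items() if control_source not in srcs)


def disagreements(assets: dict, source_a: str, source_b: str) -> list:
    """Assets known to exactly one of two sources, i.e. where the tools disagree."""
    return sorted(a for a, srcs in assets.items() if (source_a in srcs) != (source_b in srcs))


def report(sources: dict, control_source: str) -> dict:
    """One measurement run: scope, inputs, result and gaps, with a timestamp for cadence."""
    assets = reconcile(sources)
    return {
        "measured_at": datetime.now(timezone.utc).isoformat(),
        "scope": sorted(sources),                      # which tools were consulted
        "input_counts": {s: len(h) for s, h in sources.items()},
        "reconciled_asset_count": len(assets),
        "control": control_source,
        "coverage": coverage(assets, control_source),
        "gaps": gaps(assets, control_source),
        "lineage": {a: sorted(s) for a, s in assets.items()},
    }


if __name__ == "__main__":
    run = report(SOURCES, "edr")
    print(f"EDR coverage: {run['coverage']:.0%} of {run['reconciled_asset_count']} assets")
    print("EDR gaps:", run["gaps"])
    print("CMDB vs EDR disagreements:", disagreements(reconcile(SOURCES), "cmdb", "edr"))
```

Note that the denominator is the reconciled union, not any one tool’s list: measured against the CMDB alone, EDR coverage would look complete, and the host only the EDR knows about would never appear as an inventory gap. Keeping the lineage map alongside the percentage is what lets a reviewer trace each figure back to the tool that produced it.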
Bottom line . . . automation
What links these three trends?
How can organisations get better visibility into their assets and controls? How can they save on time and resources? How can they get better trust in their security data?
The answer, as with many things, is easier said than done. Automation.
Progressive organisations are looking to automate security measurement with technology like Continuous Controls Monitoring. Companies like Goldman Sachs, Cisco and Schroders have been embracing the trend by improving their CCM capabilities to enhance security measurement. PwC’s new offering provides similar automated security risk measurement for its customers.
Automation matters for two key reasons. The first is consistency and accuracy: users gain confidence in the validity of the result, so the data itself is no longer in question.
The second is reducing operational cost. Security functions always need to be thinking about reducing costs and maximising productivity. Automating the processes around not just controls coverage metrics, but all security measurement, allows you to scale and reduce the cost of operations. You can take the manual effort out, reducing the number of hands in the process and the resources required.
As automation becomes more standard, security measurement programmes will continue to grow in maturity.
At Panaseer we have been pioneering the category of Continuous Controls Monitoring for some years, a category that targets these three trends and aims to help organisations in maturing along those lines. While I’ve looked at these trends as challenges to overcome, we can look on the bright side: the appetite and uptake of automated security measurement is on the rise in 2021.