From Zero to Hype Cycle: Our journey creating the Continuous Controls Monitoring category
July 21, 2020
It’s an exciting time for all of us at Panaseer – Gartner has officially recognised Continuous Controls Monitoring (CCM) as a Risk Management product category!
This is the first time CCM has appeared in a Hype Cycle or as a category, and I’m thrilled that Panaseer is listed as an inaugural vendor. I feel a huge wave of gratitude for all of those who have helped us along the way.
This journey has taken us six years and I couldn’t be prouder of my team for building a company with meaningful values and a leading product, and for establishing a category that is now recognised by a leading analyst firm such as Gartner. Even better, Gartner rates the benefits of CCM technology as high.
I founded Panaseer for a couple of reasons. The first was nothing to do with cybersecurity. I had some ideas about how we could build a company where people really enjoyed their work, felt a sense of mission and could learn about staying well and becoming leaders. I wanted to build a high performing company with a compassionate culture.
Secondly, I realised that as consumers, our lives are increasingly dependent on enterprise services. Our well-being more than ever relies on banks, energy companies, transport and logistics providers, medical companies, technology companies and more.
To protect our wellbeing, I realised we needed to protect those services and our data within those companies. We need to be assured that those services are going to be up and running and working for us when we need them.
But what worried me was that, despite the increasing billions of dollars invested in cybersecurity, the frequency and cost of cyber incidents were increasing. Whatever the industry was doing, it wasn’t working well enough to solve the cyber problem.
I thought I could see the reason why. I thought I could see the hole in the cybersecurity defences in the companies we rely on, and I believed I could fill the hole using the latest technology: this was how the idea for Continuous Controls Monitoring, and for Panaseer, was born.
Tapping into a market issue
Enterprises, then and now, need to secure their operations and their data in a complex operating environment. For security teams, it’s a real challenge to get clear visibility and understanding of all their technology assets, business services and cybersecurity technologies. And it’s even more of a challenge to understand whether it’s all working optimally, or whether there are holes attackers can exploit.
After all, they have hundreds of thousands of devices, tens of thousands of employees, thousands of applications, volumes of data which defy accurate nomenclature, and all of this distributed on different technology platforms, in different business lines, regions… no wonder security teams are hard-pressed to keep track of every detail.
Cybersecurity risk assessments were being done manually at a ‘point in time’, so they were often incomplete and inaccurate – and out of date by the time they were written. The way I saw it, it was like looking at the world through a strobe light, where once a year you get a flash and see what’s going on, and then it’s dark for 364 days before the next flash – you then made a bunch of assumptions about what had happened in between.
It’s expensive and laborious, but most importantly it’s just not adequate – like flying a jetliner without an instrument panel, where once during the journey the pilot calls someone and asks what their altitude is. Processes like this were stifling mature security programmes. That wasn’t going to work in the world of cybersecurity any longer.
The irony was that enterprise companies had bought all the security technology; they’d spent a fortune playing whack-a-mole. They had all the data – authentication systems, end-point protection systems, phishing testing systems, patch management systems, vulnerability scanners – you name it, they had it. They couldn’t answer the question, ‘What is our security posture?’ but the answer was sitting there in their lap because they had bought all the tools which were generating all the data they needed.
The real problem was in joining that data together so it made sense.
And just imagine if they could? What if they could get 10% more value from all those investments? What if they could see where those defences weren’t switched on? Where they weren’t optimally configured? What if they could work out which things were the most important to protect and prioritise remediation work accordingly? What if they could metricise all of this and give it to the people who make decisions? And give it to the regulators and auditors, instead of running around with spreadsheets and slideshow templates?
What Panaseer did was develop a technology platform that automates that joining process, so the platform pulls data from 10, 20, 50 different vendor technologies or data sources in an enterprise, stitches it all together, and creates the most valuable security metrics over that data for different stakeholders.
Basically, it allows the company to understand ‘What have we got? Is it well defended? What do we need to do next to improve security?’ It’s sophisticated technology, but what it does is simple really – visibility, measurement and remediation for cybersecurity risk.
Creating a category
What we were doing was new, so we had to start building market awareness from scratch. The category name we chose to promote was ‘Continuous Controls Monitoring’ (CCM). We were lucky as there are some amazing advocates of CCM in the industry – Phil Venables, Christian Adam, Dave Ritenour, Rob Hyde, Pete Taylor, Nick Godfrey to name a few.
All the breaches you read about normally have some kind of control failure – the firewall wasn’t well configured, a vulnerability hadn’t been patched, the endpoint detection system wasn’t switched on, the phishing test failed, the WAF wasn’t configured, the user had too many permissions, etc. Simply put, it is often the case that the attacked company had bought the tool, but it wasn’t switched on or operating effectively.
In the world of CCM, those things are continuously and automatically made visible and measured.
That way, you can answer: ‘Do we understand all of our assets? Are all of the controls switched on and working on those assets? Where are the gaps? Which business line isn’t well protected? How well protected are our more critical services?’.
This level of automation means that companies with huge scale and complexity, facing a diversity of threats, automatically understand those measures on a day-to-day or week-to-week basis and know where they need to prioritise effort. That way they can pinpoint where to invest their money, time, energy and technology to best protect themselves.
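As an added illustration of the joining step described above (pulling data from several tools, stitching it together, and measuring whether controls are switched on per asset and per business line), the following Python is not Panaseer’s code and makes no claim about how their platform works. It uses three constructed feeds, a CMDB, an EDR console export and a vulnerability-scanner export, with made-up hostnames, owners, business lines and dates. Each tool names the same machine differently, which is the join problem, and every piece of evidence is evaluated against a snapshot date so the same report can be produced for a date in the past.

```python
"""Control-coverage join in the CCM style (added illustration, not Panaseer's code).

Three constructed feeds stand in for an enterprise's tools; all hostnames,
owners, business lines and dates are made up:
  * CMDB          - what the organisation believes it owns (authoritative)
  * EDR console   - hosts with an endpoint agent and its last check-in
  * vuln scanner  - hosts the scanner actually reached, with open criticals
"""
from collections import defaultdict
from datetime import date

CMDB = [  # constructed sample data
    {"host": "WEB-01.corp.example.com",    "owner": "alice", "line": "Retail"},
    {"host": "web-02.corp.example.com",    "owner": "alice", "line": "Retail"},
    {"host": "DB-01.corp.example.com",     "owner": "bob",   "line": "Retail"},
    {"host": "hr-app-01.corp.example.com", "owner": "carol", "line": "Corporate"},
    {"host": "hr-db-01.corp.example.com",  "owner": "carol", "line": "Corporate"},
]
EDR_AGENTS = [  # constructed sample data
    {"hostname": "web-01",     "last_seen": "2020-07-20"},
    {"hostname": "WEB-02",     "last_seen": "2020-06-01"},  # agent stopped checking in
    {"hostname": "hr-app-01",  "last_seen": "2020-07-21"},
    {"hostname": "lab-box-99", "last_seen": "2020-07-21"},  # not in the CMDB at all
]
SCAN_RESULTS = [  # constructed sample data
    {"fqdn": "web-01.corp.example.com",    "scanned": "2020-07-19", "critical": 0},
    {"fqdn": "db-01.corp.example.com",     "scanned": "2020-07-19", "critical": 3},
    {"fqdn": "hr-app-01.corp.example.com", "scanned": "2020-05-02", "critical": 1},
]


def canon(name):
    """Reduce a hostname to a short, lower-case key so the tools can be joined."""
    return name.strip().split(".")[0].lower()


def fresh(evidence_date, as_of, max_age_days):
    """Evidence counts only if it exists, is not later than the snapshot date,
    and is recent enough for the control to be considered 'working'."""
    if evidence_date is None:
        return False
    age = (as_of - evidence_date).days
    return 0 <= age <= max_age_days


def assess(as_of_iso, cmdb=CMDB, edr=EDR_AGENTS, scans=SCAN_RESULTS,
           max_agent_age=7, max_scan_age=30):
    """Join the feeds as of a snapshot date and measure two controls per asset:
    'edr' (agent present and checking in) and 'scan' (recent vulnerability scan)."""
    as_of = date.fromisoformat(as_of_iso)
    agent_seen = {canon(r["hostname"]): date.fromisoformat(r["last_seen"]) for r in edr}
    scan_of = {canon(r["fqdn"]): r for r in scans}

    assets = []
    totals = defaultdict(lambda: {"edr": [0, 0], "scan": [0, 0]})
    for rec in cmdb:
        key = canon(rec["host"])
        scan = scan_of.get(key)
        scan_date = date.fromisoformat(scan["scanned"]) if scan else None
        scan_ok = fresh(scan_date, as_of, max_scan_age)
        status = {
            "host": key, "owner": rec["owner"], "line": rec["line"],
            "edr": fresh(agent_seen.get(key), as_of, max_agent_age),
            "scan": scan_ok,
            # findings are only trustworthy if the scan itself is current
            "critical": scan["critical"] if scan_ok else None,
        }
        assets.append(status)
        for ctrl in ("edr", "scan"):
            totals[rec["line"]][ctrl][0] += int(status[ctrl])
            totals[rec["line"]][ctrl][1] += 1

    coverage = {line: {c: tuple(v) for c, v in ctrls.items()} for line, ctrls in totals.items()}
    known = {canon(r["host"]) for r in cmdb}
    unknown = sorted(h for h in agent_seen if h not in known)  # a tool sees it, the inventory does not
    # Remediation order: most open criticals first, then fewest working controls
    gaps = sorted(
        (a for a in assets if not (a["edr"] and a["scan"])),
        key=lambda a: (-(a["critical"] or 0), a["edr"] + a["scan"], a["host"]),
    )
    return {"assets": assets, "coverage": coverage, "unknown_hosts": unknown, "gaps": gaps}


if __name__ == "__main__":
    report = assess("2020-07-21")
    for line, ctrls in report["coverage"].items():
        print(line, {c: f"{n}/{d}" for c, (n, d) in ctrls.items()})
    for g in report["gaps"]:
        print("GAP", g["host"], "owner:", g["owner"], "edr:", g["edr"],
              "scan:", g["scan"], "critical:", g["critical"])
    print("in EDR but not in CMDB:", report["unknown_hosts"])
```

Two design points matter more than the toy data. First, freshness thresholds turn “the tool exists” into “the control is working”: an agent that last checked in seven weeks ago is counted as a gap, not as coverage. Second, the join runs in both directions: assets in the inventory with no evidence are control gaps, and hosts a tool sees that the inventory does not are unknown assets, which is the “do we understand all of our assets?” question. Running `assess` with an earlier snapshot date ignores evidence that did not yet exist, which is how the same code answers the question for a past date.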
Importantly, as regulatory regimes get tougher, CCM can help GRC teams attest to their security posture to external auditors and regulators with data they know is complete and accurate. The phrase I hear is, ‘we’re confident to stand behind the data’.
I cannot count the number of briefings we have completed with industry analysts. Suffice to say, it’s been a long education process and I’ve torn through hundreds of slide decks trying to explain how important I believe this is. But perhaps that’s why today’s recognition now feels so validating. After all, good things come to those who wait – there hasn’t been a new security category in the Risk Management Hype Cycle since 2016.
Regarding the technology and process itself, Gartner’s analyst says that ‘the concept and technology supporting Continuous Controls Monitoring is mature, but end-user adoption is not yet pervasive.’
They note that many organisations lack the maturity in their operations functions to actually perform CCM assessments, which contributes to this level of adoption.
The core user audience of CCM, according to Gartner, is those in assurance functions. This falls largely to security teams for reporting on control status, IT teams for reporting on coverage, and risk teams for auditing and reporting on the results.
The truth in my mind is that this ‘single version of the truth’ is for everyone – 1st, 2nd and 3rd line all benefit.
Overall, Gartner sees the pain experienced by these audiences as, ‘Regular testing and auditing of controls […] is usually burdensome to operational teams because there is a high level of manual interaction to transform data on the effectiveness of the controls from the source to the risk and compliance management tools.’
We see this time wasted, but also the challenge these teams have in both protecting the organisation and persuading external bodies that they’re doing the right thing.
The core CCM use case is ‘to automate the manual processes involved in data collection and identification of control exceptions and control failures. In turn, the application of CCM will help the organisation save time and cost of assurance.
The benefit also includes improved overall risk management through a more continuous visibility of the organisation’s control effectiveness and compliance status.’
Gartner rates the benefits of CCM technology as ‘high’ and its maturity as a market as ‘emerging,’ reaching its peak in the next 5-10 years.
We are listed as a vendor alongside Deloitte, SAP, ServiceNow, as well as smaller risk assessment companies BAP and Resolver.
Integrating with frameworks
For most organisations, the easiest way to implement any new processes around security or risk is to start with a template, often in the form of frameworks issued by industry or regulatory bodies. At Panaseer, we recognised this from the outset.
We built control checks that correspond to commonly adopted frameworks, such as NIST, PCI and CIS.
This has proved useful, and Gartner agrees that such frameworks are a great starting point for any organisation starting a CCM journey. Specifically, they call out a number of frameworks we already support out-of-the-box, including NIST CSF and PCI, as well as ISO 27001, COBIT and COSO.
We have also integrated our CCM platform with RSA Archer’s Integrated Risk Management (IRM) platform to provide automated continuous controls and risk monitoring and assurance.
Traditionally, IRM practices have relied on manual, human-driven approaches to self-assess and assure that controls are deployed and implemented correctly. With our integration with RSA Archer, IRM practices that require data to be collected and analysed can be automated with near real-time insights that are easily scalable.
Being a technology and data geek, perhaps the element of our technology I’m most proud of is how rich and insightful the output data is – the ability to see a device, its vulnerabilities, its owner, its applications, their vulnerabilities, the owner’s phish test results, and to quantify this and compare it across legal entities, business lines, business areas, regions, countries… today and for any date in the past – that’s just cool.
Security metrics may sound boring, but for those in the know, this is a super-smart trick to pull off.
Now that Gartner has recognised Continuous Controls Monitoring, I expect to see the category become increasingly important and more widely recognised. We intend to continue to lead the category. And we won’t be resting on our laurels.
To lead the pack, we know we’ll need to continue to engage and educate the security market, whilst enhancing our platform capabilities to address current and emerging assurance audiences. We have an expansive vision which I won’t share here (I’ve learnt a thing or two about competitors over the years!), but you’ll see more as we build out the definition for CCM and our product roadmap.
At a high level, we’re committed to continued innovation and product development to cover more areas of cyber, to introduce more automation, reach more stakeholder groups in the enterprise, and make sure we’re employing the best technology to achieve that aim.
Yes, I’m proud of this achievement. But ultimately, I am most proud of the fact that a group of people have built technology that is being used to protect millions of people around the world.
We’ve done that from our home in London in the UK, and from our team in New York in the US, beating world-leading technology companies along the way. And all of it born out of a basement in Surrey.
This recognition is the icing on the cake. Thank you to everyone who has helped us on our journey so far, and all those who will help us in the future.
We couldn’t do it without you.
If you are a Gartner client, you can read the entire Hype Cycle here: https://www.gartner.com/en/documents/3987308/hype-cycle-for-risk-management-2020