Your security team spends 36% of its time on reporting – here’s how to fix that
October 24, 2019
The risk of a security incident occurring can never be eliminated entirely.
Even if your security team employs the most competent staff, follows the proper processes and uses the right technology, if a threat actor really wants to spoil your day, they can probably find a way to do so.
Coupled with this, the scale, frequency and ingenuity of cyberattacks grow year on year. Hardly a month goes by without a major incident making headlines, and who can say how many breaches go unreported.
Board members are, understandably, nervous and want to do all they can to protect their organisation from the financial, legal and reputational repercussions. As a result, CISOs are regularly hauled into board meetings to report on the threat landscape, vulnerabilities, new regulation and what they are doing to mitigate risk.
All of which, according to our research, is diverting precious time and effort away from the job at hand – securing the organisation and its data.
In fact, our survey found that 36% of security teams’ time is spent producing reports. To make matters worse, 70% of respondents said that the data gathering, formatting and reporting process was manual.
Clearly there are issues here that need to be addressed:
- How can security teams streamline the information gathering, merging and presenting process?
- How can CISOs make sure that the information presented will reassure rather than confuse or concern board members?
In this post, we’ll break these challenges down into a three-step action plan:
- Break down the information silos between tools
- Automate reporting processes
- Choose the right metrics
Break down the information silos between tools
Ultimately, what the board wants is clarity. Sadly, for many security teams, this can be hard to achieve.
The threat landscape is in perpetual flux, as are the tools and solutions available to security teams. To deal with increasing threats, security teams invest in more tools. But these tools don’t always work together.
Breaking down these information silos and achieving interoperability is a huge challenge. Especially since, according to our survey, 55% of respondents said that they were running over 50 different tools, many of which have their own reporting norms.
A single source of trusted data with complete visibility of all assets and controls is the crucial first step. This will give your team a true indication of the organisation’s risk posture and provide an up-to-date inventory for vulnerability scanning and other forms of threat detection.
Automate reporting processes
Reporting involves extracting, moving, cleaning, merging, formatting and finally presenting data in such a way that it can be understood. As mentioned above, for 70% of staff in our survey, each step is completed manually.
Once you have visibility of your organisation’s assets and controls, aggregated in one monitoring tool, automating reporting becomes much simpler. On top of this, the presentation of data and the metrics chosen can become more consistent, as teams no longer have to refer to many different tools’ reports in order to produce dashboards or reports. This also allows your team to focus on more valuable work and reduces the likelihood of human error in the reporting process.
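As an added illustration of the “single source of trusted data” and automated reporting steps above (this is example code written for this post, not a product’s code or the survey’s methodology), the script below merges asset records exported from three hypothetical tools (a CMDB, an EDR console and a vulnerability scanner) into one normalised inventory and derives a handful of board-level coverage metrics from it. The three exports and their field names are constructed sample data; real tools emit different shapes, so the per-tool normalisation is the part you would adapt.

```python
"""Merge asset exports from several security tools into one normalised
inventory and compute control-coverage metrics suitable for a dashboard.

Added example, not code from the original post or any vendor product.
All exports below are constructed sample data with made-up field names.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample exports. Note the deliberate inconsistencies a real
# merge has to survive: mixed case, trailing DNS suffixes, and one device
# (LAB-KIOSK) that only the EDR console knows about.
CMDB_EXPORT: List[dict] = [
    {"hostname": "web01.corp.example", "owner": "ecommerce", "critical": True},
    {"hostname": "db01.corp.example", "owner": "ecommerce", "critical": True},
    {"hostname": "hr-app.corp.example", "owner": "people", "critical": False},
    {"hostname": "build01.corp.example", "owner": "engineering", "critical": False},
]
EDR_EXPORT: List[dict] = [
    {"device": "WEB01", "agent_version": "7.2"},
    {"device": "DB01", "agent_version": "7.2"},
    {"device": "hr-app", "agent_version": "6.9"},
    {"device": "LAB-KIOSK", "agent_version": "7.2"},  # absent from the CMDB
]
VULN_SCAN_EXPORT: List[dict] = [
    {"target": "web01.corp.example", "open_critical": 0},
    {"target": "db01.corp.example", "open_critical": 2},
    {"target": "build01.corp.example", "open_critical": 1},
]


def normalise_host(name: str) -> str:
    """Canonical join key: lower-case short hostname with any DNS suffix removed."""
    return name.strip().lower().split(".")[0]


@dataclass
class Asset:
    key: str
    owner: str = "unknown"
    critical: bool = False
    in_cmdb: bool = False
    edr_agent: Optional[str] = None            # None = no agent reported
    open_critical_vulns: Optional[int] = None  # None = never scanned


def merge_inventory(cmdb: List[dict], edr: List[dict], scans: List[dict]) -> Dict[str, Asset]:
    """Fold every tool's view of a host into a single Asset record per host."""
    assets: Dict[str, Asset] = {}

    def record(key: str) -> Asset:
        return assets.setdefault(key, Asset(key=key))

    for row in cmdb:  # the CMDB is the authoritative source of ownership and criticality
        a = record(normalise_host(row["hostname"]))
        a.owner, a.critical, a.in_cmdb = row["owner"], row["critical"], True
    for row in edr:
        record(normalise_host(row["device"])).edr_agent = row["agent_version"]
    for row in scans:
        record(normalise_host(row["target"])).open_critical_vulns = row["open_critical"]
    return assets


def coverage_metrics(assets: Dict[str, Asset]) -> dict:
    """Derive the metrics a board deck would show from the merged inventory."""
    known = [a for a in assets.values() if a.in_cmdb]

    def pct(numerator: int, denominator: int) -> float:
        return round(100.0 * numerator / denominator, 1) if denominator else 0.0

    gaps_by_owner: Dict[str, int] = {}
    for a in known:
        if a.edr_agent is None:
            gaps_by_owner[a.owner] = gaps_by_owner.get(a.owner, 0) + 1

    return {
        "assets_in_cmdb": len(known),
        "edr_coverage_pct": pct(sum(a.edr_agent is not None for a in known), len(known)),
        "scan_coverage_pct": pct(sum(a.open_critical_vulns is not None for a in known), len(known)),
        "critical_assets_missing_edr": sorted(a.key for a in known if a.critical and a.edr_agent is None),
        "critical_assets_with_open_critical_vulns": sorted(
            a.key for a in known if a.critical and (a.open_critical_vulns or 0) > 0
        ),
        "edr_gaps_by_business_unit": gaps_by_owner,
        # Devices a control sees but the CMDB does not: the inventory itself is incomplete.
        "unmanaged_assets": sorted(a.key for a in assets.values() if not a.in_cmdb),
    }


if __name__ == "__main__":
    for name, value in coverage_metrics(merge_inventory(CMDB_EXPORT, EDR_EXPORT, VULN_SCAN_EXPORT)).items():
        print(f"{name}: {value}")
```

The join key is the normalised short hostname, which is the minimum needed to make these three constructed exports line up; in practice you would key on a stable identifier such as a hardware or agent ID where one is shared across tools. Because the same function produces every number, the metric definitions stay identical from one board meeting to the next, which is what makes month-on-month trends comparable.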
Choose the right metrics
It’s worth remembering that while board members are likely to be experts in their fields, they may know little about cybersecurity. They almost certainly won’t be familiar with the dense, technical language that cybersecurity professionals use.
The National Association of Corporate Directors published a useful set of recommendations for board directors on cybersecurity. Buying a copy may help you understand your audience’s priorities and level of technical understanding. Alternatively, you can also read this summary of the key points.
Beyond this, there are a few other things to bear in mind when choosing which metrics to report on:
- Cybersecurity affects the entire business, so the information chosen needs to align with the business strategy and be relevant to the enterprise as a whole, not just IT. Board members aren’t there to fixate on technical issues, they want information that can help them make decisions that will impact the organisation’s future.
- The board will be interested in the financials, not only the return on cybersecurity investments but also the cost of any cybersecurity incidents and forecasts for both over the next 12 months.
- They will want to understand the legal, financial and reputational risks, as well as operational risks – within large organisations these things may need to be broken out by business unit as well.
- Finally, a formalised and consistent reporting format or dashboard will help board members familiarise themselves with the metrics you’re reporting on. It will also help them track the development and performance of trends or metrics over time.
How Continuous Controls Monitoring (CCM) can break down information silos and streamline reporting processes
Forrester Consulting recently found that the number of security tools is creating additional risk for organisations and additional work for security teams. They found that Continuous Controls Monitoring was an effective way to establish a unified view of all assets and controls and automate manual processes.
Download the full report for more information and advice on how you can overcome the challenges covered in this post. And feel free to get in touch on Twitter or LinkedIn if you have questions about anything mentioned in this piece.