An update from our CEO, Jonathan Gill
As I reflect on the past year, I continue to be humbled by you, our remarkable customers, whose feedback, insights, and collaboration continue to help us grow and innovate rapidly. Our commitment to delivering a best-in-class controls oversight solution, combined with your diverse perspectives and hands-on engagement, has helped us move the needle on what is possible in Continuous Controls Monitoring in 2024.
The second half of this year has seen us zeroing in on delivering assurance and truth data across all levels of the enterprise, from operations to cross-functional business teams, to CISOs, and boards and regulators. Our customers working across this spectrum are unlocking insights with compound data sets and maximizing the value of their entire arsenal of cybersecurity tools.
Customers are telling us how the increased visibility of assets and controls is helping them make big problems smaller through data-driven insights and prioritization, helping their teams work more efficiently together, saving time, and reducing risk.
I’m delighted to share what happened across the landscape of customers, product innovations, company, and market highlights during this period.
At the bottom of this update, we ask for your consideration in adding some positive comments to Gartner Peer Insights. This helps elevate Panaseer’s market visibility and reinforces the value of your selection of Panaseer as a partner. If you’ve not already done so, please take a moment to leave a review on Gartner’s platform. We appreciate your support.
Themes from our customers
We are delighted when we see themes emerge from our customers showing the exact value Panaseer is designed to deliver.
Whilst we deliver a technology solution, one of the key benefits is the human collaboration and efficiency that gets the most from your team, as well as your tools.
One of our favorite trends of the year is the well-deserved promotions of two of our customer executives – congratulations again!
Below is a sampling of feedback and anecdotes customers have shared about their success.
Audit readiness
Manual tasks associated with audits can be incredibly time-consuming and stressful. Many of our customers are realizing positive audit outcomes and measurable time savings with Panaseer, from utilizing the platform to automate 80% of the internal audit work, to utilizing near real-time reporting to prove compliance posture.
Panaseer has been described as a game-changer so many times when linked to audit readiness, and we could not be more humbled by the assertion.
Whether it is around reducing audit fatigue, responding to audit findings in a single platform, offsetting the intrusiveness of the audit process, or just generally being a “game-changer for any compliance function,” many of you vocalized this sentiment throughout the year.
However, one of our proudest moments in audit readiness is as follows, with a customer sharing: "With Panaseer, our most audited Service team achieved their first ever IT audit in the business with a green audit result and zero audit findings. Moving to be 'audit-ready' rather than point-in-time assessments."
Regulatory response
We have seen a growing need among our customers to respond to the Bank of England Prudential Regulatory Authority (PRA) requests to demonstrate that their vulnerability program enables risk reduction and remediation across all appropriate assets. As one customer succinctly put it: “The only way I can answer the regulator's question is with Panaseer.”
We continue to address this need by demonstrating:
- How quickly new vulnerability detections are being remediated.
- How tech debt is being addressed.
- How you know that all assets that should be in scope are covered by your vulnerability scanners.
Panaseer provides analysis to support this response by correlating fixed vulnerability detections with open detections (analysis which is due to be added as out-of-the-box analysis in future product releases). Stay tuned for more improvements in this area.
CAB conversations
This year we held two customer advisory board meetings – one in New York and one in London. Thanks to all who participated in these sessions. They were incredibly informative and valuable, and insights gained during those sessions have led to many ongoing initiatives.
Major themes that came out of those customer conversations are as follows:
- Panaseer is the single source of truth for continuous, objective, and quantifiable control data.
- Some customers provided access to CCM metrics reporting for non-CISO oversight functions (often called 2nd line) and internal audit (often called 3rd line). All agreed that it helps to be audit-ready and demonstrate control assurance.
- CCM helps to support evolving regulatory, standards, and framework environments (especially in financial services) and the increasing demand for continuous governance in your cybersecurity controls monitoring.
- Rather than a ‘big bang’ approach, CCM can be leveraged to "nudge" improvements in effectiveness & efficiency, particularly when collaborating with 1st line teams.
Product updates
Cybersecurity controls scorecard
Now on our ninth iteration in seven months, the Cybersecurity Controls Scorecard continues to incorporate rapid updates and improvements based on your feedback.
In the second half of this year, we released a substantial update to Scorecards called “Top Analysis”. This capability highlights areas requiring attention in the enterprise cyber posture with new insights (e.g. metrics close to failing/passing, metrics with the largest gains/losses).

Additional incremental releases were also deployed to facilitate enhanced navigation and usability. Further enhancements will be added early next year, with weighting of score calculations planned for January, and support for multiple Scorecards planned for February.

Do you have suggestions for additional improvement or other feedback? Please contact your Customer Success Manager.
Compound risk metrics
We believe this will be one of our most compelling product updates so far. The compound risk metrics capability can highlight multiple, toxic combinations of control failures commonly associated with high-risk attack scenarios.
These are traditionally challenging to detect, especially when those failures cross the boundaries between asset types and relationships, making the toxic combinations invisible to traditional cyber tooling. For example, it is now possible to report on devices that are missing EDR protection, have critical vulnerabilities, and are owned by a person who has failed phishing tests.

Compound risk reporting is especially relevant for aligning threat-driven risk profiles with crown-jewel assets, in order to mitigate Advanced Persistent Threats (APTs) exploiting toxic combinations of control failures.
As teams cannot keep up with the number of vulnerabilities and see other controls drift from their intended state, compound risk will further help ‘make big problems smaller’ by helping with data-driven prioritization across multiple inventories and control domains.
We are already starting to see value for our customers in this area. Below are a few examples:
- Reporting on servers not hosting applications: identifying servers that are no longer required/Shadow IT to reduce attack surface area.
- Devices hosting critical business applications that are missing key controls (e.g. vulnerability scanner, EDR agents, patch tool).
- Identifying vulnerabilities that need to be prioritized as part of an ‘emergency patching cycle’, such as devices with critical vulns that do not have mitigating controls (e.g. Cisco Secure Endpoint).
Additional iterative improvements
Self-service data ingest
With self-service data ingest, we are taking our first steps on the journey to self-service connector management and data ingest.
Secure data collector
A new, secure option for retrieving data on-premise.
Data-level access restriction
Policy-based controls over access at the data level provide more control over distributing dashboards and metrics across the enterprise.
NIST CSF 2.0 support
We recently completed an update to support the most recent major revision of NIST CSF 2.0 as it continues to be one of the most important frameworks for our customers.
Company and market updates
Company update
As we close our tenth year, I would like to thank all our customers, both early adopters and new, for your partnership and trust. We have made great progress throughout this period, and yet, in some ways, it feels as though we are just getting started.
With the overwhelmingly positive response to the Cybersecurity Controls Scorecard, the release of our tenth cyber controls domain (infrastructure configuration), our plans for additional domains and frameworks on the horizon, and the rapidity with which we continue to innovate and expand, the best is yet to come.
I am pleased to welcome two new faces to our leadership team:
Oli Newbury has joined as our Board CISO. As the former Global CISO of Barclays, Oli brings a pragmatic “voice of customer” and security-forward perspective to our board, helping to inform our direction with a very recent view from the inside.
Lisa Parcella has joined as our VP of Marketing having worked in marketing leadership for over 15 years and in cybersecurity for 12 years. Lisa is eager to dive into the work of telling the Panaseer story boldly, capitalizing on all the amazing achievements of this past year, and creating a scalable flywheel to serve our entire customer lifecycle - both attracting new customers and continuing to delight and celebrate all our existing ones. You can see some recent work around our updated messaging, branding, and storytelling on our website and in this Scorecard series on YouTube.
In addition to bolstering our marketing efforts, we have also kicked off a partner program focused on aligning with cybersecurity advisory firms on joint activities. For customers considering large transformation initiatives, please contact us to align with recommended partners. We have also begun working with MSPs on joint offers for those who wish to outsource the management of Panaseer.
Market
We work with a global set of customers across multiple industries, yet there are many common themes that persist regardless of industry or country. Increased scrutiny and pressure continue to plague our CISOs both internally and externally, adding to their already complex day-to-day. Yet, cybersecurity in many boardrooms falls short of being considered a strategic leadership issue. Increasingly, cyber resilience is a strategic leadership objective that organizations must embrace. We want to help.
Increased liability for CISOs
As the United States Securities and Exchange Commission (SEC) continues to increase legal liability on CISOs, many are re-examining how they collect, trust, and report on data to stay out of the legal spotlight. In Panaseer’s own Security Leaders Peer Report (SLPR), we surveyed over 400 security leaders across various industries and found:
- 15% have considered leaving the industry.
- 41% are feeling more anxious about their decision-making.
- 28% feel that personal liability for breaches is unfair.
- 23% expressed anger at the situation.
You can read more in our coverage from Infosecurity Magazine, but we are seeing this trend play out in real-time. New customers are engaging Panaseer as a trusted third-party alternative to a DIY solution to help them achieve data transparency they can trust, automated data handoffs that take the human error out of data sharing and interpretation, and direct line-of-sight through their data lineage processes.
By working together, we protect the CISO from such personal liability and offer a solution that allows them to execute their role with confidence and peace of mind.
After all, it’s ‘business risk’ and not ‘CISO risk’ and we help CISOs hold business leaders accountable for their business risk decisions.
Navigating the challenges of an expanded risk landscape
An additional vector of concern for the CISO is an expanded risk landscape. As I discussed in a recent article on Forbes, the CISOs I meet are translators and arbiters of risk and are being elevated to a strategically critical role in the business, so must be able to trust the data to make the most informed decisions for the enterprise. However, the CISO is beset with a trilemma – business, technology, and human challenges.
For Panaseer, a solution to overcoming these three concerns is the sole source of truth through which the business can build an accurate risk position. The entire technology landscape can be identified, presented, and understood, and individual stakeholders at the control level can work together and upstream to remain accountable for necessary changes. A golden source of information enables a win-win approach, where everybody in the business has the information and understanding needed to drive the organization forward, with complete trust in their colleagues and their overall risk posture.
The need for cyber resilience
I was fortunate enough recently to work with members of the World Economic Forum, the University of Oxford, and some of the industry’s brightest security leaders on a whitepaper around the strategic need for cyber resilience. While I will not recreate the research here, I did want to highlight a few key takeaways:
- Cyber resilience must be elevated as a key strategic initiative at the leadership level to protect the core of the business and ensure long-term viability and growth – the technology and threat landscape continues to expand, and we cannot expect to protect everything but MUST protect what is most critical to business continuity.
- Cyber resilience is not just a nice-to-have. As cited by the whitepaper, “by some estimates, more resilient companies generate shareholder returns that are around 50% higher than those of their less resilient peers” indicating the fiscal health of a business is directly tied to its cyber resilience.
- Cyber resilience is a strategic initiative aimed at elevating the role of cybersecurity to as strategic a pillar as finance or legal and requires commitment from the top to shift the entire posture of an organization to adopt rigor around cybersecurity at all levels.
In closing
To all our customers, seasoned and new, I thank you for another fantastic year together. Our collective work is a shining example of the resilience of cybersecurity professionals in the face of ever-growing complexity. The challenges will continue to mount and change, but together we will innovate, anticipate, and persevere. I am excited for the year ahead. Thank you for being on this journey with us.
Jonathan Gill, CEO