New feature: Controls Compliance Center
Let’s talk about one of our new platform features: the Controls Compliance Center. While it’s currently in closed beta, we’re really excited about it, so we wanted to give a taster.
The Controls Compliance Center gives users a summarized view of control coverage across their organization. It shows the effectiveness of security controls in the context of applications, people, and devices. This helps organizations prioritize which security problems to fix first and identify who is accountable for fixing them.
What do we mean by “controls compliance”? Within the Panaseer platform, controls are checked against thresholds. Controls compliance is essentially asking whether a control is within the expected threshold. The Controls Compliance Center is the place to go see if your controls are working as you would expect, “complying” with your thresholds, or if they have failed.
Why did we build the Controls Compliance Center?
There are a number of challenges our customers are facing that we wanted to help with.
Many dashboards are too complex for a non-technical audience. One of the key functions of the CISO, and the security function in general, is to explain the state of the organization’s cybersecurity to the wider business. This can be difficult because the wider business doesn’t know that much about cybersecurity beyond phishing, passwords, and authentication. The CISO has to explain the reality of the situation, and the board has to be educated so they can understand it. That often means you need to create a simplified picture of your cybersecurity program and how effective it is.
Unfortunately, it’s difficult to get a straightforward and digestible overview of how your cybersecurity controls are performing, whether that’s for sharing with the wider business or for your team’s internal use. Ideally, the wider business gets a high-level view, while the internal security team can get into the details for operational purposes: real data insight that is genuinely actionable.
It is a huge undertaking to bring together information from all your security, business, and IT tools into one place, then sort through that data, make sense of it, and present it in a compelling way.
Once you have the information that shows you the effectiveness of security controls across the business, what do you do with it? You want to use it to figure out what to fix, and crucially, who is responsible for fixing it. Unfortunately, it’s also notoriously difficult to identify relevant owners and hold them accountable for remediation.
What does the Controls Compliance Center do?
The Panaseer platform uses a data science technique called entity resolution to combine data from across your security, IT, and business tools, providing validated enterprise-wide data truth. The Controls Compliance Center presents data on control compliance and control failures in a digestible format. It can be presented to both non-technical stakeholders, such as the board or business application leaders, and technical security team members, such as analysts, thanks to the ability to drill down into the underlying data. It provides a map of your security controls across your business, which helps drive prioritized remediation and accountability.
The Red Amber Green (RAG) scorecard system provides at-a-glance indicators for the organization’s control compliance. The thresholds can be configured to your organizational needs, but the example uses these:
RED | High risk – Assets with over 50% control failures
AMBER | Mid risk – Assets with between 30% and 50% control failures
GREEN | Low risk – Assets with less than 30% control failures
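To make the scorecard logic concrete, here is an added example (not Panaseer’s code) that classifies assets into RED/AMBER/GREEN from per-control pass/fail results using the thresholds above, then rolls the result up by owner and business unit and counts which controls fail most often. The asset records, control names, owners and business units are constructed for the example; one deliberate edge case is that exactly 50% and exactly 30% both land in AMBER, since RED is defined as “over 50%” and GREEN as “less than 30%”.

```python
"""Added example (not Panaseer code): RAG scorecard over per-asset control results.

Thresholds follow the blog's example: RED over 50% failures, AMBER 30%-50%,
GREEN under 30%. Sample assets, owners and business units are constructed.
"""
from collections import Counter

RED_ABOVE = 0.50   # strictly greater than this is RED
AMBER_FROM = 0.30  # this or higher (up to and including 50%) is AMBER

# Constructed sample data: each asset carries a list of (control, passed) results.
ASSETS = [
    {"asset": "lap-001", "owner": "alice", "business_unit": "Finance",
     "controls": [("edr_installed", True), ("disk_encrypted", True),
                  ("patched_30d", False), ("vuln_scan_7d", True)]},      # 1/4 failed
    {"asset": "srv-db-01", "owner": "bob", "business_unit": "Finance",
     "controls": [("edr_installed", False), ("disk_encrypted", False),
                  ("patched_30d", False), ("vuln_scan_7d", True)]},      # 3/4 failed
    {"asset": "lap-002", "owner": "alice", "business_unit": "Sales",
     "controls": [("edr_installed", True), ("disk_encrypted", False),
                  ("patched_30d", True), ("vuln_scan_7d", True),
                  ("mfa_enrolled", True)]},                             # 1/5 failed
    {"asset": "srv-web-03", "owner": "carol", "business_unit": "Sales",
     "controls": [("edr_installed", True), ("disk_encrypted", False),
                  ("patched_30d", False), ("vuln_scan_7d", True)]},      # 2/4 failed
    {"asset": "iot-cam-07", "owner": "carol", "business_unit": "Sales",
     "controls": []},                                                   # no coverage data
]


def failure_rate(results):
    """Fraction of control checks that failed for one asset, or None if the
    asset has no results at all (no coverage is not the same as passing)."""
    if not results:
        return None
    failed = sum(1 for _, passed in results if not passed)
    return failed / len(results)


def rag(rate):
    """Map a failure rate to a RAG status using the blog's example thresholds."""
    if rate is None:
        return "UNKNOWN"
    if rate > RED_ABOVE:
        return "RED"
    if rate >= AMBER_FROM:
        return "AMBER"
    return "GREEN"


def scorecard(assets):
    """Per-asset failure rate and RAG status, keyed by asset name."""
    card = {}
    for a in assets:
        rate = failure_rate(a["controls"])
        card[a["asset"]] = {"rate": rate, "rag": rag(rate)}
    return card


def rollup(assets, key):
    """Count RAG statuses per value of `key` (e.g. 'owner' or 'business_unit'),
    which is what the People and Applications views summarize."""
    counts = {}
    for a in assets:
        status = rag(failure_rate(a["controls"]))
        counts.setdefault(a[key], Counter())[status] += 1
    return counts


def failing_controls(assets):
    """How many assets fail each control: the 'which control needs remediating'
    axis of the device matrix."""
    failed = Counter()
    for a in assets:
        for control, passed in a["controls"]:
            if not passed:
                failed[control] += 1
    return failed


def worst_first(assets):
    """Asset names ordered by failure rate, highest first; assets with no
    coverage data are left out because they cannot be ranked."""
    rated = [(a["asset"], failure_rate(a["controls"])) for a in assets]
    rated = [(name, r) for name, r in rated if r is not None]
    return [name for name, _ in sorted(rated, key=lambda x: x[1], reverse=True)]


if __name__ == "__main__":
    for name, row in scorecard(ASSETS).items():
        print(f"{name:12} {row['rag']:8} {row['rate']}")
    print("by business unit:", rollup(ASSETS, "business_unit"))
    print("by owner:", rollup(ASSETS, "owner"))
    print("failing controls:", failing_controls(ASSETS).most_common())
    print("fix first:", worst_first(ASSETS))
```

The UNKNOWN status is the part worth keeping in a real implementation: an asset with no control results should surface as a coverage gap rather than silently counting as GREEN.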
The Controls Compliance Center (CCC) provides three views: applications, people, and devices.
Applications
This tab gives a summary of apps and their controls status, with a RAG indicator highlighting the most risky. The table below lists all the applications, which can be sorted in a few different ways. You can drill down into each application to explore greater detail about the control failures relating to it. From there you can take action to fix those control failures and thereby reduce the risk to those applications. It can be valuable for multiple stakeholders; an application owner can quickly understand what’s going on in relation to the app they own and a senior leader can see which app needs more focus.
People
The RAG indicator across the top highlights which people own devices that have the highest control failure rate. This can be switched from “owned devices” to “assignee of”, meaning the list shows people who are assigned to the device, or “managed devices”, meaning the list shows people who manage the device. This view can help you to drive accountable ownership. You can easily see who is responsible or accountable for fixing the control failures. As above, this can be valuable for multiple stakeholders; a single person can quickly see an overview of their device control failures, and a leader can see which people need help to bring security up to par.
Devices
The device view matrix is the main “map” of controls compliance. It helps users identify which controls need remediating in different areas of the business, helping them prioritize more effectively. You can analyze by business unit, device type, or region, which can also help to focus remediation. This is where the insight really shines through. Simply investigate anything in red, and easily create a remediation objective to fix it.
The final word
Panaseer’s Controls Compliance Center aims to provide an at-a-glance view of security controls across your organization. It can help you answer key questions about fixing gaps in your security controls. Are controls working as expected? Which business units need attention? Which applications/people/devices are responsible for the most control failures? What should I fix first? Who is accountable for remediation?
Answering these questions, and others like them, will help you take the next best actions to improve your organization’s cybersecurity.