Friday, March 29, 2024 | Ramadan 18, 1445 H

Cybersecurity questions every CISO should be ready to answer


Point of View

Kevin Flynn


IT infrastructure often grows up with a company. New tools, applications, systems, and user profiles are bolted onto the greater whole as the need for them emerges, usually without being given much strategic consideration. Organisational silos spring up around these additions as teams discover that each new tool requires new skills to deploy and maintain. Before long, the entire operation can resemble a ramshackle old house onto which each generation of homeowner has attached a new room.


Threats lurk in the dark corners. Unforeseen vulnerabilities, aging tech, distributed data centres, network sprawl, greedy insiders, and gullible users thrive. With the components of enterprise IT infrastructure scattered and compartmentalized, it’s difficult for any one person or team to achieve holistic visibility into the entire network.


Lack of visibility makes it difficult to find these siloed threat vectors, and even tougher to address them once they are found. That’s because, in most cases, the tools and tactics available are designed to tackle only specific, unintegrated areas of concern. We often see security tools being deployed scattershot throughout the organisation. We see teams in operations, application security, DevOps, network security, machine learning, high-performance computing, the Security Operations Centre (SOC), and audit and compliance all pursuing and deploying their own discrete tools. And there is no shortage of security tools.


While these issues are nothing new, addressing them has never been more urgent as the attack surface continues to expand. In our work with IT and cybersecurity professionals, we often hear about the challenges of protecting all the isolated apps — and the distributed computing and storage platforms — in use throughout the enterprise. Operational technology (OT) and Internet of Things (IoT) devices introduce their own sets of problems, since these Internet-connected solutions are often deployed outside the auspices of the IT organisation.


In most cases, organisations end up integrating apps through APIs and putting a multitude of clouds under a single management platform purview in order to manage the lot of them at once. But even this approach is only a stopgap. It’s no substitute for a holistic cybersecurity strategy which emphasises visibility across the network and applies granular insights about the threats that may be lurking among them, so organisations can effectively prioritise responses. We call this approach Cyber Exposure.


Cyber Exposure is an emerging discipline for managing and measuring cybersecurity risk in the digital era. Cyber Exposure transforms security from static and siloed visibility to dynamic and holistic visibility across the modern attack surface. It’s the foundation upon which to build a cybersecurity strategy that accommodates the entirety of the modern attack surface.


Building a holistic cybersecurity strategy using the discipline of Cyber Exposure enables you to answer each of these four questions about your organisation at any point in time:


How secure — and exposed — are we?


Answering this question requires visibility into all aspects of the organisation’s attack surface — including cloud resources, containers, industrial control systems, and mobile devices, which may or may not be on the radar of IT. It involves taking inventory of where specific threats to your company exist. For example, if your organisation is particularly diligent about deploying patches, then the latest Windows vulnerability may not be as big a concern as it would be for an enterprise that hasn’t patched its systems in seven years. By coming to terms with where your exposures are — or where they are likely to be — you reveal the larger picture of what’s at risk.


What should we prioritise?


The answer to this question should be based on a combination of threat intelligence, to understand the exploitability of the issue, and asset criticality, to understand the business context of the asset. Effective prioritisation of vulnerabilities needs to take in the business context in order to optimise your efforts, resources, and budget.


It enables you to zero in on protecting the vulnerable areas likely to cost your organisation the most in terms of labour, penalties, time, recovery, and reputation. It also helps reduce alert fatigue, as you can then prioritise how your team responds to vulnerabilities based on how critical the affected assets are to your business and the likelihood a given vulnerability will be exploited.
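As an added illustration, not part of the column, the following Python model combines the two inputs the author names, exploitability from threat intelligence and asset criticality from business context, into a single ranking. The findings, the exploitability weight (1.0 when exploitation is observed, 0.3 otherwise) and the triage threshold are constructed assumptions for the example, not a published scoring scheme.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    vuln_id: str            # constructed placeholder identifier, not a real CVE
    cvss: float             # base severity on the 0-10 scale
    known_exploited: bool   # threat intelligence: exploitation seen in the wild
    asset_criticality: int  # business context: 1 (lab box) .. 5 (crown jewel)

def priority_score(f: Finding) -> float:
    """Score 0-100: severity x exploitability x business criticality.

    A high-severity flaw on a low-value asset with no known exploit is
    deliberately outscored by a medium flaw that is actively exploited
    on a critical asset; that is the point of adding business context.
    """
    severity = f.cvss / 10.0
    exploitability = 1.0 if f.known_exploited else 0.3  # assumed weights
    criticality = f.asset_criticality / 5.0
    return round(100 * severity * exploitability * criticality, 1)

def prioritise(findings: list[Finding]) -> list[Finding]:
    """Highest priority first."""
    return sorted(findings, key=priority_score, reverse=True)

def triage(findings: list[Finding], threshold: float = 30.0):
    """Split the ranked list into an act-now queue and a backlog.

    Only the act-now queue pages the on-call team, which is how the
    score reduces alert fatigue rather than just re-ordering alerts.
    """
    ranked = prioritise(findings)
    act_now = [f for f in ranked if priority_score(f) >= threshold]
    backlog = [f for f in ranked if priority_score(f) < threshold]
    return act_now, backlog

# Constructed sample findings for the example.
SAMPLE = [
    Finding("test-lab-vm",      "VULN-0001", 9.8, False, 1),
    Finding("payment-gateway",  "VULN-0002", 6.5, True,  5),
    Finding("hr-portal",        "VULN-0003", 9.0, True,  3),
    Finding("payment-gateway",  "VULN-0004", 7.5, False, 5),
]

if __name__ == "__main__":
    act_now, backlog = triage(SAMPLE)
    for f in act_now:
        print(f"ACT NOW  {priority_score(f):5.1f}  {f.asset}  {f.vuln_id}")
    for f in backlog:
        print(f"backlog  {priority_score(f):5.1f}  {f.asset}  {f.vuln_id}")
```

Run as a script it prints the ranked queue; the critical-severity finding on the lab machine lands at the bottom of the backlog while the medium-severity, actively exploited flaw on the payment gateway tops the act-now list.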


How are we reducing exposure over time?


Your ability to answer this question is a measure of your progress. You’ll need to identify the metrics and KPIs against which you’ll measure your efforts. Such metrics should be viewable by business unit, geography and asset type. The goal is to understand how your exposure profile is changing month to month, quarter to quarter, and year to year, so you can help your business-side colleagues and the C-suite understand whether the company’s investments in cybersecurity are paying off.


How do we compare to our peers?


Answering this question forces you out of your company’s internal bubble to help you understand how your cybersecurity practices stack up against those of others in your field, as well as those in other industries. How your organisation ranks against industry peers, and against best-in-class security, is an important dialogue for every Board of Directors to have in order to drive a more strategic discussion and help ensure the board is upholding its fiduciary responsibility to provide proper risk oversight for the company. Cyber risk is no different from other business risks and should be managed and measured the same way.


Your ability to accurately answer these four questions is vital to understanding the total risk exposure and the effectiveness of your cybersecurity measures. But if you’re dealing with a heavily compartmentalized IT infrastructure, it may seem daunting to know where to even start moving toward a more holistic strategy. (Kevin Flynn - Senior Manager, Product Marketing, Tenable)

