Visibility into an organization's Security Operations has never been more important. Historically this has involved the basic reporting of cybersecurity metrics (ideally some form of Key Performance Indicators, or "KPI") to upper management using data-dense dashboards; e.g., vulnerabilities and patch compliance, incidents and closure rates, time-to-detect, time-to-respond, time-to-remediate, etc. For new Security Operations teams, this is often little more than a summary of the tactical-level reports and visualizations that Tier 1 and Tier 2 Analysts use in the Detection process. However, feedback from C-suites and boards repeatedly suggests that this is increasingly insufficient.
This quote from a TechTarget article by Andrew Briney captures the challenge well: “The good news is that security has plenty of information: reams of firewall logs, IDS events and policy exceptions. The bad news is that none of it is organized or presented in a way that lends itself to business intelligence.”
In recent years, there has also been an emerging trend toward reporting cyber Threat information to senior leadership. While useful in justifying investments in cybersecurity capabilities, such Threat pictures do not address what should be senior leaders’ primary concern – actual Risk to the business. Even combining the potential Threats with your current system/network Vulnerabilities is, at best, incomplete.
C-suites, boards, and other business leaders will benefit most from Key Risk Indicators (KRI).
Comprehension of Risk requires a real-time, dynamic understanding of the Consequences to the organization, not simply the Threats and Vulnerabilities inherent in one’s dependencies on cyberspace. Effective enterprise-level reporting capabilities for Security Operations will address this full range of demands for visibility.
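The difference between the tactical KPIs listed at the top of this post and a consequence-aware KRI is easiest to see on data. The following is an added illustration, not code from the original post: it computes the KPIs (counts, closure rate, mean time-to-detect/respond/remediate) from a handful of incident records, then rolls the same records up into a KRI that weights each incident by the business impact of the affected asset and by how long the business stayed exposed. The incident records, asset names, impact tiers and the weighting formula are all constructed assumptions for the example.

```python
"""Added illustration (not from the original post): turning incident records into the
tactical KPIs the post lists, then into a consequence-weighted Key Risk Indicator.
All incident data, asset names and impact tiers below are constructed sample values."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    id: str
    asset: str                      # business system affected
    occurred: datetime              # first attacker activity (from forensics)
    detected: datetime
    responded: datetime
    remediated: Optional[datetime]  # None while the incident is still open


# Constructed: business impact tier per asset (the Consequence dimension, 1 = low, 5 = critical)
ASSET_IMPACT = {"payroll-db": 5, "marketing-web": 1, "erp": 4}

T0 = datetime(2024, 3, 1, 8, 0)
H = timedelta(hours=1)
INCIDENTS = [  # constructed sample records
    Incident("INC-1", "marketing-web", T0, T0 + 1 * H, T0 + 2 * H, T0 + 6 * H),
    Incident("INC-2", "payroll-db", T0, T0 + 30 * H, T0 + 31 * H, None),
    Incident("INC-3", "erp", T0 + 24 * H, T0 + 28 * H, T0 + 29 * H, T0 + 48 * H),
]
NOW = T0 + 72 * H  # reporting time for the dashboard


def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def kpis(incidents: list) -> dict:
    """Tactical KPIs: incident count, closure rate, mean time-to-detect,
    time-to-respond and time-to-remediate (hours). Every incident weighs the same."""
    closed = [i for i in incidents if i.remediated is not None]
    return {
        "incidents": len(incidents),
        "closure_rate": len(closed) / len(incidents),
        "mttd_h": mean(hours(i.occurred, i.detected) for i in incidents),
        "mtt_respond_h": mean(hours(i.detected, i.responded) for i in incidents),
        "mtt_remediate_h": mean(hours(i.detected, i.remediated) for i in closed),
    }


def kri(incidents: list, impact: dict, now: datetime) -> dict:
    """Consequence-weighted exposure (constructed formula): each incident contributes its
    asset's impact tier multiplied by the hours the business was exposed (from first
    activity until remediation, or until `now` if still open). Unlike the KPIs, a single
    open incident on a critical system dominates the figure."""
    by_asset: dict = {}
    for i in incidents:
        exposed_h = hours(i.occurred, i.remediated or now)
        by_asset[i.asset] = by_asset.get(i.asset, 0.0) + impact[i.asset] * exposed_h
    total = sum(by_asset.values())
    top = max(by_asset, key=by_asset.get)
    return {"total": total, "by_asset": by_asset, "top_asset": top,
            "top_share": by_asset[top] / total}


if __name__ == "__main__":
    print("KPIs:", kpis(INCIDENTS))
    print("KRI:", kri(INCIDENTS, ASSET_IMPACT, NOW))
```

On this sample the KPI view reports three incidents, a two-thirds closure rate and a mean time-to-detect of roughly 11.7 hours, which reads as an ordinary week. The KRI view shows that the one still-open incident on the payroll database accounts for almost 80% of the organization's exposure, which is the fact an executive actually needs in order to act.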
Of course, ever-increasing demands for Accountability are pressuring organizations to demonstrate adherence to SLAs for their constituents, to track and report Compliance with specific policies and regulations by their industries and regional governments, and to generally demonstrate appropriate levels of “due diligence” and “due care” in their IT Governance commensurate with their responsibility to protect information. Historically, this capability has been broadly referred to as Governance, Risk, and Compliance (GRC). GRC is a mature market, with a range of very mature solutions available. But most do not incorporate comprehensive, real-time cyber risk intelligence into their enterprise dashboards.
This leaves most organizations opting to develop their own (Cyber Risk) Enterprise Reporting capability using either open source or commercial Business Intelligence (BI) offerings. Not a bad choice, but it does demand a commitment of resources to both establish and maintain it.
What's most important is to keep the objective in mind. We are trying to bring meaningful, actionable context to executive decision makers to support their roles as stewards of the company's critical information. Context is Everything.