“It just seems so useless to have to work so hard and nothin’ ever really seems to come from it.” Tom Petty
Earlier this year the Financial Conduct Authority reported that the number of cyber attacks against financial services companies had risen by more than 80% in the last year. So, why are attacks up when most of the financial sector has been working hard and spending lots of money on cyber security? Yes, the threats are greater, and our environments are more complex. But maybe we’ve been spending the money on the wrong things. Surprisingly, maybe the best place to start is with the basics.
Financial services organisations still find it difficult to demonstrate strong control over their enterprise cyber hygiene and thus effectively remediating cyber security risks. This is because the bigger the company, the more challenging it is to maintain these ‘basics’, such as identifying their IT assets, updating software, patching it, operating standard controls and educating the users. However, given that addressing this issue of enterprise cyber hygiene could stop the majority of all threats, it needs to continue to be a key focus for financial services security teams around the globe.
Back to the basics
Why is it that industry has been trying to solve the basics of security for literally decades? They are still dealing with too much access, code vulnerabilities, system patching, etc. And it’s not like they haven’t been trying. In fact many of them have been trying so hard, to no avail. It’s so easy today to get caught up in the latest threat, the latest article the Board flags and play the whack-a-mole game in security. Not only is this inefficient, but it takes their eyes off the real problem – enterprise cyber hygiene.
Additionally, they seem to have more and more people wanting to challenge, audit, or review their cyber security posture, especially those in the financial sector. Does having audit, regulators, 2nd line of defense, vendors and partners constantly testing their security interfere with normal operations?
Every day there are new and advanced security tools hitting the market, which are designed to help solve the problem; but then why are the numbers of breaches continuing to rise? No one can give up and say it’s just a battle that cannot be won. Yes, it’s natural to be attracted to new shinny balls…the super technical security risks. And yes, these risks are real, but does focusing on them really provide the best ROI for security? Ultimately most problems are arising from bad actors taking advantage of very basic flaws in the security ecosystem.
This article will focus on how those who work in financial services security teams can approach solving the basics of security. Let’s start with a question – how much time do you and your team spend gathering data to make decisions, reporting to superiors and the board, and figuring out where a project is terms of risk reduction? Without doubt, most will spend an inordinate amount of time manually gathering data that commonly has errors.
Everyone seems to have more than enough tools to identify security risks, in fact, probably too many. What you’ll likely not have is:
- Processes to bring all security risk information together and the ability to enrich the data so you know who owns it and which risk is most important to resolve,
- Trust in the completeness and accuracy of the data from both your perspective and your peers in IT and the business,
- Automated processes to let you do this over and over again so you always know where you stand
The right data at the right time
When I worked as a CISO I found that we had no shortage of security information coming from the plethora of security and network tools in place. But what I needed was the right information to make security risk decisions on a timely basis. To accomplish this, I needed to join all the data from all the disparate security and other tools into one place and into one framework to enable me to understand the company risk posture and make the appropriate decisions on what to fix and what not to fix.
In order to make the best decisions on remediation and to actually affect the changes needed to improve a company’s risk posture, you need too:
- Enrich your data with information about ownership, geography, business unit, management hierarchy, business criticality, etc.
- Facilitate exploring and investigating anomalies from multiple perspectives
- Unify/normalise the data so that there is a consistent definition of each device, risk, entity
Trust the data
Before beginning conversations with anyone (within security or elsewhere in the company) about security remediation, the discussion always seems to start with the quality of the data. This is especially true in the security realm, where it’s much easier to talk about how the data is wrong than how to solve the security problem.
>See also: Cyber security is a ‘people problem’
Most security teams have presented data to the Board of Directors, only to find out later that data was missing a key part of the company or otherwise not accurate. It’s tough to regain that trust at that level once lost. Also, many of those who perform the actual remediation of security risks (e.g., IT and Application Development teams) tend to only focus on the quality of the data until the security teams can prove their data is accurate and relevant. So it’s critical to build controls into the gathering, consolidation, enrichment and presentation of security-related data. You must have accurate and timely data to be relevant to the business and leadership.
Need for automation
And while last, this may be the most important factor to addressing the issue of enterprise cyber hygiene. Trying to do this manually (especially every month or more frequently) is too expensive, too inaccurate and prone to errors, and from what I experienced, too slow to be relevant. Security teams have neither the funding nor the staffing to keep trying to do this manually.
Why is it that industry has developed endless tools to identify all the problems in security, but so little to manage the rest of the processes? Where is the automation to help security teams identify the security efforts that provide the greatest ROI? Where is the automation to help them have complete and accurate data at their fingertips all the time? And where is the automation that allows them to measure their progress continuously? Point solution after point solution may reduce risks, but they will not reduce the overall company security risk posture. Automation is required to solve these basics of security.
Being one of the more regulated industries we deal with, the financial sector also seems to carry the highest burden of expectation. Having the right information, in the right format at the right time, aligned to a security framework, will go a long way towards demonstrated sufficient controls over the security landscape. It’s time that the basics became the new shiny sexy initiative – with refined and strategic enterprise cyber hygiene; you really can improve your cyber risk posture, and sustain those results.
Sourced by Jim Doggett, US SVP and CISO, Panaseer