
Op-Ed: The path to cyber operationalisation and consolidation

The cyber security market is rife with solutions looking to solve cyber security challenges.

David Hollingworth
Wed, 25 Oct 2023

But simply throwing cash around ultimately won’t make a difference in security standing. Solutions must be properly implemented to truly help solve the problem.

Operationalising cyber security means implementing best practices and applying the same rigour to security as you would for any other element of the business.

Link cyber security to corporate strategy with clear outcomes


Often, cyber security programs focus too much on responding to the latest threats and market trends, and investment can be fragmented with no target in mind. Rather, there must be a solid understanding of what you’re trying to protect with each security element budgeted for, and why. The first step toward operationalising cyber security is to think of it just like any other business investment, linking it to the broader corporate strategy and having clear metrics for success and measuring performance.

While it’s impossible to predict the future, common hallmarks of an attack begin to emerge based on what type of business you are, including your size and the industry you operate in. Identify what business functions would be most impacted by a breach and the effect such an incident may have on business operations. From here, you can begin to work backward and construct a security strategy geared around mitigating high-priority risks. Furthermore, tying your program to business outcomes helps bring your internal stakeholders along the journey, building a cyber culture everyone buys into.

Nurture a security-conscious culture

Culture is often at the top of most lists for improving security posture, but even if you have all the right tools, you can still come unstuck when people get involved. However, your processes are the critical enablers of operationalising security and robust, tracked accountabilities are the means to make tangible improvements. One way to think about cultural improvements is by measuring the maturity of teams and personas within your organisation. For example, you can be more mature in the application of cyber risk in one area than in another. Or perhaps you have established successful automation but lack accountability.

A useful approach here is to establish the various personas with a stake in security and create a cultural scorecard for each. Important stakeholders such as the executive leadership should have a higher maturity level, while it’s not as important for the more general workforce. If it’s apparent that a department is below the level of maturity and accountability needed, implementing measures such as training can bring forth improvement.

Measure performance

Many organisations continue to pump money into new technology solutions without a clear idea of whether their security posture has improved. Indeed, most lack the means to gauge whether their investments are showing any returns at all. Measurement is a vital part of operationalising security, and the metrics to achieve this need to be focused on reducing risk. Security-related key performance indicators (KPIs) should be firmly tied to business impact in a way that non-technical leadership and stakeholders can relate to.

Measuring the ability to identify, protect, detect, respond, and recover from cyber security risks and threats enables a robust operating model. Consider analysing the following areas: phishing rate, the number of security breaches, mean time to detect, patching cadence, and mean time to resolve.

Integrate and automate

There’s too much noise out in the open to deal with everything manually in a fully operationalised security strategy. Consider implementing automation in vulnerability management processes internally and externally to the business. Additionally, detect intrusion attempts and malicious actions that try to breach your networks. And finally, automate patch management actions on all assets within scope by assessing the number of patches deployed per month based on the environment, i.e., cloud.

Optimise and consolidate

We’ve seen how implementing best practices and measuring performance are the bedrock of operationalised security. It’s hard to do this effectively if you have disparate, disconnected systems. It’s onerous at best and impossible at worst. This is when consolidating your security solutions can have a huge benefit. Using your strategy, documented processes, and performance data, you can build a model that provides a “costed” (if possible) business case as to how consolidation will not only maintain cyber security standards but also benefit the bottom line and make the overall management of solutions easier.

The chances are you’ll have any number of security solutions and vendors as part of your overall cyber portfolio, which in many large enterprises sits anywhere between 50 and 100 solutions. So, how do you consolidate without losing functionality, data, or cyber posture? While every organisation will have its own set of criteria as to what it needs, there are some core considerations:

  • Consolidation only works if you can trust and work with a cyber vendor who has a whole raft of great solutions, i.e., they are recognised by peers and analysts. At a very minimum, that should include vulnerability management, application security, detection and response, external threat intelligence, orchestration, and automation.
  • Does the vendor simply sell solutions, or are they wholly invested in the cyber community? For example, do they undertake specific research that considers the raft of vulnerabilities and exploits out in the wild? More so, is that information shared and reviewed by the wider community? It’s this type of additional information that helps you understand just how invested an organisation is in both its customers and the industry as a whole.
  • What kind of partner ecosystem exists? It’s highly unlikely you’re going to use one, single vendor across all your cyber solutions; thus, ease of integration needs to be factored into your thinking.

As you build awareness of your cyber risk priorities, you should also become familiar with your maturity levels. This isn’t a single measurement, but rather applies to each of those core foundations – culture, accountability, processes, resources, automation, and measurement.

Rather than simply increasing budgets, take a step back and begin operationalising security and consolidating tools. By tracing cyber security’s connections to core business foundations, embedding best practices, measuring performance, and consolidating solutions around strategic needs, you can ensure your investments deliver real results in reducing risk exposure and protecting your business.


Robin Long is the field CTO for the Asia-Pacific region at Rapid7.

David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
