Have you ever questioned the effectiveness of your cybersecurity program? How would you know, for instance, whether your principal IT initiatives for 2023 are successful (and to what degree) as far as information security goes?
Every large and complex system has its checks and balances. The best-known example is the US constitution, where the term "checks and balances" refers to splitting power between the three branches of government: executive, legislative, and judicial.
In the business world, we use a balance sheet to check the viability of the business and identify areas of success as well as concern. Together with the rest of the financial statements, it allows drilling down into operations, sales and marketing, research and development, and essentially any business arm to understand its performance and fix any gaps or issues that are found.
Information networks today, especially in large enterprises, are definitely complex systems. The number of software products in use, the amorphous and dynamic architecture, the frequency of change, and the nature of their human operators make it nearly impossible to keep them under control.
If sales and marketing have numeric targets, how do we set, assess, and track KPIs for cybersecurity (other than “let’s not make headlines for the wrong reason”)?
3 Ways Checks and Balances Conceptually Apply to Cybersecurity:
1. The need to balance between powers
One might ask, "wait, isn't the CISO in charge?!"
Formally, yes. In many cases, though, the cybersecurity program is subject to influences that have plenty of merit but little to do with cybersecurity. Business productivity will always come first, so DevOps will push for faster release cycles even when that means a looser application of security policies.
Business requirements (for example, revenue generation at an eCommerce site) will take precedence over a security solution that would ideally inspect each and every user transaction for fraudulent or malicious behavior.
Add to the mix that most executives and board members do not speak the cybersecurity language, and budget and staffing decisions end up driven by internal pressures, politics, and assumptions rather than by hard facts about the actual performance and exposure of that particular organization.
2. The need for a baseline
Just as with a balance sheet, a snapshot in time that provides extensive visibility supports a situational analysis and the setting of goals and milestones for the future. It surfaces problems so that they can be addressed quickly.
The balance sheet is accepted by everyone as the single source of truth for the business, which raises the question of how we create a "balance sheet" for cybersecurity. This balance sheet, or baseline, must be extensive and contain factual information about the security posture of that specific organization.
What kind of information?
Information about exposed assets, exploitable vulnerabilities, gaps in the performance of security controls, misconfigurations, infiltration routes, gaps in policy enforcement, undetected threats, and even time to respond and mitigate.
All of this information is instrumental for a data-driven discussion between the different teams (business, IT, DevOps, and security) to reach agreement, prioritize, and rationalize decision-making, whether it concerns people, processes, or technologies.
3. The need for visibility -> certainty -> control
Since the information network is amorphous and constantly changing, the job of cybersecurity professionals is mostly fighting entropy. On any given day a developer can upload code to GitHub, a marketer can adopt a new automation tool that uses customer data, and any employee working from home can open a door to whatever trouble is waiting to make its way in.
This security drift isn't only a first-party risk. Often it originates with third-party software providers, and breaches of that kind are piling up by the week.
No wonder, then, that security leaders, and business leaders, are never sure about "how well are we secured right now."
If they could see an end-to-end snapshot of their cybersecurity posture, they would gain certainty. Once there is certainty, they can plan ahead, get back in the saddle, and control that horse.
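The baseline of section 2 and the drift of section 3 are easy to describe and easy to hand-wave. The script below is an added illustration, not code from the original article or from Cymulate: it takes a constructed posture snapshot (assets, findings, control test results, all invented sample data with made-up names and finding IDs), reduces it to the handful of numbers a cross-team discussion needs, and then diffs two snapshots to show where the estate drifted between them. The record layout is an assumption for the example, not any product's schema.

```python
"""Minimal 'security balance sheet': score a posture snapshot and diff two of them.

Added example. All records and field names below are constructed for illustration
and are not a real product's data model; finding IDs like "F-101" are invented.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Asset:
    name: str
    internet_facing: bool
    owner: str            # team accountable for the asset


@dataclass
class Finding:
    asset: str
    finding_id: str       # constructed identifier, not a real advisory
    exploitable: bool     # e.g. public exploit exists, or validated by a control test
    found: date
    fixed: Optional[date] = None


@dataclass
class ControlTest:
    control: str          # e.g. "waf", "edr"
    tested: int           # attack samples executed against the control
    blocked: int          # samples the control stopped


@dataclass
class Snapshot:
    taken: date
    assets: list = field(default_factory=list)
    findings: list = field(default_factory=list)
    controls: list = field(default_factory=list)


def baseline(snap: Snapshot) -> dict:
    """Reduce a raw snapshot to the few numbers a data-driven discussion needs."""
    exposed = {a.name for a in snap.assets if a.internet_facing}
    open_findings = [f for f in snap.findings if f.fixed is None]
    # What matters most: still open, exploitable, and on an internet-facing asset.
    critical = [f for f in open_findings if f.exploitable and f.asset in exposed]
    closed = [f for f in snap.findings if f.fixed is not None]
    mttr = (sum((f.fixed - f.found).days for f in closed) / len(closed)) if closed else None
    efficacy = {c.control: round(c.blocked / c.tested, 2) for c in snap.controls if c.tested}
    return {
        "taken": snap.taken.isoformat(),
        "exposed_assets": sorted(exposed),
        "open_findings": len(open_findings),
        "critical_exposures": sorted(f"{f.asset}:{f.finding_id}" for f in critical),
        "mttr_days": mttr,               # mean time to remediate, in days
        "control_efficacy": efficacy,    # block rate per tested control
    }


def drift(old: Snapshot, new: Snapshot) -> dict:
    """What changed between two baselines: the entropy the text describes."""
    b_old, b_new = baseline(old), baseline(new)
    eff_old, eff_new = b_old["control_efficacy"], b_new["control_efficacy"]
    return {
        "new_exposed_assets": sorted(set(b_new["exposed_assets"]) - set(b_old["exposed_assets"])),
        "new_critical_exposures": sorted(set(b_new["critical_exposures"]) - set(b_old["critical_exposures"])),
        "fixed_critical_exposures": sorted(set(b_old["critical_exposures"]) - set(b_new["critical_exposures"])),
        # Controls whose block rate dropped: the silent drift nobody files a ticket for.
        "degraded_controls": {c: (eff_old[c], eff_new[c])
                              for c in eff_old if c in eff_new and eff_new[c] < eff_old[c]},
    }


# Constructed sample data: a January baseline and a February snapshot of the same estate.
JAN = Snapshot(
    taken=date(2023, 1, 31),
    assets=[Asset("shop-web", True, "ecommerce"), Asset("hr-db", False, "it"),
            Asset("ci-runner", False, "devops")],
    findings=[Finding("shop-web", "F-101", True, date(2023, 1, 5)),
              Finding("hr-db", "F-102", True, date(2023, 1, 10)),
              Finding("ci-runner", "F-103", False, date(2022, 12, 20), fixed=date(2023, 1, 9))],
    controls=[ControlTest("waf", 100, 92), ControlTest("edr", 50, 45)],
)
FEB = Snapshot(
    taken=date(2023, 2, 28),
    assets=JAN.assets + [Asset("ci-runner-public", True, "devops")],   # DevOps exposed a runner
    findings=[Finding("shop-web", "F-101", True, date(2023, 1, 5), fixed=date(2023, 2, 14)),
              Finding("hr-db", "F-102", True, date(2023, 1, 10)),
              Finding("ci-runner", "F-103", False, date(2022, 12, 20), fixed=date(2023, 1, 9)),
              Finding("ci-runner-public", "F-104", True, date(2023, 2, 20))],
    controls=[ControlTest("waf", 100, 80), ControlTest("edr", 50, 46)],   # WAF rule set regressed
)

if __name__ == "__main__":
    import json
    print(json.dumps(baseline(JAN), indent=2))
    print(json.dumps(drift(JAN, FEB), indent=2))
```

On the sample data the January baseline shows one critical exposure (shop-web:F-101) and a 20-day mean time to remediate; the February drift report shows that the exposure was fixed, that a newly exposed CI runner introduced another one, and that the WAF's block rate fell from 0.92 to 0.8 even though nobody changed a security policy. Those three facts are the kind of evidence the text is asking for: each has an owner, each can be argued about with numbers, and each can be tracked to the next snapshot.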
Enterprises monitor the revenue that sales generates, the savings the finance department delivers, and the quality of product engineering. They check and balance. Cybersecurity needs the same treatment, and it begins with gathering evidence. Fact-based discussions simplify communication, increase collaboration, and boost productivity.
Learn how Cymulate can get you the evidence you need.