Operationalising IT security reviews
Commissioning or undertaking a security review is a familiar process for most security managers, internal and external auditors, CISOs and risk owners. The growing responsibilities of directors for the effective management of IT risk almost guarantee that the audit process will become as routine as the monthly accounts.
In an environment where new technical vulnerabilities, and even cyber attacks, can happen literally overnight, there is always going to be a need to understand what gaps exist in your risk management controls and whether there are any resulting compliance issues that need to be addressed.
Traditionally there have been lots of different types of review, and almost as many different approaches to undertaking them. All have pros and cons, with different levels of effort and fidelity – depending on the intended audiences and purpose of the outputs. Two examples are below:
- Penetration tests are often very technical in scope, activities and outputs – they do, however, give IT administrators or engineering teams a clear and extensive list of identified weaknesses and how to fix them.
- High-level policy gap analysis checks can establish whether adequate documentation is in place, that the relevant controls have been deployed based on risks and that evidence of their effective operational status is available.
The overwhelming limitation of security reviews is that they are point-in-time assessments. They are correct and valid on the day they were undertaken, but quickly become out of date; and that’s a problem where your risk environment can change overnight.
Lengthy periods of vulnerability to the latest exploits and infrequent risk assessments can unnecessarily prolong the time at risk from cyber attack. In a world where so much can change as a result of a simple click on the wrong link, an up-to-date review can quickly lead to the timely mitigation of the risk. Appropriate mitigation might be as simple as disabling features or accounts that were found to be missing patches, but unless you have complete visibility, your mitigation strategy cannot be adequate.
So, with the benefits established, the challenge is: how often can you conduct a security review? What budget and resource is available for the assessment, and for retesting once the problems have been fixed? And in a constantly changing environment – how frequent is frequent enough to maintain your compliance obligations and to verify the progress of security improvements?
The answer obviously depends on the overall risk appetite of your organisation and the risk environment in which it operates. Security and risk teams should be able to run risk assessments as necessary – to assess the current state of security controls, identify any deficiencies and then, as with any quality improvement process, re-run the assessment to determine the success of the corrective actions.
On demand security reporting – the ultimate goal
In a dynamic risk environment, an annual penetration test or audit is, at this point, going to fall short. Perhaps for audit purposes it is a useful exercise, but it isn’t a meaningful basis for deriving security metrics for operational reporting, or for gauging risk or compliance status.
Annual reviews, planned in advance, can be prepared for, and the resultant assessment is based on the “prepared” environment rather than a typical picture of how systems are managed. Plus, as we’ve already observed, systems, even if they avoid an overnight “hit”, will drift away from a known state over time – in days, weeks, months – so the accuracy of the findings is quickly eroded.
Conversely, trying to run audits or gather data manually on a weekly, or even monthly, basis compresses too much effort into too small a time window. It leads to short-cuts in the name of “ticking the audit box” – sampling, cherry-picking the environments to be assessed and subjective self-assessments don’t tell the full story. They provide an incomplete view of your security posture, and ultimately an inaccurate disclosure to senior executives and potentially even regulators. It’s for this reason that there has been a marked trend in security frameworks, advisories and regulatory requirements towards organisations increasing the frequency of security assessments. Whether it’s simply part of a security performance improvement program or a broader governance initiative, evidence-based decision making requires accurate, timely and actionable information.
The trend is clear: as this article shows, the need to assess, patch and improve your security is ever-present – and needs to be addressed as regularly as possible.
Prompt security metrics
So the goal, we can conclude, is to find a way – an approach, process, service provider or tool – that can support and inform this cycle of assessment, remediation and retesting. The desire for a set of security KPIs, while still limited by logistical and resource constraints, is growing stronger and more urgent.
The audit and risk assessment solutions we have developed to meet continuous compliance monitoring, on-demand audit and the validation and assessment of ransomware controls tick many of the boxes: simple, unobtrusive, evidence-based and empirical.
With the immediate availability of reliable information on security posture, reporting cycles come right down, and the “time at risk” can be slashed with little elapsed time between risk investigation and mitigation.
The increased trust that this engenders in both the IT environment and the teams responsible for its resilience means the business is more likely to invest in security improvement, because now senior executives too have access to status information on security controls for management and oversight.
The consultancy equation
For consultants, this changing face of risk assessment is even more challenging. Yes, they want to do more work and conduct as many assessments as possible, but they have to find a way to deliver value in a cost-effective way. An annual audit might be a big job, but it’s infrequent and leaves the consultant and client out of touch with the true risk position for some time. Again, time at risk.
With the advent of solutions that enable a rapid risk assessment, the cost of the security audit or assessment can be reduced, and the value of prompt security reporting becomes a real business opportunity. Suddenly the consultant/client relationship isn’t about a long list of issues once a year, it is one of a continuous and iterative cycle of assessment and security improvement, with more opportunity for the introduction of a systematic and responsive management methodology for cyber security – an increasingly concerning business risk for all stakeholders.