Why ‘agile risk analytics’ matters, part 1: the ‘risk’ bit
OK, we’ve defined what ARA is.
Now let’s pick apart the 2 dimensions of ‘why it matters’.
We’ll start with the ‘risk’ bit in this blog, then the next one will deal with the ‘agile analytics’ bit.
TL;DR — without a timely, compound view of what data tells you about your situation, you can’t get meaningful insights about your next best decision to reduce risk. And you can’t justify your decisions easily to the people you’re accountable to.
From a CxO perspective, ARA is primarily about being able to see the wood for the trees. It’s about understanding the macro picture your data can give you about ‘How good are we?’ and ‘What’s our next best decision?’, rather than being lost in a seemingly endless and deepening forest of tactical alerts and silod volumetrics from point solutions. You can think about this as ‘being in control’ of the situation.
Then, secondarily, ARA is about being able to ‘show you are in control’. It’s about having the evidence you need to justify your choices easily. As the CFO at one of our clients said when they were describing the problem they needed solving:
“I need to be able to point at evidence based on good, current data and tell shareholders ‘This is what justifies my level of comfort about our risk posture and governance’. And I can’t.”
Most security teams have been staring at a puzzle like the one below for way too long:
CISO teams and their CxOs know they need to change this, (and that unlocking insight from their data is the key to doing so).
This is not least because from one reporting period to the next, they are being asked more questions by more stakeholders, and those questions are getting harder all the time.
As a CIO at another client put it:
“The information I receive from individuals is usually ‘generally we’re doing well’, but this is in isolation and without perspective. [WARNING: HERE COMES THE SALES BIT] What the Panaseer platform did for us immediately, particularly with the cross-source analysis, was expose that we have a swiss cheese with holes everywhere.
Of course, while having a risk picture is critical, the real value is what you can do once you’ve got it. In other words, ‘Don’t bring me a problem’ (aka ‘You have a swiss cheese!’), ‘bring me a solution’ (aka ‘Tell me how to achieve better protection of the business, efficiently, so I can do more relevant and effective stuff with the resources I have.’)
This is more relevant today than ever, as the status quo many mature security teams tell us they face generally goes something like: “We’re spending 60–70% of budget on activities that align to the NIST pillars of ‘detect’ and ‘respond’; we’ve found we’re experiencing diminishing returns for the amount we’re investing; this is because the easy part of detecting stuff is plugging in tech and getting more alerts; the hard part is scaling our abiltiy to triage what matters. And that’s hard because we lack meta-context about our environment to be able to prioritise alerts effectively.”
It’s not unusal to hear stories like: ‘Our SOC gets 50k alerts a week, and is staffed by a small team of non-expert analysts that can only get to 10 alerts a day’. Hence, as one CISO put it:
“I want better security, not more alert triage.”
To deliver this, more and more security teams we talk to are pulling their focus back to the NIST pillars of ‘identify’ (i.e. understanding the digital topology and ‘patterns of life’ across devices, users and applications), and ‘protect’ (i.e. closing as many doors that create exposure to compromise with as few as possible ‘best cost’ actions). From another CISO we spoke to recently:
“I don’t want to hear about detective controls; I want preventative controls, or reactive, automated controls.”
If you’d like to learn more about how Panaseer delivers on that need, starting by automating the creation of a ‘device inventory’ that updates dynamically, (while also giving you a picture of controls’ coverage and operational consistency), just shoot us a note here.
After all, shouldn’t your data being doing more of the hard, manual work that those armies of consultants get paid for on a yearly basis before audit season? ;)