New Security Measures Enable Automation Upgrade
A major UK investments organisation approached i-confidential to help with the implementation of an automated metrics collection solution.
Metrics automation often requires expertise that organisations lack in house, but this client's gap was more fundamental: it had no security measures aligned to its cyber controls that the new solution could collect.
Without such measures, the organisation could not monitor the performance of its key cyber controls. This presented a significant risk, because a control that is not measured can underperform without anyone noticing.
i-confidential has previously completed similar engagements for other financial services organisations, which made us well suited to help. Further to that, our experience carrying out security assessments enabled us to rigorously uncover the underlying problems.
To understand which security measures mattered most to the client, we first assessed their security landscape; that assessment gave us a baseline to work from and a starting point for change. We then held collaborative sessions with key stakeholders to determine which controls were most important to measure and where the existing control framework had gaps. The scope of required security measures was set from this initial activity.
With the scope outlined, we then provided the required security measures. These came from a combination of our Security Metrics Library and new measures tailored to the organisation’s needs. Our extensive metrics library is based on our best practice security controls, and is aligned to industry standards (e.g. NIST/ISO).
Having established the measures that would best help the client, we discussed performance thresholds with the Control Owners. Our recommendation for these RAGs (Red, Amber, Green) was to start from a baseline of current performance rather than an aspirational target, so that the first reports would show genuine deterioration rather than a wall of red. Rolling measure data up to control and domain level, with RAG thresholds tied to agreed goals, lets each audience (Control Owners at measure level, the CISO at control level) focus on the actions relevant to them. As the organisation's security function matures, the RAG thresholds on individual measures can be tightened towards the target.
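The following is an added illustration of the threshold and roll-up approach described above; it is not i-confidential's Security Metrics Library or the client's catalogue, and the measure names, baselines, targets and collected values are constructed sample data. It shows day-one thresholds derived from a baseline, a "worst status wins" roll-up from measure to control level, and how tightening the thresholds towards target changes the picture for the same collected values.

```python
"""RAG scoring and roll-up for security measures (added example, constructed data)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple


class Rag(IntEnum):
    """Ordered so that max() over a set of statuses yields the worst one."""
    GREEN = 0
    AMBER = 1
    RED = 2


@dataclass(frozen=True)
class Thresholds:
    """Boundaries for a 'higher is better' percentage measure."""
    green: float   # value >= green            -> GREEN
    amber: float   # amber <= value < green    -> AMBER; below amber -> RED


@dataclass(frozen=True)
class Measure:
    name: str
    control: str
    baseline: float   # value observed when measurement started (assumption)
    target: float     # where the Control Owner wants to be eventually (assumption)


def thresholds_from_baseline(m: Measure, tolerance: float = 5.0) -> Thresholds:
    """Day-one thresholds: today's performance is green and an amber band sits
    a fixed tolerance below it, so nothing is red unless it has slipped."""
    green = min(m.baseline, m.target)
    return Thresholds(green=green, amber=max(green - tolerance, 0.0))


def tighten(t: Thresholds, target: float, fraction: float) -> Thresholds:
    """Move the green boundary a fraction of the remaining gap towards the
    target, keeping the amber band the same width."""
    width = t.green - t.amber
    green = round(t.green + (target - t.green) * fraction, 2)
    return Thresholds(green=green, amber=round(max(green - width, 0.0), 2))


def rag(value: float, t: Thresholds) -> Rag:
    if value >= t.green:
        return Rag.GREEN
    if value >= t.amber:
        return Rag.AMBER
    return Rag.RED


def roll_up(statuses: Iterable[Rag]) -> Rag:
    """Worst status wins, so a single red measure cannot be averaged away."""
    return max(statuses, default=Rag.GREEN)


def score(measures: List[Measure], values: Dict[str, float],
          thresholds: Dict[str, Thresholds]) -> Tuple[Dict[str, Rag], Dict[str, Rag], Rag]:
    """Measure-level RAGs (Control Owner view), control-level roll-ups
    (CISO view) and one overall status."""
    by_measure = {m.name: rag(values[m.name], thresholds[m.name]) for m in measures}
    grouped: Dict[str, List[Rag]] = {}
    for m in measures:
        grouped.setdefault(m.control, []).append(by_measure[m.name])
    controls = {c: roll_up(s) for c, s in grouped.items()}
    return by_measure, controls, roll_up(controls.values())


# Constructed sample catalogue: hypothetical measures, not the client's.
MEASURES = [
    Measure("Endpoints with EDR agent reporting (%)", "Endpoint protection", 95.0, 99.0),
    Measure("Critical patches applied within SLA (%)", "Vulnerability management", 80.0, 95.0),
    Measure("In-scope assets scanned in last 30 days (%)", "Vulnerability management", 98.0, 100.0),
    Measure("Privileged accounts reviewed this quarter (%)", "Access management", 60.0, 100.0),
]

# Constructed values from a first automated collection run.
CURRENT_VALUES = {
    "Endpoints with EDR agent reporting (%)": 97.0,
    "Critical patches applied within SLA (%)": 82.0,
    "In-scope assets scanned in last 30 days (%)": 99.0,
    "Privileged accounts reviewed this quarter (%)": 60.0,
}


def day_one_report():
    thresholds = {m.name: thresholds_from_baseline(m) for m in MEASURES}
    return score(MEASURES, CURRENT_VALUES, thresholds)


def tightened_report(fraction: float = 0.25):
    thresholds = {m.name: tighten(thresholds_from_baseline(m), m.target, fraction)
                  for m in MEASURES}
    return score(MEASURES, CURRENT_VALUES, thresholds)


if __name__ == "__main__":
    for label, (_, controls, overall) in (("day one", day_one_report()),
                                          ("tightened", tightened_report())):
        print(label, overall.name, {c: s.name for c, s in controls.items()})
```

With the constructed data every measure is green on day one, because the thresholds were set from where the organisation actually was. Moving the green boundary a quarter of the way towards target turns the patching measure amber and the privileged-access review red, and the worst-wins roll-up carries that red up to the overall status rather than hiding it behind three green measures. The tolerance, tightening fraction and worst-wins rule are design choices for this example; a real catalogue would agree them with each Control Owner.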
In wrapping up the client engagement, we provided our final measures catalogue and analysis to help with future improvement. This included areas where the client did not currently have the capability or the data necessary to measure performance. As the client matures its security function, these will be areas to tackle next.
The client began its engagement with us without much security measurement taking place. By the end of our project, hundreds of new security measures were added. Not only was there a large increase in measurement, but there was also a better understanding of what was measured by everyone involved in the security function. The CISO in particular was left in a better position ahead of the client’s transition to ServiceNow and the use of automated metrics collection across the organisation.
Building good security metrics is complex and takes time. There are steps, however, that every organisation can take on their way to maturity. Getting the foundations in place makes it easier to automate in the future.