Ask the Expert: How can we justify investing further in our cyber program?
Kirk Hogan, CIO and Practice Lead, Security Operations at Iceberg Networks, and Bill Vollono, Sales Engineer at Recorded Future, sat down to answer more questions about how organizations should evaluate their cyber risk programs. The following is an edited transcript of the conversation.
Kirk Hogan: Investing in your cyber program is a tough question because people are challenged with the question “Do we know it’s working in the first place?” so the question becomes “How do I know I should continue to invest in the program?” First and foremost, we need to understand the difference between effectiveness and efficiency. A lot of people are trying to do programs with a volume of information or a volume of vulnerabilities or threats, but being able to target the right ones first helps you identify and build out models that are effective because I’ll guarantee you, if you can prove what you’re doing is doing the right things, then you’re going to get more investment. So, how do you find the “right things”? That’s the challenge that this question is really about.
Bill Vollono: The right things – it’s got to be around higher fidelity data that is applicable and relevant to your organization, your digital footprint or your technology stack. You really need a way that you can cut through the noise. When we talk about the number of risks, threats or vulnerabilities, that number is never going to reduce, it’s only going to continue to increase as we become a more digital world. The reality is today’s security practitioners are a strapped team. They can’t handle all of the noise from the alerts. The way to justify investing in your cyber program would be to make sure that you are looking for ways (technologies, products, team members) that are going to help reduce the noise, make the intelligence or data actionable and help drive an outcome rather than an overwhelming sense of whack-a-mole with alerts.
Kirk: I think it’s important too, rather than address “all”, you’re trying to address the right things. You need to justify, you need to keep a record of decision about why you are not addressing these other things. It isn’t that you can just focus on the right things and not address all things, you need to explain why you’re not addressing those other things with a justifiable reason. Either the threat is not viable or real in your environment, because a threat is either applicable or not. In your business-to-business, it changes, whether it applies or not. If you can prove that it was a threat to your business and talk about the probability or the likelihood of this being realized, now you can start to take the appropriate measures. That’s why I’m saying, if you can build trust and focus on the right things, the leadership, the management will see the impact of focusing in with the right models. The thing about a model (an operational model or strategy) is if you can get it to work for the most important things, you can get everyone to take a leap of faith that it will scale outward to handle volume, and more so, the appropriate volume. It’s about having the appropriate level of management on the vulnerabilities and the trick is [to figure out] what is appropriate.
Bill: You need correlation. You need to say “what are my assets?” and you need to compare that against “what are the threats or risks external to my organization?” Where do those converge? Ultimately, you need to understand the level of risk imposed by the external factor, but if it’s converging on an owned asset, then that’s where you’re going to be prioritizing, that’s why it should justify an escalation in priority.
Kirk: If you’re tuned in to some form of threat intelligence, you can take a measurement. Before you applied your model, the threat landscape was like this, then you exercise your model, execute your response. Then you again take another pulse check, you should be able to determine that I’ve made an impact because it should be a measurable difference. You can test to see whether your responses are correct.
Bill: We do that all the time, specifically looking for mean time to detection, mean time to resolution, and obviously if you’re looking at a technology or a new process, you want to have your starting point, you want your finishing point, you want to see that delta. That will ideally point you in the direction of the outcomes that you want, or you need to move on and assess a different process or solution.
Kirk: Exactly, and Bill you’ve identified the king metric and that is mean time to pick a word: containment, respond, remediate, configure. There is a mean time and if we want to shorten that interval, that is how you can prove that it is the right time to invest and keep on investing.
Bill: And it will scale up your workforce, your efficiency and ideally let you as an individual tackle other challenges that might be more important or things that you weren’t able to get to previously.