GRC Viewpoint

How a Security Data Backbone Drives Leadership

Five steps CISOs should consider to capitalize on operational data for their security leadership strategy

Enterprise security leaders have a lot riding on their shoulders. You’re expected to manage security programs proactively, track results and progress closely, report in detail to both business and technical stakeholders on how corporate security is performing, and identify what needs to be done better. All this, while being a major enabler for the enterprise’s business continuity.

Yet despite this huge range of responsibilities – literally from crafting strategy to overseeing day-to-day operations – most CISOs are still flying blind. They’re still using offline, stale data to drive planning, decision making and governance. Getting answers to key questions like “How prepared are we against ransomware?” or “Is my security policy actually being enforced?” can take weeks. And answers are often outdated right after they’re received.

Building a security data backbone is a way for security leaders to eliminate the overhead of ingesting data, and more effectively measure and communicate the value of their security programs. In the past three years, as we’ve built SeeMetrics, we’ve gathered vast amounts of data, stories (and horror stories) about how CISOs work to build a durable security data backbone. 

Here are the five stages we’ve distilled from this experience:

  • Create a single source of truth

The starting point is the raw data that flows from the vast collection of diverse and distributed systems that comprise your security stack. The main challenge here is to stream data from cloud and on-prem sources into a centralized location. The goal is to create a reliable, single source of truth: one place for all security data. 

In recent months, players like AWS and Snowflake have announced security data lake programs. Creating a security data lake that becomes the repository for all cybersecurity data – structured and unstructured – is a welcome way to organize and manage the information flowing from the stack. Yet for a security data lake to generate insights that management can use, there are many additional steps that need to be taken.

  • Normalize the data

So, you’ve got your operational data centralized. The problem is that different security tools use different data structures and different terminology. To normalize such a huge volume of diverse security data, it’s crucial to add contextual understanding of each one of the products that comprise the security stack. To make this happen, you need to bring in various security Subject Matter Experts (SMEs) to work alongside your analytics teams. Since each product’s data structure is different and contains hundreds of variants, these teams need to work together to “translate” data into a common lexicon for comparison with similar parameters across diverse systems. 

  • Create coherent metrics 

Once the data is normalized, it’s time to harvest insights. Yet insights are born of metrics – based on best practices, KPIs and other measurements. The question is: what exactly to measure and how? The ROI on complex metrics is often hard to justify. These tend to produce long and unactionable wish lists in Excel – but offer little actual value. The trick here is to strike a balance between metrics we can harvest from our stack and metrics that can create a logical narrative from a business perspective. 

  • Follow the trends

Even the most valuable metrics need to be considered in the context of the dynamic and evolving business continuum. For example, while it’s important to see the current number of critical vulnerabilities, it’s even more important to know if there are more today than last month. The ability to demonstrate trends is a key tool to support quarterly or annual roadmap, procurement, manpower or training recommendations. It’s also a way to better focus attention and resources across BUs and risk areas.

  • Evolve to data-driven security 

Completed steps 1-4? Congratulations! You’ve freed up a huge number of security SMEs who can now focus on enhancing security instead of ingesting data. You’ve also empowered yourself with a security data backbone – a data-driven security decision making platform. Now, you’ll be able to understand whether performance is surpassing thresholds or falling short. This means that resource-intensive tasks can be more effectively managed. It also means that when it’s time to turn to the Board and request additional funds, these requests can be easily and clearly tied to actual and available indicators.
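As an added illustration of the "normalize" and "follow the trends" steps (not code from SeeMetrics or from this article), the sketch below translates two constructed tool exports with different field names, severity vocabularies and date formats into one schema, then compares critical findings month over month. The tool schemas, asset names and dates are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample exports from two hypothetical tools with different schemas.
SCANNER_A = [
    {"host": "web-01", "severity": "Critical", "first_seen": "2024-04-03"},
    {"host": "db-02", "severity": "High", "first_seen": "2024-04-17"},
    {"host": "web-01", "severity": "CRITICAL", "first_seen": "2024-05-09"},
]
SCANNER_B = [
    {"asset_name": "app-07", "cvss": 9.8, "detected": 1715558400},  # 2024-05-13 UTC
    {"asset_name": "app-09", "cvss": 5.4, "detected": 1714521600},  # 2024-05-01 UTC
    {"asset_name": "vpn-01", "cvss": 9.1, "detected": 1716940800},  # 2024-05-29 UTC
]

def cvss_to_severity(score):
    """Map a CVSS v3 base score to a qualitative band (below 4.0 grouped as low)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def normalize(scanner_a, scanner_b):
    """Translate both exports into one schema: asset, severity, month (YYYY-MM)."""
    records = []
    for r in scanner_a:
        records.append({"asset": r["host"], "severity": r["severity"].lower(),
                        "month": r["first_seen"][:7]})
    for r in scanner_b:
        seen = datetime.fromtimestamp(r["detected"], tz=timezone.utc)
        records.append({"asset": r["asset_name"],
                        "severity": cvss_to_severity(r["cvss"]),
                        "month": seen.strftime("%Y-%m")})
    return records

def critical_by_month(records):
    """Count critical findings by the month in which they were first seen."""
    return Counter(r["month"] for r in records if r["severity"] == "critical")

def trend(counts, current, previous):
    """Change in critical findings between two months (positive means more)."""
    return counts[current] - counts[previous]

if __name__ == "__main__":
    counts = critical_by_month(normalize(SCANNER_A, SCANNER_B))
    print(dict(counts), "change:", trend(counts, "2024-05", "2024-04"))
```

Without the normalization step, the numeric scores from the second tool would never match a filter on the word "critical", and the May count would be understated.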

The Bottom Line

It’s not that the information that you need to drive your security leadership doesn’t exist today. It does. It just remains buried in operations. A security data backbone counters the effects of security tool sprawl. By creating and maintaining a data-driven security decision-making platform, CISOs gain a new, multidimensional viewpoint. With continuous access to coherent and comprehensive security metrics and trends, security leadership can tie benchmarks to reality, proactively enforce policies and easily communicate progress to organizational leaders.

Coherent metrics and insights derived from your security data backbone help you see the forest for the trees, demonstrate value, and ensure your organization as a whole is safer and more productive.

By Shirley Salzman, CEO, Co-Founder at SeeMetrics
