The Cybersecurity Tower of Babel Requires Focus on Business Fundamentals: Part 2
Published 07/25/2024
Written by Elad Yoran & Patricia Schouker.
Enterprises are facing a great deal of change driven by the recent proliferation of security tools. With so many solutions needed to cover different portions of the environment, the result has been the fragmentation of enterprise security into a chaotic disarray of reports and findings, making remediation more challenging. In Part 1 of this blog, we explored why this is. Now, we’ll share CISOs’ recommendations for regaining an enterprise-level view of security.
Manage Cyber Stovepipes
With an abundance of deployed security tools, each covering a different area, prioritizing security issues can be difficult. This inundation of findings from specialized tools leads to backlogs of high-priority items that overwhelm even the most well-resourced and managed organizations. Where possible, security teams should centralize findings from disparate solutions into a single, consolidated list. Findings and data should be normalized into a common language, deduplicated, and re-prioritized accordingly with added context.
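The consolidation step described above, as an added example that is not part of the original post: two constructed tool outputs with different schemas are mapped onto one common record, deduplicated on the asset/issue pair, re-scored with asset context from a hypothetical CMDB, and returned as a single prioritized list. The tool formats, the asset context, the scoring rules and the CVE-style identifiers are all invented placeholders.

```python
"""Consolidate findings from disparate security tools into one normalized,
deduplicated, context-prioritized list. Added example: the two tool output
formats, the asset context and the scoring rules are all constructed."""

# Constructed output of a hypothetical host vulnerability scanner.
# The CVE identifiers are placeholders, not real advisories.
SCANNER_FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "severity": "HIGH"},
    {"host": "web-01", "cve": "CVE-0000-0002", "severity": "MEDIUM"},
    {"host": "db-01", "cve": "CVE-0000-0001", "severity": "HIGH"},
]

# Constructed output of a hypothetical cloud posture tool (different schema).
CSPM_FINDINGS = [
    {"resource_id": "web-01", "rule": "CVE-0000-0001", "risk": 8.7},
    {"resource_id": "bucket-logs", "rule": "PUBLIC_READ", "risk": 9.1},
]

# Constructed asset context, e.g. from a CMDB, used to add business context.
ASSET_CONTEXT = {
    "web-01": {"internet_facing": True, "criticality": "high"},
    "db-01": {"internet_facing": False, "criticality": "high"},
    "bucket-logs": {"internet_facing": True, "criticality": "low"},
}

# Constructed mapping from a tool's severity label to a 0-10 base score.
SEVERITY_SCORE = {"LOW": 3.0, "MEDIUM": 5.0, "HIGH": 8.0, "CRITICAL": 10.0}


def normalize_scanner(raw):
    """Map a scanner record onto the common schema."""
    return {"asset": raw["host"], "issue": raw["cve"],
            "base_score": SEVERITY_SCORE[raw["severity"].upper()],
            "sources": {"scanner"}}


def normalize_cspm(raw):
    """Map a posture-tool record onto the common schema."""
    return {"asset": raw["resource_id"], "issue": raw["rule"],
            "base_score": float(raw["risk"]), "sources": {"cspm"}}


def contextual_score(base_score, ctx):
    """Raise the score for exposed or business-critical assets; cap at 10."""
    score = base_score
    if ctx.get("internet_facing"):
        score += 2.0
    if ctx.get("criticality") == "high":
        score += 1.0
    return round(min(score, 10.0), 1)


def consolidate(scanner_findings, cspm_findings, context):
    """Normalize, deduplicate on (asset, issue), re-score with context, and
    return one list sorted by priority; on ties, findings corroborated by
    more tools come first."""
    normalized = [normalize_scanner(f) for f in scanner_findings]
    normalized += [normalize_cspm(f) for f in cspm_findings]
    merged = {}
    for f in normalized:
        key = (f["asset"], f["issue"])
        if key in merged:
            # Same issue reported by several tools: keep the highest base
            # score and remember every source that saw it.
            merged[key]["base_score"] = max(merged[key]["base_score"], f["base_score"])
            merged[key]["sources"] |= f["sources"]
        else:
            merged[key] = f
    for f in merged.values():
        f["priority"] = contextual_score(f["base_score"], context.get(f["asset"], {}))
    return sorted(merged.values(),
                  key=lambda f: (-f["priority"], -len(f["sources"]), f["asset"], f["issue"]))


if __name__ == "__main__":
    for f in consolidate(SCANNER_FINDINGS, CSPM_FINDINGS, ASSET_CONTEXT):
        print(f["priority"], f["asset"], f["issue"], sorted(f["sources"]))
```

Five raw findings become four consolidated items: the high-severity issue on the internet-facing web host is reported by both tools, deduplicated into one record, and lands at the top of the list, while the same issue on the internal database host ranks lower despite an identical scanner severity.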
Automate Manual Processes
Currently, most security organizations manually manage the complicated processes by which security findings are remediated. Checklists are often maintained in spreadsheets and tasks are assigned to people and are tracked in periodic management meetings. These manual processes take time, are subject to human error, and introduce friction and delays. Automating processes and streamlining workflows shortens the time to risk remediation and saves organizational resources.
“Automating processes and streamlining communications from cybersecurity to IT, DevOps, OT, and other teams is critical and provides strategic benefits across the company. The result is faster, more effective security responses,” commented Kirsten Davies, CISO for Unilever. “Bottom line, it enables us to reduce risk for the companies we serve, as we improve overall security.”
How should processes be automated? A helpful framework for automating remediation processes is to work along four dimensions, as follows:
- Who: Identify which individuals are responsible for remediating each item. These individuals will likely reside across different parts of the organization, and in large, dispersed companies, doing so is non-trivial.
- Where: Identify what issue tracking systems are used across the company, as different departments may use different ones (for example, Jira in one and ServiceNow in another).
- What: Extract and focus on the action item, i.e., what the fixer needs to do, rather than the security issue. For example, the security organization cares that a newly discovered vulnerability is closed, whereas the remediator in IT or DevOps wants to know what patch needs to be applied to what servers. Automated processes should communicate accurate and precise information and instructions regarding the actions the remediators are being asked to perform.
- When: Develop Service Level Agreements (SLAs) for each level of the issue prioritization hierarchy, and then have the automated processes clearly communicate the expected action timelines to the people responsible.
This approach will help you design processes that maximize results, increase efficiency, and improve overall workflow management.
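The four dimensions above, carried through in code as an added example that is not from the original post: a normalized finding is routed to the owner of the asset (who), into the tracker that owner's team uses (where), phrased as the action to take rather than the security finding (what), with a due date derived from the SLA for its priority band (when). The ownership map, tracker names, action templates, SLA targets and the patch identifier are all constructed placeholders.

```python
"""Turn a normalized security finding into a remediation task routed along
the four dimensions (who, where, what, when). Added example; the ownership
map, tracker names, action templates and SLA targets are constructed."""
from datetime import date, timedelta

# Who / Where: constructed ownership map, asset -> owner and the tracker
# that owner's team actually works in.
OWNERS = {
    "web-01": {"owner": "platform-team", "tracker": "jira"},
    "bucket-logs": {"owner": "data-eng", "tracker": "servicenow"},
}

# What: constructed templates phrased as the action the remediator must take,
# not as the security finding.
ACTIONS = {
    "missing-patch": "Apply vendor patch {fix} to {asset} during the next maintenance window",
    "public-storage": "Remove public read access from {asset} and enable access logging",
}

# When: constructed SLA targets in days per priority band.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


def priority_band(score):
    """Collapse a 0-10 priority score into the SLA bands (thresholds are constructed)."""
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    return "P3"


def route(finding, opened_on):
    """Build a tracker-ready task for one finding.

    Unknown assets fall back to a security triage queue rather than being
    dropped, so gaps in the ownership map become visible instead of silent."""
    target = OWNERS.get(finding["asset"], {"owner": "security-triage", "tracker": "jira"})
    band = priority_band(finding["priority"])
    return {
        "assignee": target["owner"],
        "tracker": target["tracker"],
        "summary": ACTIONS[finding["category"]].format(**finding),
        "priority": band,
        "due": (opened_on + timedelta(days=SLA_DAYS[band])).isoformat(),
    }


def route_all(findings, opened_on):
    """Group tasks by tracker so each integration receives one batch."""
    batches = {}
    for f in findings:
        task = route(f, opened_on)
        batches.setdefault(task["tracker"], []).append(task)
    return batches


# Constructed findings; "KB-PLACEHOLDER" stands in for a real patch identifier.
SAMPLE_FINDINGS = [
    {"asset": "web-01", "category": "missing-patch", "fix": "KB-PLACEHOLDER", "priority": 10.0},
    {"asset": "bucket-logs", "category": "public-storage", "priority": 8.0},
    {"asset": "unknown-host", "category": "missing-patch", "fix": "KB-PLACEHOLDER", "priority": 6.5},
]

if __name__ == "__main__":
    for tracker, tasks in route_all(SAMPLE_FINDINGS, date(2024, 7, 1)).items():
        print(tracker)
        for t in tasks:
            print("  ", t["assignee"], t["priority"], t["due"], "-", t["summary"])
```

The fallback queue is the important design choice: in practice the ownership map is never complete, and a task with no owner should surface in a triage queue with an SLA clock already running rather than vanish.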
Integrate and Implement Processes Across the Company
Working with peer organizations, such as IT, Engineering, and DevOps, is not straightforward: the CISO is responsible for the organization's security, but resolving security issues is done by those other groups, which own and manage their respective technology stacks. Furthermore, cloud environments and subscription-based ‘as-a-Service’ solutions are often managed by non-technical users. No matter where they reside, the consistent characteristic is that they, not the security team, are able to make the necessary changes, whether implementing a patch, reconfiguring settings, eliminating unnecessary privileges, or rewriting code to fix bugs. It is therefore imperative to identify and develop effective communication channels with them.
“To successfully scale remediation, we need to get fast to the right individual person responsible for remediating each thing that needs attention, whether a code base, a cloud application, a specific server that needs patching, etc. Then, we must work with this person using the workflows, processes, and tools that they use to manage their job, whether Jira, ServiceNow, or any other, to ensure remediation is done on time,” said Hilik Kotler, CISO at SoFi.
Streamlining processes and communication with other functional teams may sound straightforward, but it is a challenging undertaking. CISOs are often unaware of the "owner" of a specific item that needs to be remedied. The process of identifying these individuals is more difficult than it seems in most organizations. Further, these remediators use different tools than the security team. These factors contribute to friction that impedes the necessary remediation.
Effective processes emphasize the needs of remediators whose day-to-day role is to improve the functionality, performance, and security of the item they are responsible for. As their daily work is to develop and implement a never-ending stream of items, the security-related items should be tracked and managed using the remediation teams’ issue tracking system. Automated security processes must be flexible to integrate with existing systems, so security issues are not handled differently from other IT or software issues and no remediator user training is needed.
Another important consideration to improving effectiveness of remediation processes is to maintain a "live" backlog system that automatically refreshes and updates priorities, closes issues that are no longer a risk, and keeps all parties synchronized. Such processes significantly reduce the operational overhead and friction involved in security remediation.
“It is key to figure out what you ‘own’ and who has ownership of that within the enterprise,” says Patti Titus, CISO at Booking.com. “This patchwork of ownership and responsibility makes the job of fixing (protecting) it that much more daunting. But once these are determined, you can craft incentives to get the work done faster.”
Develop and Track Metrics for Measuring Performance
Security metrics can validate a company's ability to reduce or mitigate risk. CISOs need measurable, repeatable, accurate metrics to measure the performance of the security teams, assess the effectiveness of inter-organizational remediation processes, and communicate effectively with C-level leadership and the Board of Directors.
“Metrics are essential to know that we are heading in the right direction, constantly improving security over time. For example, tracking a metric like Mean Time to Remediation indicates that we can address security needs faster now than previously,” said Ariel Litvin, CISO for First Quality Enterprises.
Two important metrics to track are Mean Time to Remediation and Opened vs Closed items.
Mean Time to Remediation: Measure the average time it takes to remediate a problem. This metric can be tracked at a granular level, by priority, by type of remediation action, by individual or group responsible for remediation, and others.
The granular tracking of this metric enables leaders to identify which security and remediation teams are excelling versus which may need attention, be it resources, training, or better management.
Opened vs. Closed: Measure the number of opened and closed security issues. It can similarly be measured on a granular level. While spikes periodically happen, well-run organizations respond better than poorly run ones, and over time they should close more issues than are newly identified.
For example, when new security issues keep being identified, it may indicate a lack of security controls in application development or in the provisioning of IT resources, something that can be worked on and improved over time.
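Both metrics computed from a small constructed ticket export, as an added example that is not part of the original post: Mean Time to Remediation overall and broken down by priority and by remediation team, opened versus closed counts per month with the net change in backlog, and a check of which open tickets have outrun their SLA. The ticket records and the SLA targets are invented.

```python
"""Compute Mean Time to Remediation and opened-vs-closed counts from an
issue-tracker export. Added example; the ticket records are constructed."""
from collections import defaultdict
from datetime import date

# Constructed sample export (ISO dates; "closed" is None for open tickets).
TICKETS = [
    {"id": "SEC-1", "priority": "P1", "team": "platform", "opened": "2024-06-03", "closed": "2024-06-05"},
    {"id": "SEC-2", "priority": "P1", "team": "platform", "opened": "2024-06-10", "closed": "2024-06-16"},
    {"id": "SEC-3", "priority": "P2", "team": "appdev",   "opened": "2024-06-12", "closed": "2024-07-02"},
    {"id": "SEC-4", "priority": "P2", "team": "appdev",   "opened": "2024-07-01", "closed": None},
    {"id": "SEC-5", "priority": "P3", "team": "platform", "opened": "2024-07-08", "closed": "2024-07-18"},
    {"id": "SEC-6", "priority": "P1", "team": "appdev",   "opened": "2024-07-15", "closed": "2024-07-16"},
]

# Constructed SLA targets in days per priority band.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


def _as_date(value):
    return date.fromisoformat(value) if value else None


def mttr_days(tickets, key=None):
    """Average days from opened to closed over closed tickets.

    With key=None returns a single float; with key="priority" or key="team"
    returns a dict of averages per group, which is what lets leaders see
    which teams are excelling and which need attention."""
    buckets = defaultdict(list)
    for t in tickets:
        if not t["closed"]:
            continue  # open tickets have no remediation time yet
        days = (_as_date(t["closed"]) - _as_date(t["opened"])).days
        buckets[t[key] if key else "all"].append(days)
    result = {k: round(sum(v) / len(v), 2) for k, v in buckets.items()}
    return result.get("all", 0.0) if key is None else result


def opened_vs_closed(tickets):
    """Per calendar month (YYYY-MM): tickets opened, tickets closed, and the
    net change in backlog (positive means the backlog grew)."""
    counts = defaultdict(lambda: {"opened": 0, "closed": 0})
    for t in tickets:
        counts[t["opened"][:7]]["opened"] += 1
        if t["closed"]:
            counts[t["closed"][:7]]["closed"] += 1
    for month in counts.values():
        month["net"] = month["opened"] - month["closed"]
    return dict(sorted(counts.items()))


def sla_breaches(tickets, as_of):
    """Open tickets whose age on `as_of` exceeds the SLA for their priority."""
    breaches = []
    for t in tickets:
        if t["closed"]:
            continue
        age = (as_of - _as_date(t["opened"])).days
        if age > SLA_DAYS[t["priority"]]:
            breaches.append((t["id"], age))
    return breaches


if __name__ == "__main__":
    print("MTTR overall (days):", mttr_days(TICKETS))
    print("MTTR by priority:", mttr_days(TICKETS, "priority"))
    print("MTTR by team:", mttr_days(TICKETS, "team"))
    print("Opened vs closed:", opened_vs_closed(TICKETS))
    print("SLA breaches:", sla_breaches(TICKETS, date(2024, 8, 5)))
```

On this data the overall MTTR hides a real difference between teams (6 days versus 10.5), which is exactly why the post recommends tracking the metric at a granular level; the monthly view shows the backlog growing in June and holding steady in July.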
By establishing a baseline and continuously aligning on metrics, CISOs can focus on organizational performance rather than solely on risk. Risk is a point-in-time metric which can spike due to external events, whereas performance measures an organization’s ability to respond and recover.
These and other metrics enable CISOs to prioritize security needs holistically, measure tool efficacy, and manage and extend their security budget’s effectiveness, all with the goal of becoming a resilient organization that reduces risk over time and materially improves the company’s business success.
Going Forward
As organizations face limited cybersecurity budgets, they must address various challenges and requirements without relying on workforce expansion or increased spending. Rather, cybersecurity efficiency gains can be achieved through business fundamentals. CISOs must manage down, laterally, and up to effectively scale security, improve the security organization's performance, and determine the value of security investments.
Developing and implementing new cybersecurity workflow solutions is necessary, including consolidating and streamlining information, leveraging data science and context for prioritization, automating manual processes, and fostering collaboration across stakeholders. Data-driven decision-making, accompanied by relevant metrics, is essential to measuring progress, optimizing efforts, and achieving results.
About the Authors
Elad Yoran brings over 25 years of cybersecurity expertise, having founded, led and successfully exited several pioneering cyber companies. Elad serves as a Strategic Advisor to the Cloud Security Alliance and Seemplicity, and on various company and government and industry boards such as the Army Cyber Institute and formerly the FBI’s Information Technology Advisory Council. His companies have been acquired by industry giants like Tenable, Cisco, CyberArk, Forcepoint, McAfee, RSA, SafeNet, and Symantec. He is a former U.S. Army officer, a veteran of Operation Restore Hope in Mogadishu, Somalia, and holds an MBA from the Wharton School of the University of Pennsylvania, as well as a B.S. degree from the United States Military Academy at West Point.
Patricia Schouker is the founder of Energy Bridge Global and a subject matter expert in energy and security based in Washington D.C. She leads business and strategy at PolySwarm and previously served as a Policy Officer at the European Commission, focusing on US-EU energy relations and cybersecurity. Patricia is an active member of Future Congress, advocating for integrating scientific and technological knowledge into the U.S. legislative process. She is a fellow at Oxford University and The Payne Institute at Colorado School of Mines. Patricia earned her degrees in Political Science and Economics in London and a Master’s in Strategic Intelligence Studies in Washington D.C. Connect with her on X: @Patricia_Energy.