How to Translate High-Level Risk into Daily Operations

July 25, 2024
Shay Haluba - CTO & Co-Founder, SeeMetrics
Security organizations invest substantial effort into developing comprehensive risk assessments that cover threats, compliance with frameworks, and the adoption of organizational policies. These assessments form the basis of the organization’s strategic plan for the year, outlining the priorities for addressing key risks and threats in the twelve months ahead. This annual assessment is often produced with the assistance of consultancy firms.

However, monitoring and reporting on the progress of this plan comes with several challenges. CISOs and GRC teams must govern and monitor its execution to ensure it aligns with identified risks. At the same time, SMEs and other practitioners need clear, ongoing direction. It can be highly time-consuming to gather input from numerous teams and data sources and to ensure that their activities align with the overall goal. In today's dynamic cybersecurity environment, with many moving pieces, these teams often struggle with outdated priorities and waste time on static spreadsheets.

Alignment among different stakeholders, vertically and horizontally, is crucial for all efforts to have a tangible impact. This is where a unified workflow comes into play.

Key Solutions to Achieve a Unified Workflow

Connecting Siloed Tools and Dashboards

When the tools and dashboards used by different teams are siloed, each tool provides only a partial view, causing individual teams to miss the strategic big-picture risk context. The solution lies in connecting individual workflows to the broader organizational picture and continually aligning policies. Ensuring all measurements stem from a single, uninterrupted source of data across all tools and systems guarantees that all teams within the security organization are aligned and relying on the same data, albeit from different perspectives.

More streamlined context-based prioritization

Let’s say a security leader wants to prioritize their organization’s long list of vulnerabilities based on what is critical to the business.
To do so, here’s what the workflow would look like:

  1. Get open vulnerability data from a vulnerability scanner such as Wiz or Tenable.
  2. Integrate organizational context from a configuration management database (CMDB) to identify who owns the AWS accounts, which business units are related, which assets are internet-facing, which applications are the most critical, etc.
  3. Correlate vulnerable assets with EDR coverage data from a tool such as CrowdStrike to know which assets are not covered or have been compromised.

When all the data from the stack is unified and the security leader can filter by business context (which business unit, which assets, which environment), they can drill down into the context that matters and apply their own judgment to prioritize vulnerabilities, instead of the old way of manually collecting input and comparing it.
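The three-step join described above, as an added example that is not part of the original post: scanner findings, CMDB context and EDR coverage are correlated per asset, filtered by business unit, and ranked. All datasets are constructed, the asset names and finding IDs are placeholders, and the scoring weights are assumptions a team would tune to its own context.

```python
# Constructed sample exports standing in for a scanner, a CMDB and an EDR console.
SCANNER_FINDINGS = [  # hypothetical vulnerability scanner export
    {"asset": "web-01", "id": "FINDING-A", "cvss": 9.8},
    {"asset": "web-01", "id": "FINDING-B", "cvss": 5.3},
    {"asset": "db-01", "id": "FINDING-C", "cvss": 7.5},
    {"asset": "lab-07", "id": "FINDING-D", "cvss": 9.1},
]
CMDB = {  # hypothetical CMDB records: owner, business unit, exposure, criticality
    "web-01": {"owner": "payments", "unit": "Retail", "internet_facing": True, "critical": True},
    "db-01": {"owner": "payments", "unit": "Retail", "internet_facing": False, "critical": True},
    "lab-07": {"owner": "research", "unit": "R&D", "internet_facing": False, "critical": False},
}
EDR = {  # hypothetical EDR coverage export: asset -> agent status
    "web-01": "covered",
    "db-01": "not_installed",
    # lab-07 is absent from the EDR export and is therefore treated as uncovered
}


def prioritize(findings, cmdb, edr, unit=None):
    """Join the three sources per asset and rank findings by business context.

    Assumed scoring: CVSS as the base, doubled for internet-facing assets,
    +3 for business-critical applications, +2 when the asset has no EDR
    coverage (no compensating detection). `unit` filters by business unit.
    """
    rows = []
    for finding in findings:
        ctx = cmdb.get(finding["asset"], {})
        if unit and ctx.get("unit") != unit:
            continue
        edr_status = edr.get(finding["asset"], "missing")
        score = finding["cvss"]
        if ctx.get("internet_facing"):
            score *= 2
        if ctx.get("critical"):
            score += 3
        if edr_status != "covered":
            score += 2
        rows.append({**finding, **ctx, "edr": edr_status, "score": round(score, 1)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(SCANNER_FINDINGS, CMDB, EDR, unit="Retail"):
        print(row["score"], row["asset"], row["id"], row["owner"], row["edr"])
```

Running it shows the same 9.1 finding on the uncovered lab host ranking below a 5.3 finding on an internet-facing critical asset, which is the kind of context a scanner alone cannot supply.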

Ready-to-use and reusable metrics

Establishing consistent metrics and measurements is crucial for gauging performance against set KPIs. With a common metrics framework and a universal metrics language, different teams track, interpret, and report risk reduction in the same way. They have a shared understanding of priorities and expectations, enabling them to be consistent across tasks and time.

Let’s assume the company policy mandates MFA for all admins.

This necessitates clear definitions, e.g., what constitutes an admin, which MFA factors are approved, and what level of enforcement is considered successful.

This is for one policy — imagine the complexity of having to do this for each and every policy. A unified metrics language facilitates this process and helps the security team operationalize all policies without having to invest huge resources to answer these questions.
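The "MFA for all admins" policy above, turned into a reusable metric template, as an added example that is not part of the original post. The template makes the three open questions explicit (who is an admin, which factors are approved, what enforcement level counts as success); the identity inventory, role names and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed identity inventory (hypothetical IdP export), not real data.
USERS = [
    {"user": "alice", "roles": ["admin"], "factors": ["fido2"]},
    {"user": "bob", "roles": ["admin"], "factors": ["sms"]},
    {"user": "carol", "roles": ["owner"], "factors": []},
    {"user": "dave", "roles": ["dev"], "factors": []},
    {"user": "erin", "roles": ["billing-admin"], "factors": ["totp", "sms"]},
]


@dataclass
class PolicyMetric:
    """Reusable template: who is in scope, what counts as compliant, what bar means success."""
    name: str
    in_scope: Callable[[dict], bool]
    compliant: Callable[[dict], bool]
    target: float  # required compliant share of the in-scope population, 0.0 to 1.0

    def evaluate(self, population):
        scoped = [p for p in population if self.in_scope(p)]
        failing = [p["user"] for p in scoped if not self.compliant(p)]
        # An empty scope is vacuously compliant rather than a division by zero.
        coverage = 1.0 if not scoped else (len(scoped) - len(failing)) / len(scoped)
        return {"metric": self.name, "in_scope": len(scoped), "coverage": round(coverage, 2),
                "passed": coverage >= self.target, "non_compliant": failing}


# The three definitions the policy leaves open, written down once and reused.
ADMIN_ROLES = {"admin", "owner", "billing-admin"}  # what constitutes an admin (assumed)
APPROVED_FACTORS = {"fido2", "totp", "push"}        # SMS deliberately not approved (assumed)
ENFORCEMENT_TARGET = 1.0                            # success = every admin enrolled (assumed)

mfa_for_admins = PolicyMetric(
    name="mfa_for_admins",
    in_scope=lambda u: bool(ADMIN_ROLES & set(u["roles"])),
    compliant=lambda u: bool(APPROVED_FACTORS & set(u["factors"])),
    target=ENFORCEMENT_TARGET,
)

if __name__ == "__main__":
    print(mfa_for_admins.evaluate(USERS))
```

Changing the policy (say, approving SMS, or lowering the target while enrollment is rolled out) is an edit to the three definitions, not to the measurement code.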

Translating high-level risk to low-level metrics

Managing risk poses a challenge for management because of the gap between high-level risk statements and detailed operational metrics. While risks indicate potential costs to the company, metrics focus on compliance with policies and specific outcomes. This disparity can result in a disconnect, making it difficult to align strategic decisions with actual risk exposure.

For example, we know that most organizations are breached through third-party vulnerabilities. CISOs and executives will likely prioritize monitoring these third parties and define policies for oversight.

However, translating these priorities into metrics would entail measuring aspects such as: how many open vulnerabilities does each vendor have? What is the SLA for each vendor? How often should vendor assessments be conducted? What goals need to be set and how should vendor postures be reviewed? What is the external scanning cadence for third-party providers?

To translate high-level strategic priorities into actionable, operational metrics for day-to-day operations, leaders and teams need a synchronized, organized, and continuous view of the answers. An automated metrics program is the way to achieve this. With this approach, metrics are automatically organized per policy as a template that can be customized, with metrics added or removed to fit the organization’s context. The bottom line is that the security team can start operationalizing the policy as a process rather than wasting time defining which metrics matter.

Connecting the Dots for a Multiplier Effect

Using a cybersecurity data fabric with an automated metrics layer will help unify strategic risk assessment and day-to-day priorities into an effective and cohesive workstream, driving effective governance, timely decision-making, and a unified approach to risk management.
