Two-pronged approach

by Mark Rowe

A two-pronged approach can help tackle pain points and bolster security posture in cyber, says Mark Ashworth, Information Security Lead at the cyber firm Panaseer.

Security teams are becoming overwhelmed and burnt out. They’re faced with more frequent and targeted cyberattacks, a global cyber skills shortage of 3.5m open positions, increased scrutiny from regulators, and data overload.

It’s clear that something needs to change. Outdated, siloed ways of working cannot effectively protect enterprises, nor combat the growing frustrations of cybersecurity teams and the challenge of staff churn. Recent research has revealed the scale of the problem. Panaseer found that a lack of visibility and understanding of security posture is the leading cause of security leader frustrations, while ineffective tools and complex data have a greater influence on resignations than salaries.

Security leaders need to find new ways to bolster their organisations’ security posture, improve their teams’ wellbeing and retain staff. Transparency and knowledge sharing have key roles to play in this.

Transparency from the inside out

For nine out of ten security leaders, security control failures are the number one reason for data breaches. Considering almost all (98pc) breaches can be prevented by properly implementing basic cyber hygiene, but still occur due to gaps in controls, it comes as no surprise that security teams are frustrated. Indeed, 70pc of cybersecurity leaders say their top frustration is the inability to continuously measure enterprise-wide security posture and identify control failures.

To solve this industry-wide pain point, achieving transparency across all assets and gaining a ‘single source of truth’ is crucial. It’s the difference between expecting a control to be working effectively and knowing that it is. But more tools aren’t the answer. In fact, adding to the security stack only serves to increase complexity for overwhelmed security professionals, and that runs counter to security best practice: every extra tool adds risk and complicates existing security practices.

Organisations ultimately already have all the tools they need to protect against the majority of cyberattacks. It is therefore a case of optimising existing tools, improving security posture and gaining the visibility needed to ensure they are deployed and working effectively.

Solutions that aggregate and correlate data from security, IT and business tools to provide a unified view of assets and security controls coverage, such as Continuous Controls Monitoring, are key to achieving this improved security posture management. By establishing transparency from the inside out, security teams can identify where there may be gaps and eradicate control failures.
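As an illustration of the aggregate-and-correlate idea described above (added here; not Panaseer's code or product logic), the following Python reconciles constructed exports from a CMDB, an EDR console and a vulnerability scanner, and reports each asset the CMDB says should exist but for which a control is missing or stale. The tool names, field names and the 30-day scan-age threshold are assumptions.

```python
# Constructed sample exports from three tools (not real data). Each tool
# names the same hosts differently, which is why correlation on a common
# asset key is needed before control coverage can be measured.
CMDB = [  # authoritative asset inventory: the "should exist" view
    {"hostname": "WEB-01.corp.example", "owner": "platform"},
    {"hostname": "web-02.corp.example", "owner": "platform"},
    {"hostname": "db-01.corp.example", "owner": "data"},
    {"hostname": "hr-laptop-7", "owner": "hr"},
]
EDR = [  # endpoint agent console: which hosts report a healthy agent
    {"host": "web-01", "agent_healthy": True},
    {"host": "web-02", "agent_healthy": False},
    {"host": "db-01", "agent_healthy": True},
    {"host": "build-runner-3", "agent_healthy": True},  # unknown to the CMDB
]
VULN_SCANNER = [  # last completed authenticated scan per target
    {"target": "WEB-01.corp.example", "last_scan_days": 3},
    {"target": "db-01.corp.example", "last_scan_days": 41},
]

def normalise(name: str) -> str:
    """Reduce a hostname to a common key: lower case, domain suffix dropped."""
    return name.lower().split(".")[0]

def control_coverage(cmdb, edr, scans, max_scan_age_days=30):
    """Correlate tool data on the asset key and report per-control gaps.
    Returns (gaps, metrics): gaps maps asset -> failed controls; metrics
    gives coverage ratios and hosts seen by tools but absent from the CMDB."""
    inventory = {normalise(a["hostname"]): a for a in cmdb}
    healthy_agents = {normalise(e["host"]) for e in edr if e["agent_healthy"]}
    fresh_scans = {normalise(s["target"]) for s in scans
                   if s["last_scan_days"] <= max_scan_age_days}
    gaps = {}
    for key in inventory:
        failed = []
        if key not in healthy_agents:
            failed.append("edr_agent")   # no agent, or agent unhealthy
        if key not in fresh_scans:
            failed.append("vuln_scan")   # never scanned, or scan too old
        if failed:
            gaps[key] = failed
    total = len(inventory)
    metrics = {
        "edr_coverage": len(healthy_agents & inventory.keys()) / total,
        "vuln_scan_coverage": len(fresh_scans & inventory.keys()) / total,
        "shadow_assets": sorted({normalise(e["host"]) for e in edr} - inventory.keys()),
    }
    return gaps, metrics
```

Run against the constructed data it flags web-02 (unhealthy agent, never scanned), db-01 (scan older than 30 days) and hr-laptop-7 (no agent, never scanned), and surfaces build-runner-3 as a host the EDR knows about but the inventory does not.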

Knowing what to measure

It’s important to not fall into the trap of being entirely inward-looking when it comes to cybersecurity. Indeed, it’s also critical to understand what peers and other security leaders in your industry are doing.

Knowing what to measure is a significant frustration for security leaders. According to the recent Panaseer report, 47pc simply don’t know the right security metrics to monitor and over 50pc don’t have the resources to help them do it. While broad cybersecurity frameworks, such as NIST, provide basic guidance for organisations, they don’t explain how these can be applied. It’s important security teams go beyond this guidance and develop their own metrics, measures and standards to realise where further improvements can be made.

By sharing knowledge and best practice, security professionals are better positioned to know exactly what they should be measuring and can consequently design their cybersecurity strategies with the standards and objectives best suited to their business, industry and risk appetite. Considering that reliable security controls guidance is only just starting to emerge, knowledge-sharing forums are an excellent way to have transparent, open conversations and help security professionals learn from the experience of others. Enterprises are also increasingly looking to security partners and trusted third parties to support this endeavour and bolster their security posture management.

Looking ahead

As we enter 2023, it’s inevitable that we’ll continue to see breaches that could have been prevented. To bolster security posture and overcome security professionals’ frustrations, nurturing greater transparency and achieving holistic visibility is key. This is vital both within an organisation, to identify gaps in security controls and reduce security team workloads, and across the industry, to improve security leaders’ confidence through transparent discussions with peers.

© 2024 Professional Security Magazine. All rights reserved.