• Stephen Main



The evolution of control assurance

When I first started out in information security some 25 years ago, enterprises were just starting to wake up to the need to assess the adequacy of their security arrangements using a structured approach. The question we asked was ‘are we good or bad at implementing best practice, or somewhere in between?’. To find out, we would spend months developing detailed questionnaires (comprising hundreds of questions about specific information security activities / controls) that would then take weeks to complete - usually in a workshop setting, with plenty of disagreement along the way.

The aim was to understand where we might have significant deficiencies in our control arrangements. We would aim to repeat the exercise every two years. It was static (it aged fast), subjective, costly and, perhaps most importantly, rarely reflected the organisation’s true risk profile.

Since then, information security assurance and audit have matured in terms of business backing and scope (supply chain assurance draws on the same fundamental concepts, for example), budget, people resources and mechanisms. Similarly, formal security accreditation has evolved in the form of certifications such as ISO 27001. But the same underlying issues remain. Control assurance in cyber security is still largely based on point-in-time assessments that are manual, expensive, invasive to the business, and difficult to orchestrate and consolidate. Ultimately, many organisations still ‘go through the motions’ to assess the state of their security controls ‘on the ground’ because they know they should do it as a matter of good practice. Yet they are ill-prepared to draw meaningful conclusions that truly improve management decision-making.

Even where control assessments are conducted efficiently and the results consolidated well, there is still usually a disconnect between the outputs of this activity and the organisation’s cyber risk management approach. And therein lies another challenge…

The increasing need to apply risk-based principles

The cyber risk dimension is becoming increasingly important. It is now commonly accepted that reliance on a ‘tick box’, compliance-based approach to cyber security is no longer viable. Organisations are just too complex in terms of information structures, technical architectures and wider business relationships to enable everything to be secured to exactly the same standard, all of the time.

Set this against the backdrop of increasingly stretched budgets and an accelerated cyber threat landscape, and the need to target resources where they are most needed becomes acute. This is why an effective risk-based approach to cyber security is vital to the modern enterprise. Unless cyber security investment is aligned with the need to protect business-critical information assets against the cyber threats that are most likely to compromise them, cyber initiatives are likely to amount to little more than throwing a lot of mud at the wall and hoping that some of it will stick. Many mature organisations now apply risk-based principles (such as cyber risk assessment) to determine the business importance of information assets, and then identify protection measures (controls) in line with the risk profile of those assets. At the same time, they’ll implement compliance programs to make sure they’re staying on top of their cyber obligations to stakeholders and regulators. Harmonising these approaches and then operationalising them so that they are consistent, effective and efficient is the difficult part!

The role of ICAS

This is where ICAS (Information and Cyber Assurance Suite) comes in. ICAS delivers continuous, automated controls assurance in a way that equips you to make good decisions, fast. Additionally, because ICAS incorporates CRMG’s comprehensive Threat / Control Matrix, it indicates the extent to which your information assets are likely to be exposed to a range of specific cyber threats – improving situational awareness when it comes to your cyber risk profile.

ICAS is effective in a range of scenarios, as it can be deployed to:

• Deliver assurance to management that the business’ most critical information assets are secured to an acceptable degree, all of the time

• Fast-track cyber risk assessment activity by delivering reliable information about current vulnerabilities (control weaknesses) in technical infrastructure

• Provide an indicator of likely cyber threat exposure as a result of current control status

• Feed the business’ GRC platform with reliable information about current cyber security status, helping to prevent ‘garbage in / garbage out’ syndrome

• Monitor the extent to which the organisation remains compliant on a day-to-day basis with recognised standards such as ISO 27001

• Leverage OSINT capability to deliver continuous controls monitoring to enhance supplier and third-party assurance programs (both outward and inward looking)

• Support formal audit activity by maintaining a blockchain-secured repository of evidence

• Demonstrate that specialist security products are configured to their full potential.

In short, ICAS removes many of the headaches and costs associated with manual (often fragmented) cyber security control assurance and compliance activity, whilst delivering insights that will genuinely make a difference in delivering effective, risk-based cyber protection for the long haul.

Simon Rycroft, CRMG

Cyber Risk Management Group (CRMG) is a leading provider of cyber security and information risk services and tools.


Caveris Blog