Since the advent of my career in IT, management has been striving for a “Single Pane Of Glass” to view how their IT environment is being managed. A capability where management and business stakeholders can see at a glance how their environment is performing and, if they choose, drill down to understand what things need addressing, why things are not working as intended, what is being done to address this, who is responsible, etc., etc.
Given the heightened importance of information and cyber security and its ability to impact business performance I would argue very strongly that providing a “Single Pane Of Glass” is fundamental so that senior executives within and outside of IT can understand the Information Security Posture of their organisation and be able to make informed decisions, based upon business-level visibility.
As we have discussed in previous blogs, Security Management is an ongoing process that evolves and changes over time in line with the ever-changing threat model. Security does not end by installing a Firewall or an Intrusion Detection System. In fact, it is debatable that technology alone actually delivers any protection at all if not actively backed up by effective security process.
The Information Security Posture of an organisation can be considered to be the security status of an enterprise’s networks, information, and systems based on Information Assurance resources (e.g., people, hardware, software, policies & processes) and capabilities in place to manage the defence of the enterprise and to react as the situation changes. Or, in other words a measure of how well an organisation can protect their information assets and how well they can react to anomalies & incidents.
The presentation of an organisation’s Information Security Posture in a “Single Pane Of Glass” is therefore a compelling capability in enforcing security across the business. However, as outlined above any representation of an organisation’s Information Security Posture must include a combination of indicators related to people, process & technology if it is to be truly representative. The presentation of technology metrics alone, without consideration of the people and processes involved in the activities performed to deliver that capability are inherently unrepresentative. Similarly the presentation of people & process metrics without the empirical data collected from technology infrastructure and business process output to substantiate compliance is also unrepresentative.
It is very clear to me, from talking with CISO’s over the last few years and my prior experience working as a security officer, that many organisations do not manage their risks well due to the fact that the information provided to senior managers and the Board is not meaningful (typically too little or too much) and does not provide a basis for action. Summarising and presenting information to senior management that is meaningful and facilitates reliably informed decisions is a critical capability that is currently missing.
I shall be discussing in subsequent posts how Caveris is tackling these challenges, so we can deliver to our customers dashboards that provide actionable information that can be used to make the informed decisions that are so important in delivering an effective information security program.