No one wants to be caught off guard by a cyber attack. But simply buying and deploying the latest cyber security products and services is no guarantee of success. Minimizing the risk of a breach requires you to periodically assess the effectiveness of your security program so that you know your organization remains sufficiently protected. Here is a look at three classes of cyber security assessment tools in use today and what each has to offer for your business.
Tool Class 1: Checklists
Simple tools like checklists are very common in the field of governance, risk management and compliance, as well as in cyber insurance. Checklists are simple to implement and may only consist of a piece of paper or a spreadsheet that poses questions about your organization’s cyber security technologies and policies. Such a list might also enumerate a series of actions for you to complete that may help reduce your risk of an attack or breach.
While simple to initiate, checklists falter in that they are both constrained by a preset number of questions and require a great deal of manual effort to complete and maintain. In addition, checklists can suffer from subjectivity when answers depend heavily on who is answering the questions at any given moment.
Nonetheless, checklists do have their purpose in getting a broad overview of your organization’s situation and helping you meet compliance requirements. These tools can help you find answers to questions that had not already crossed your mind, such as whether you have staff and executives dedicated to cyber security or what your service-level agreements with your providers look like.
Tool Class 2: Security Analytics
The next level of cyber security assessment consists of tools for security analytics — perhaps more accurately called security statistics. These tools can track and report a wide variety of data about the security of your IT environment: how many vulnerabilities were detected in the last month, how many systems were patched, how many firewall hits occurred or how many times a wrong password was entered.
Although this information may seem useful on its own, it is divorced from any greater business context. For example, an unusually high number of incorrect passwords entered for a particular month might be due to the fact that a large number of employees had to create a new password that month. In addition, these security analytics tools often present only a single snapshot in time, without any time-series or temporal elements. Without the surrounding information, users are left in the dark about whether a rise or fall in any given statistic is due to their own actions, organizational policies, a technical misconfiguration or some other cause such as an attack.
An additional caution with security analytics tools is that interpreting these figures can be a highly subjective process. Statisticians will be the first to tell you that you can create any number of narratives simply by manipulating the same data in different ways. Maintaining a consistent process across analysts is critical for reliable results. In deploying security analytics tools, the onus remains on the enterprise to staff knowledgeable analysts who can interpret the results with a high level of fidelity.
Despite these limitations, security analytics tools do have a place in an organization’s cyber security posture. Statistics provide some crucial perspective by helping you understand the scope and impact of the things that happen within your network. Awareness of your environment will help prioritize and direct your daily operations.
Tool Class 3: Business Intelligence
Finally, we come to the most advanced stage of cyber security assessment tools: those that make use of business intelligence (BI). Unlike the other two tool classes, BI platforms apply a consistent model or framework through which data points are viewed and interpreted. These products often use artificial intelligence and machine learning techniques to take in data, make decisions, receive feedback and adjust their behavior accordingly so that they can make better, wiser decisions over time.
Of course, there is a downside to applying BI: the difficulty involved in reaching this stage in the first place. The information security field still lacks a common standard that describes exactly which metrics are important for an organization to measure. As such, choosing a framework can be a politically fraught process filled with disagreements and tug-of-war games. Once the negotiations have concluded, however, most organizations find that the value supplied by BI platforms was well worth the effort.
Previously, we mentioned that security analytics tools are often limited because the figures they report lack context. As a metaphor, consider the project of building a house. With the plans before you, a particular wall may be 12 units long. But without the scale, a common method for measuring, the number of units is meaningless: it could be meters, yards, feet, furlongs or something else entirely. The scale, defining the model upon which the plans are built, allows everyone to move forward with the project and verify the outcomes. This common understanding is exactly what BI platforms are able to provide.
Although it seems likely that business intelligence tools are the way of the future, it is equally true that each of these tool classes has its own time and place, depending on the organization. It is also important to note that BI tools are an equally plausible alternative, if not a preferable one, to checklists and security analytics tools. Any organization, from a small business to a massive corporation, can use BI as part of its cyber security strategy.