Some time ago, I wrote a blog about metrics and KPIs, and
how nobody really likes to be judged by them, no matter what the industry
is. Well, the same can be said about Cybersecurity as well. Probably the two most important ones are:
- The Mean Time to Detect (MTTD): This reflects how long it takes an IT Security team to detect a threat variant.
- The Mean Time to Respond (MTTR): This reflects how long it takes for the IT Security team to respond to a security breach, if one is occurring.
But one thing I failed to mention in that blog post is that
metrics are also key in these following documents:
- Incident Response: This is the plan that details how an IT Security team should respond to an incident.
- Disaster Recovery: This is the plan that provides not just how the IT Security team, but the entire company, should proceed to restore mission critical processes and functions.
- Business Continuity: This is the plan that provides guidance as to how the company should restore back to a state of normalcy, at least the same or better than what they were before.
For the purposes of this blog, we will just focus on
Incident Response. In today’s times, and
especially with the advent of Generative AI, simply creating a document and
booking it back on the shelf will no longer suffice. Rather, a much more comprehensive approach needs
to be taken, and this is technically referred to as the “Cyber Incident Response
Program”, also known as the “CSIRP” for short.
It is a policy that maps out the following:
- Responsibilities of all the team members.
- The expected outcomes.
- How to confirm that all the Incident Response objectives have been met, and better yet, exceeded.
One of the key benefits of taking this holistic type of
approach is that all employees will be able to understand the ramifications and
gravity of just how seriously Incident Response should be taken. This is particularly true for the C-Suite, whose main vision of the company is unfortunately
driven by just pure numbers.
By having this kind of grasp of it, it is hoped that
they will also see just how seriously Cybersecurity should be taken, and that
they should get away from the thinking that “if it hasn’t happened to us, then
it probably never will”. In this regard,
it is also important for the CISO to create this kind of policy keeping the
various Cyber priorities in mind.
Meaning, a one-size-fits-all document will no longer work. Rather, documentation needs to be created for
each kind of threat that can exist. For
example, there should be one dealing with Ransomware, one for countering a Phishing
attack, etc. True, this is a tall order,
but here are several ways in which this can be broken down:
1) Take the whole view:
Do not restrict yourself and
your IT Security team to just the well-known and established metrics and
KPIs. Rather, try to buck this trend by first
taking a critical look at all the data that you have collected about any
security breaches that may have hit your business. From there, look for any hidden trends that you
can create a new metric out of, and try to apply that for the future. Some key areas that should be examined
include:
- Efficiencies.
- Any gaps, weaknesses, or vulnerabilities that went undetected which resulted in that particular security breach occurring.
- The resources you need. Trying to put this in either quantitative or qualitative terms will go a long way when approaching the other members of the C-Suite when it comes time to ask for funding your Cyber-based initiatives.
2) Usefulness:
After you have defined your
new metrics and KPIs for the CSIRP, it
is important at some later point in time for both you and your IT Security team
to take stock of them and evaluate each one of them, and determine how they can
be improved going forward. A
good one to look at here is vulnerability detection. Are you not only fast enough to find them,
but also to remediate them? If the number
is lower than you want it to be, then you know that metric needs to be refined to
get you where you want to be. But keep in mind that refining simply does not mean
changing the metric around. Rather, all
the variables that go into it need to be very carefully looked at, which is a direct
function of what your IT Security team needs to be doing.
3) Proactiveness:
It is important to keep in
mind that you should not let your newly created metrics and KPIs for the CSIRP go
stale. Rather, you also need to be proactive
about them and determine which ones should be retired and if any other new ones
must be created. Remember, the Cyber Threat
Landscape is always changing, and the
metrics and KPIs that you initially produced need to reflect that. In other words, it is an evolving process,
and it should never be viewed as merely a static one.
4) Communications:
You and your IT Security
team need to get away from living in the world of silos. Whatever you do in the CSIRP will impact everybody
else in your company, and this CSIRP and the benefits that it brings to the table
need to be clearly and effectively communicated, in a transparent way.
My Thoughts on This:
One of the other primary benefits of creating and implementing
a CSIRP is that this will help you immensely to come into compliance with the many
data privacy laws that abound today, such as the GDPR and the CCPA. But even more importantly, this will help to
mitigate the chances of any audits being made by regulators and facing severe
financial penalties.