From the comparative to the superlative: developing cybersecurity excellence with CCM

Every business now knows that effective cybersecurity is essential. But what is ‘effective’ cybersecurity? What does ‘good’ actually look like? Or, indeed, the best?

The answer is daunting for many business and technology leaders. It is no longer a simple case of ensuring everyone changes passwords every six months. Modern cybersecurity is an ongoing discipline that spans three levels – the strategic, the technological, and the commercial.

Strategically, excellent cybersecurity must provide continuous monitoring rather than periodic audits, with pre-defined security controls. These must span the digital and non-digital aspects of the business and account for legacy investments.

The reason for this all-encompassing visibility is that to be properly compliant, or to have confidence in its cybersecurity profile, a business must be able to feed any and all data into any framework and any control. Anything less creates blind spots.

Technologically, cybersecurity excellence demands automation, because these controls must be monitored 24/7/365 without human intervention. They must be open, so that any data source can be integrated, and then measure the technology and performance of a business against any framework.

Commercially, this interplay of controls, data sources and frameworks must happen without disruption to the business. In many cases, cybersecurity excellence is synonymous with its being delivered as a managed service.

Enter Continuous Control Monitoring

Pulling together these three aspects into a cohesive proposition that can drive businesses forward has led to the development of continuous controls monitoring (CCM).

As a strategic choice, CCM seeks to reduce business losses and then improve processes through continuous monitoring of financial and other transactional applications. It is founded on making all assets visible. It then uses that information to integrate cyber and compliance teams and processes.

This drives risk down. In a world where compliance teams must adhere to even more regulations, which are ever more complex, the risk is increasing exponentially. It is no longer acceptable for “good” security to be manual.

That mission statement puts CCM at the heart of cybersecurity. That’s because the business can apply CCM to its cybersecurity technologies and quickly, automatically assess whether they are doing what they should, and how they should.

Technologically, there are choices as to how this can be achieved. The Quod Orbis platform was purpose-built for CCM in Go (sometimes called Golang). It is a powerful statically typed, compiled, high‑level programming language designed at Google. Go is syntactically similar to C and comes with memory safety, structural typing, and CSP‑style concurrency.

The result is low-code/no-code ease and simplicity, with data connections specified by dragging and dropping blocks on a screen. Those blocks can be anything that can be defined in the language of metrics or controls—key performance indicators, key risk indicators, or data sources specified by frameworks such as NIST, ISO, or PCI.

The ‘universal language’ of metrics means it is possible to develop a universal connection – regardless of what actually does the measuring.

It creates extremely rapid onboarding between any source, framework, and platform.

Businesses should be able to consume this “as a service”

Commercially, all this needs to be delivered and consumed as a service. Businesses should not have to invest in these capabilities themselves. Finding someone with the necessary skill set to understand how your business functions against a dynamic landscape of regulations and threats will be a long and expensive process.

Business leaders just need to pull the reports, know that the security-related information they are seeing is accurate, and use this up-to-date data for higher-value tasks. This rests on confidence that their controls ensure compliance, even as regulations and frameworks evolve. These leaders want proactive eyes on developing threats or changes, backed by experience, so “as a service” makes commercial sense.

Seeing this in action: proof of value

Proof-of-value projects, which let customers see a solution working for them and delivering value, are good indicators here. With a wide array of controls to define and data sources to integrate, even a small-scale pilot can take months.

An advanced approach collapses this period to weeks or even days. It is possible to connect to multiple data sources within minutes. Connections to security-monitoring and ITSM tools, patching and role-based access technologies, and even ‘joiners, movers, and leavers’ tools for offboarding management follow within days.

The collation of data and the use of appropriate controls and metrics, as well as dashboards and ‘gauges’ to monitor key risk indicators, should be available quickly. It is all presented in customer-specified formats and sensitivity levels, sometimes even replicating a pre-existing report.

Often, the initial picture revealed is a dense threat map. It highlights users who have not been offboarded, high numbers of vulnerabilities, too many users with global-level systems administrator rights, and unpatched applications and outdated firmware. It is often a moment of sober realisation for many companies as they see the poor state of their compliance posture, the lack of visibility into assets and the subsequent exposure to risk.
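As an added illustration (not Quod Orbis code; the records, thresholds and control names are constructed), here is the loop CCM automates: three controls matching the findings above are re-run against a fresh data pull and rolled up into a key risk indicator.

```python
from collections import namedtuple
from datetime import date, timedelta

# Constructed record shapes for three data sources the article names: an HR
# leavers list, an identity-provider account export and patch dates. Not real data.
Account = namedtuple("Account", "user enabled global_admin", defaults=[False])
Snapshot = namedtuple("Snapshot", "today leavers accounts last_patched")

# Each control is re-run against every fresh snapshot and returns the
# subjects in breach; automating that loop is what CCM does.
def offboarding_complete(s):
    """Leavers who still hold an enabled account."""
    enabled = {a.user for a in s.accounts if a.enabled}
    return [u for u in s.leavers if u in enabled]

def global_admin_count(s, max_admins=2):
    """More enabled global admins than the tolerated maximum."""
    admins = [a.user for a in s.accounts if a.enabled and a.global_admin]
    return admins if len(admins) > max_admins else []

def patch_currency(s, max_age=timedelta(days=30)):
    """Hosts whose last patch is older than the allowed window."""
    return [h for h, d in s.last_patched.items() if s.today - d > max_age]

CONTROLS = {
    "offboarding-complete": offboarding_complete,
    "global-admin-count": global_admin_count,
    "patch-currency": patch_currency,
}

def evaluate(snapshot, controls=CONTROLS):
    """Return {control: [subjects]} for breached controls plus a key risk
    indicator (KRI): the fraction of controls in breach (0.0 = all green)."""
    breaches = {name: f for name, c in controls.items() if (f := c(snapshot))}
    return breaches, len(breaches) / len(controls)

def sample_snapshot():
    """Constructed sample pull: 'bob' has left but is still enabled and admin;
    'db01' has not been patched for three months."""
    return Snapshot(
        today=date(2024, 6, 1),
        leavers=["bob", "carol"],
        accounts=[Account("alice", True, True), Account("bob", True, True),
                  Account("carol", False), Account("dave", True, True)],
        last_patched={"web01": date(2024, 5, 28), "db01": date(2024, 3, 1)},
    )

if __name__ == "__main__":
    breaches, kri = evaluate(sample_snapshot())
    print(breaches, f"KRI={kri:.2f}")
```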

This is the point at which the business realises how much work it faces to develop a cybersecurity posture that is not only better, but the best.


Quod Orbis reduces exposure to cyber risk and maximises security performance through automated, highly visible monitoring and auditing of controls. This drives better risk investment decisions at the enterprise level.
