A Practical Guide to Risk-Based Reporting

There’s no question about it: Today’s cybersecurity landscape is evolving faster than ever. From the ongoing migration to the cloud to the widespread shift to remote work, there are a variety of factors causing your enterprise’s attack surface to expand rapidly — exposing you to new and changing cyber risks, while making it increasingly difficult to gain continuous, broad visibility into your critical assets. At the same time, you’re being tasked to meet the shifting expectations of your role with increasingly limited time and resources.

As budgets decrease and teams continue to adapt to our “new normal” operating environment, it’s more important than ever to have a strong strategy in place for assessing, monitoring, and reporting on cyber risk and security program performance over time.

After all, some of the most devastating data breaches in history have occurred when security alerts and warnings were ignored. The Equifax hack could have been avoided if a security technician hadn’t overlooked an email requesting a critical security patch. The SEC did nothing with years of urgent recommendations to encrypt sensitive financial data that would go on to be breached. The Home Depot breach of 56 million payment card numbers was attributed to managers who repeatedly ignored warnings from staff that security wasn’t strict enough. (The managers responded, according to the New York Times, “we sell hammers.”)

And now, cyber attacks are on the rise as malicious actors are taking advantage of the potential flaws in our new operating environment to advance their nefarious objectives. According to a recently conducted study by the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), cybersecurity professionals saw a 63% increase in cyber attacks related to the COVID-19 pandemic.

Effective communication between different levels of a cybersecurity organization — from practitioners to managers to the C-suite and the Board — can mean the difference between secure systems and massive incidents. And reports, far from being a formality or busy work, are the central mechanism of this communication.

By taking a risk-based approach to cybersecurity reporting, you can assess performance based on actual exposure to cyber threats, provide actionable context, highlight the value of your cybersecurity efforts, and ensure you’re getting the most out of your limited time and resources.

In this ebook, we’ll take a look at the importance of cybersecurity reporting — and the techniques, software, and methodologies that are revolutionizing the reporting process at every level of the organization.

An important distinction: When we refer to reports, we’re talking about collections of data and insights compiled by people, not the alerts automatically generated by software tools.

Automatic alerts, though hugely valuable, cannot be substituted for real interpersonal communication. Firstly, there are simply too many alerts to take them all seriously. In a 2018 Imperva survey, 55% of IT professionals reported receiving more than 10,000 threats daily — while 27% noted more than one million.

Secondly, alerts generated by machines are too easy to dismiss without a human to understand them, translate them into non technical language, and use them to advocate for actionable change. In the Imperva survey, 53% of respondents indicated that, amongst all the noise, their organization’s Security Operations Center (SOC) has struggled to pinpoint which security incidents are critical. To make matters more complex, the SOC is stretched more thinly than ever before — with many teams having to tackle additional functions, such as remote support, in our “new normal” operating environment.

In many cases, alerts on their own are insufficient. In order to take the alerts and convert them into actionable reporting, security teams must assess the context and have direction on how to separate the signal from the noise.

The contents of cybersecurity reports are highly variable, and depend on the nature of the report, its creator, and its intended recipient. However there are certain factors that can be used to determine whether any cybersecurity report is effective:

• Does the report convey actionable information in context? • Is the report concise enough that key findings don’t get buried? • Is the language in the report clear enough for a non-technical audience to understand?

• Does the report relate findings back to cyber risk? When organizations lack meaningful internal reporting about cybersecurity, it can typically be attributed to a failure to meet one or more of the criteria listed above.

Reports that provide numbers without insights or context are more likely to be overlooked, especially if the reader doesn’t have the skills or knowledge to draw conclusions from the data. Reports that contain too much information or information that’s too technical can cause frustration, leading readers to wish they had “a handheld translator, the kind they use in Star Trek,” as one top executive put it.

Among these components, the last — does the report relate findings back to cyber risk? — may be the most important. This question forms the basis of a risk-based reporting approach.

Risk-based cybersecurity reporting, as opposed to comprehensive, compliance-based, or incident-based reporting, is the approach best suited to reducing an organization’s actual exposure to cyber threats. Following a risk-based approach to cybersecurity reporting can help individuals and teams at all levels of an organization focus on the most significant issues without falling victim to alert fatigue and ignored warnings.

There are many ways to practice risk-based reporting, but the following recommendations can help your organization get there.

• Place the highest-risk items front and center in the report.

• Assign a “risk score” to key findings or recommendations.

• Put findings in context by comparing metrics to past performance, peers, and competitors.

• Frame risk in business terms to help executives and leaders understand the ramifications of findings.

• Report on critical items frequently, or implement continuous reporting dashboards.

Metrics presented in a vacuum are rarely actionable. What does it mean, for example, that your firewall has stopped 1,500 intrusions this month? Is that a lot, or a little?

A risk-based cybersecurity report delivers findings in context, helping the recipient understand what role a number plays in the overall risk landscape of the organization. This context may include any of the following:

• Past performance: What were these same numbers like last month, or last quarter? Are you improving or getting worse over time?

• Risk concentration: How are different business units and subsidiaries across your organization performing?

• Industry benchmarks: How does your performance compare to your peers and competitors?

• Financial quantification: What’s at stake financially with your current risk posture?

• Cybersecurity frameworks: How do your findings align to cybersecurity frameworks for your industry — such as the NIST Framework for Improving Critical Infrastructure Security, CIS Critical Security Controls, ISO 27001, or PCI DSS?

With the appropriate context, practitioners, managers, executives, and Board members can all make more confident decisions about cybersecurity, assigning the appropriate resources to the projects most likely to reduce risk across the organization.

....more available upon request