Blogs & Opinions 11.01.2024

Three Things CISOs Can Do to Drive Accountability

There are three ways that CISOs can use security data lakes to drive accountability.

Accountability is often in short supply in cybersecurity. Most CISOs lack the information to distribute accountability, but Mario Duarte thinks he has a solution.

When it comes to keeping a business and its data safe, there are some important questions CISOs and security leaders need to ask themselves. How many of the threats flagged by your security vendors turned out to be false positives? Who introduced the most vulnerabilities to the production environment? How long will it take for remediation teams to roll out critical patches, and how does this vary across different clouds?

Answers to these questions provide valuable insights for security leaders to drive accountability, which has been in short supply in the industry. However, the answers are often spread across different systems and tools across an organisation. CISOs cannot hold vendors, teams, and processes accountable without a unified view of what’s happening. Moreover, these disparate tools don’t retain data for long enough to allow security leaders to uncover meaningful patterns and insights.

To tackle these barriers, security leaders can leverage security data lakes to consolidate security data regardless of quantity and variety. First, what’s a security data lake? A data lake is a repository for unstructured and structured data stored in its native format. A security data lake is designed to store log files and other security data.

Security data lakes make it possible to drive real accountability across organisations in two primary ways:

  • Separating storage from compute, so raw security data can be retained at scale, and for much longer, without paying for query capacity that sits idle.
  • Bringing security data into the organisation's general-purpose analytics platform, where it can be joined with non-security context and reported through the same standard tools the rest of the business already uses.

Accountability must be top of mind for any CISO looking to implement security data lakes. Accountability is a useful way to improve an organisation’s overall security posture. Here are three examples of how this can be achieved.

1: Using data to evaluate vendors

Security vendors are often selected and evaluated based on simple criteria, such as whether they support specific data sources and applications. However, with a lack of information, decision-makers cannot correctly evaluate vendors on more pertinent factors, including vulnerability prioritisation accuracy or threat detection performance.

This is where security data lakes come in, allowing decision-makers to identify gaps between what a vendor offers and what the organisation needs. For example, by joining a vendor's alert feed with the ticketing system, the lake can show how many of that vendor's threat alerts analysts closed as false positives, and how many of its vulnerability findings were irrelevant to the environment.

It’s important to remember that one size doesn’t fit all. A security product that works for one business might not meet the needs of another. By measuring performance against key metrics, organisations can work with vendors to improve their tools, or decide that they need a better tool altogether.
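As an added illustration (not code from the original article or from any vendor product), the vendor comparison above can be expressed as a single query over two tables in the lake: the vendor's raw alert feed and the dispositions analysts recorded in the ticketing system. Vendor names, alert IDs and dispositions below are constructed sample data, and an in-memory SQLite database stands in for the lake; the query itself is plain SQL and would run unchanged on a real warehouse.

```python
import sqlite3

# Constructed sample data for this added example: two hypothetical vendors
# ("VendorA", "VendorB") and the dispositions analysts recorded in the
# ticketing system. A real security data lake would load these tables from
# the vendor's alert export and the ticketing system's API instead.
ALERTS = [
    # (alert_id, vendor, finding_type)  finding_type: 'threat' or 'vuln'
    ("a1", "VendorA", "threat"),
    ("a2", "VendorA", "threat"),
    ("a3", "VendorA", "vuln"),
    ("a4", "VendorA", "vuln"),
    ("a9", "VendorA", "threat"),   # no ticket yet: still in the queue
    ("a5", "VendorB", "threat"),
    ("a6", "VendorB", "vuln"),
    ("a7", "VendorB", "vuln"),
    ("a8", "VendorB", "vuln"),
]
TICKETS = [
    # (alert_id, disposition) as closed by the analyst.
    # Threats close as 'true_positive' or 'false_positive'; vulnerability
    # findings close as 'remediated' or 'not_applicable' (package not
    # present, host not exposed, already mitigated).
    ("a1", "true_positive"),
    ("a2", "false_positive"),
    ("a3", "remediated"),
    ("a4", "not_applicable"),
    ("a5", "false_positive"),
    ("a6", "not_applicable"),
    ("a7", "not_applicable"),
    ("a8", "remediated"),
]

VENDOR_QUERY = """
SELECT a.vendor,
       SUM(CASE WHEN a.finding_type = 'threat' AND t.disposition IS NOT NULL THEN 1 ELSE 0 END) AS threats_triaged,
       SUM(CASE WHEN t.disposition = 'false_positive' THEN 1 ELSE 0 END)                        AS false_positives,
       SUM(CASE WHEN a.finding_type = 'vuln' AND t.disposition IS NOT NULL THEN 1 ELSE 0 END)   AS vulns_triaged,
       SUM(CASE WHEN t.disposition = 'not_applicable' THEN 1 ELSE 0 END)                        AS irrelevant,
       SUM(CASE WHEN t.disposition IS NULL THEN 1 ELSE 0 END)                                   AS untriaged
FROM alerts a
LEFT JOIN tickets t ON t.alert_id = a.alert_id   -- LEFT JOIN keeps alerts nobody has looked at yet
GROUP BY a.vendor
ORDER BY a.vendor
"""


def build_lake() -> sqlite3.Connection:
    """Stand-in for the security data lake: an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE alerts (alert_id TEXT PRIMARY KEY, vendor TEXT, finding_type TEXT);"
        "CREATE TABLE tickets (alert_id TEXT PRIMARY KEY, disposition TEXT);"
    )
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?)", ALERTS)
    conn.executemany("INSERT INTO tickets VALUES (?, ?)", TICKETS)
    return conn


def vendor_metrics(conn: sqlite3.Connection) -> dict:
    """Per-vendor false-positive rate and irrelevant-finding rate.

    Untriaged alerts are reported but kept out of both denominators, so a
    vendor is neither penalised nor flattered for alerts the team has not
    reached yet.
    """
    metrics = {}
    for vendor, threats, fps, vulns, irrelevant, untriaged in conn.execute(VENDOR_QUERY):
        metrics[vendor] = {
            "threats_triaged": threats,
            "false_positive_rate": fps / threats if threats else None,
            "vulns_triaged": vulns,
            "irrelevant_rate": irrelevant / vulns if vulns else None,
            "untriaged": untriaged,
        }
    return metrics


if __name__ == "__main__":
    for vendor, m in vendor_metrics(build_lake()).items():
        print(vendor, m)
```

The untriaged column matters as much as the rates: a vendor whose alerts nobody closes has no measurable false-positive rate, and that backlog is itself an accountability finding about the team rather than the tool.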

2: Identifying internal needs and changes

Accessing and analysing historical data helps to tackle the problem of remediation teams not addressing vulnerabilities quickly or consistently enough. It also identifies processes that need to be updated to boost efficiency, for example by adjusting workflows or restructuring teams so that SLAs are met.

By implementing security data lakes, businesses can apply context at query time from non-security sources. For example, joining HR’s termination data with identity and access records flags user accounts that remain active after an employee’s termination date. Additionally, security data can be correlated with activities such as awareness training, phishing exercises, and actual malware cases, which makes it possible to test whether departments that have not completed training are compromised more often.

3: Gaining insights from unified data

Security data lakes can also reveal where vulnerabilities originate and whether the same groups, whether developers, SREs, or other teams, repeatedly ship vulnerable components into the company’s infrastructure. However, achieving this level of insight is hard when data is spread across multiple tools and stored for short periods. Security teams must have quantified metrics backed by data to fulfil their role in a shared responsibility model.
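The remediation, leaver-access and origin questions raised in points 2 and 3 reduce to three joins over the same few tables. The following is an added example, not code from the article or from Snowflake; the clouds, teams, user IDs, dates and the 7-day critical-patch SLA are constructed assumptions, and an in-memory SQLite database stands in for the lake.

```python
import sqlite3

# Constructed sample data for this added example. Clouds, teams and user IDs
# are hypothetical; in a real lake these tables come from the vulnerability
# scanner, the CMDB, the HR system and the identity provider.
VULNS = [
    # (vuln_id, cloud, severity, introduced_by, opened, closed)  closed=None -> still open
    ("v1", "aws",   "critical", "platform-sre", "2024-01-01", "2024-01-05"),
    ("v2", "aws",   "critical", "payments-dev", "2024-01-02", "2024-01-20"),
    ("v3", "azure", "critical", "payments-dev", "2024-01-03", "2024-01-06"),
    ("v4", "azure", "critical", "platform-sre", "2024-01-10", None),
    ("v5", "gcp",   "high",     "payments-dev", "2024-01-01", "2024-01-10"),
]
HR_EMPLOYEES = [
    # (user_id, status, termination_date)
    ("u1", "active",     None),
    ("u2", "terminated", "2024-01-15"),
    ("u3", "terminated", "2024-02-15"),   # leaves after the as_of date: not yet an orphan
]
ACCESS_GRANTS = [
    # (user_id, system, active)
    ("u1", "vpn", 1),
    ("u2", "vpn", 1),
    ("u2", "github", 0),   # already disabled
    ("u2", "aws", 1),
    ("u3", "vpn", 1),
]


def build_lake() -> sqlite3.Connection:
    """Stand-in for the security data lake: an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vulns (vuln_id TEXT PRIMARY KEY, cloud TEXT, severity TEXT,
                            introduced_by TEXT, opened TEXT, closed TEXT);
        CREATE TABLE hr_employees (user_id TEXT PRIMARY KEY, status TEXT, termination_date TEXT);
        CREATE TABLE access_grants (user_id TEXT, system TEXT, active INTEGER);
    """)
    conn.executemany("INSERT INTO vulns VALUES (?, ?, ?, ?, ?, ?)", VULNS)
    conn.executemany("INSERT INTO hr_employees VALUES (?, ?, ?)", HR_EMPLOYEES)
    conn.executemany("INSERT INTO access_grants VALUES (?, ?, ?)", ACCESS_GRANTS)
    return conn


def critical_remediation_by_cloud(conn, as_of: str, sla_days: int) -> list:
    """Days to remediate critical findings per cloud, and how many breach the SLA.

    Open findings are measured up to as_of rather than dropped: a finding
    nobody has closed is the worst case, not a missing value.
    """
    return conn.execute("""
        SELECT cloud,
               COUNT(*)                                                               AS critical_findings,
               ROUND(AVG(julianday(COALESCE(closed, :as_of)) - julianday(opened)), 1) AS avg_days_open,
               SUM(CASE WHEN julianday(COALESCE(closed, :as_of)) - julianday(opened) > :sla
                        THEN 1 ELSE 0 END)                                            AS sla_breaches
        FROM vulns
        WHERE severity = 'critical'
        GROUP BY cloud
        ORDER BY cloud
    """, {"as_of": as_of, "sla": sla_days}).fetchall()


def orphaned_access(conn, as_of: str) -> list:
    """Access still active for people HR says have already left.

    Accounts with no HR record (service accounts) are deliberately out of
    scope here; they need an owner table, not a termination date.
    """
    return conn.execute("""
        SELECT g.user_id, g.system, e.termination_date
        FROM access_grants g
        JOIN hr_employees e ON e.user_id = g.user_id
        WHERE g.active = 1
          AND e.status = 'terminated'
          AND e.termination_date <= :as_of
        ORDER BY g.user_id, g.system
    """, {"as_of": as_of}).fetchall()


def findings_by_origin(conn) -> list:
    """Which teams keep shipping vulnerable components (team level, not individuals)."""
    return conn.execute("""
        SELECT introduced_by,
               COUNT(*)                                               AS findings,
               SUM(CASE WHEN severity = 'critical' THEN 1 ELSE 0 END) AS critical_findings
        FROM vulns
        GROUP BY introduced_by
        ORDER BY findings DESC, introduced_by
    """).fetchall()


if __name__ == "__main__":
    lake = build_lake()
    print(critical_remediation_by_cloud(lake, "2024-01-31", sla_days=7))
    print(orphaned_access(lake, "2024-01-31"))
    print(findings_by_origin(lake))
```

Two design points carry over to a real deployment: every query takes an explicit as_of date so a report can be re-run for last quarter against the retained history, and the origin query aggregates by team rather than by committer, which is the level at which process changes are made.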

Driving better performance and security

The ultimate goal of accountability is to help teams do their jobs better and raise an organisation’s overall security profile. It’s not about naming and shaming individuals, which damages morale. There’s an old saying that you can’t manage what you can’t measure, and it applies squarely to security teams. With increasingly complex threats and rising standards set by boards, regulators, and customers, CISOs must drive accountability to succeed.

Mario Duarte is VP of security at Snowflake. Mario has over 20 years of experience as a security professional in the retail, healthcare and financial sectors. He has built and managed security teams, developed and implemented security programmes, and managed PCI, ISO, FedRAMP, HIPAA compliance initiatives for medium and large organisations.
