Risk Analytics for Continuous Security: A Fireside/hose Chat about Integrated Risk Management

Continuous Security

I was speaking to one of our CISO customers yesterday. She was a little frazzled! She said to me:

“I have been working with the risk managers on risk analysis all day on my C1Risk platform. I am looking forward to starting over tomorrow, and the day after and the day after…”

There was a hint of sarcasm, but there was also a compliment: moving to an integrated risk management platform enabled our client to implement Continuous Security, a phrase that is being adopted as a standard requirement for cybersecurity practices in both the commercial and government sectors today.

Findings from the Fire Hose

Read the Forbes Magazine 2022 Most Common Cyber Threats Report

The unfortunate reality is that there are new headlines every day about the wide range of risks companies face, whether from internal or external sources.

Today, organizations face a daunting task to maintain information security and tackle evolving risks, with data stored across numerous devices in multiple disparate locations along with a move to remote work and a host of other factors that need to be effectively monitored and managed.

Is a Risk Register Enough?

The need for risk monitoring and a Risk Register to track company risk is more critical than ever. Risk is constantly evolving. As such, how do you keep your Risk Register current and representative of your risk exposure? Certainly, the spreadsheet method is unsustainable. How do you monitor which potential risks become actual findings to better understand the strengths and weaknesses of your risk management controls and security policies?

Risk Detection is not Risk Management

Many companies turn to solutions like Qualys, Nessus and Nexpose to monitor their systems for threat exposure and vulnerabilities. 

Similarly, solutions like BlackKite and WhiteHawk serve as great resources for monitoring supply chain risk, either beyond or as a supplement to security assessment reviews.

The upside to monitoring solutions is the ongoing data they provide. The challenge to monitoring solutions is the ongoing data they provide! 

It is a false sense of security to apply these solutions in isolation. The data must be handled, prioritized and acted upon. 

Data in isolation is simply information or knowledge. How do companies turn this knowledge into power? How do companies sort the false positives from the real issues?

Continuous Security

The move to a real-time, monitored risk posture is the CISO’s Shangri-La. Rather than spending time wading through information from multiple sources on spreadsheets, lists and napkins, your C1Risk integrated risk management platform transforms your data into prioritized, actionable analytics that can be used to proactively improve the business.

Now, your firehose of data becomes a thirst-quenching, refreshing glass of the finest mineral water, enriching your information security program with vitamin E (efficiency) and vitamin R (resiliency).

ARCI Integration Methodology

C1Risk integrates Assets, related upstream and downstream Assets, Risks, Controls and Issues to bring together all of your relevant risk data on a single pane of glass. With an integrated GRC solution, you can see your risks against your assets, track actual issues by risk category and assets and match controls, policies and procedures to those risks and assets.

Further integration with Nessus, Nexpose or Qualys enables you to parse the data from these solutions, prioritize it and sort real, immediate threats or risks, from irrelevant or acceptable risks. 
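To make the integration step concrete, here is an added example (not C1Risk code, and not any scanner's real export format) of what "parse, prioritize and sort" looks like in practice: constructed scanner findings are joined to a constructed asset register, each asset inherits the criticality of the downstream assets that depend on it, findings already covered by a documented risk acceptance are set aside, and the rest are ranked with the controls that map to the affected asset. Field names, the criticality scale and the scoring rule are all assumptions chosen for the illustration.

```python
"""Added example: triage scanner findings against an asset/risk/control register.
Not C1Risk code; field names and the scoring rule are assumptions."""
from dataclasses import dataclass, field

# Assumed four-point scale shared by finding severity and asset criticality
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Asset:
    asset_id: str
    hostname: str
    criticality: str                                  # business criticality of the asset itself
    downstream: list = field(default_factory=list)    # asset ids that depend on this asset


# Constructed asset register (sample data, not a real environment)
ASSETS = {
    "db-01": Asset("db-01", "db01.internal", "high", downstream=["web-01"]),
    "web-01": Asset("web-01", "web01.internal", "critical"),
    "lab-07": Asset("lab-07", "lab07.internal", "low"),
}

# Constructed controls register: which controls apply to which asset
CONTROLS = {
    "db-01": ["CTL-PATCH", "CTL-DB-HARDENING"],
    "web-01": ["CTL-PATCH", "CTL-WAF"],
}

# Constructed scanner output, loosely shaped like a vulnerability export row
FINDINGS = [
    {"host": "db01.internal", "plugin_id": "P-1001", "severity": "high", "title": "Outdated database service"},
    {"host": "web01.internal", "plugin_id": "P-2002", "severity": "critical", "title": "Vulnerable web framework version"},
    {"host": "lab07.internal", "plugin_id": "P-3003", "severity": "medium", "title": "Self-signed certificate"},
    {"host": "lab07.internal", "plugin_id": "P-4004", "severity": "low", "title": "Service banner disclosure"},
    {"host": "unknown.internal", "plugin_id": "P-5005", "severity": "high", "title": "Unmanaged host"},
]

# Constructed risk-acceptance register: (asset_id, plugin_id) -> justification on file
ACCEPTED = {("lab-07", "P-3003"): "Isolated lab network; accepted by the risk owner"}


def effective_criticality(asset_id, assets=ASSETS):
    """An asset is as critical as the most critical asset that depends on it."""
    seen, stack, best = set(), [asset_id], 0
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        asset = assets[current]
        best = max(best, CRITICALITY[asset.criticality])
        stack.extend(asset.downstream)
    return best


def triage(findings=FINDINGS, assets=ASSETS, accepted=ACCEPTED, controls=CONTROLS):
    """Return (ranked issues, findings on hosts missing from the register)."""
    by_host = {a.hostname: a for a in assets.values()}
    issues, unmatched = [], []
    for finding in findings:
        asset = by_host.get(finding["host"])
        if asset is None:
            unmatched.append(finding)      # inventory gap: cannot be scored until registered
            continue
        if (asset.asset_id, finding["plugin_id"]) in accepted:
            continue                       # documented acceptance: tracked, not re-raised
        score = CRITICALITY[finding["severity"]] * effective_criticality(asset.asset_id, assets)
        issues.append({
            "asset": asset.asset_id,
            "plugin_id": finding["plugin_id"],
            "title": finding["title"],
            "score": score,
            "controls": controls.get(asset.asset_id, []),
        })
    issues.sort(key=lambda issue: issue["score"], reverse=True)
    return issues, unmatched


if __name__ == "__main__":
    ranked, gaps = triage()
    for issue in ranked:
        print(f"{issue['score']:>3}  {issue['asset']:<7} {issue['plugin_id']}  {issue['title']}  controls={issue['controls']}")
    for finding in gaps:
        print(f"UNREGISTERED HOST: {finding['host']} ({finding['title']})")
```

Two points in the output are the ones a risk manager cares about: the database host outranks its own severity because a critical web asset depends on it, and the unregistered host is surfaced as an inventory gap rather than silently scored or dropped.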

Similarly, your third party monitoring tools not only give you an insight into your supply chain security, they help guide security review, the type of questions and information that you might require from your vendors prior to and during an engagement. 

Compliance Efficiencies: A by-product of integrated risk management is the subsequent efficiency gained by compliance teams and by overall information security governance.
