Security Data Analytics and Reporting: Organizational requirements

In SDAR Part 4, we identified the internal stakeholders with an interest in an organization's cybersecurity programs. This article focuses on how SDAR expectations and requirements differ by organizational type.

Organizational impact

Every organization has its own expectations for its security reporting. By stating those expectations clearly, an organization can shape its monitoring and reporting accordingly and select the metrics worth tracking. The same awareness is crucial for designing a cybersecurity strategy, but that is a subject for a future article series.

Note: Our team at Akrogoniaios Technologies is preparing to launch a security reporting toolkit by the end of this SDAR series. It will contain a broad range of tools, metrics and learning resources that organizations or individuals can use to fine-tune their current security reporting systems or build new ones.

Each stakeholder has different responsibilities and different reporting expectations to meet. In this article, I will illustrate these variances by comparing and contrasting the cybersecurity requirements and viewpoints of publicly listed and private companies.

Publicly listed companies

Although a security roadmap is normally built on established cybersecurity practices and standards, an organization's vision, mission, objectives and stakeholders ultimately determine the priority and maturity of its security programs, and therefore how its security controls are implemented, monitored and reported. In the U.S., a publicly listed company's first priority is compliance with the requirements of the SEC and other government and regulatory bodies; the SEC places great emphasis on incident reporting and on the disclosure of cybersecurity risks to investors. Regulators in other regions generally enforce a similar focus. Cybersecurity risks and security incidents can also have a material impact on a company's financial statements, depending on the nature and severity of the potential or actual incident.

This regulatory oversight typically drives the organization's IT strategy and, with it, the cybersecurity strategy. An organization's mission and vision also give rise to complementary security programs or controls, such as identity and access management and data loss prevention.

Within an organization, the differing needs of stakeholders also dictate which reports are required. The board of directors is most concerned with tracking cybersecurity risks and the controls that address them. The GRC team (Governance, Risk Management and Compliance) usually focuses on auditing information systems and ensuring regulatory compliance. Directors typically look to scorecards, maturity assessments, audit reports and performance reports for insight into their organization's security posture.

Figure 01: Depending on the country and the local regulations, security monitoring and reporting requirements can be stringent. This figure highlights some of the metrics that publicly listed companies are typically expected to track.

Publicly listed companies’ high-level expectations of their SDAR systems include the ability to:

  • monitor communication channels such as e-mail, messaging and telecommunications to maintain cyber hygiene and to track indicators of potential compromise and security incidents

  • monitor the IT asset lifecycle to maintain hygiene and compliance with regulatory and reporting standards

  • monitor the identity lifecycle to detect compromised identities or devices

  • monitor internal access to information and IT components

  • monitor the flow of information inside and outside the organization in order to control access to it

  • monitor and detect threats to the IT infrastructure from malware, ransomware and other persistent threats

  • ensure that IT and information assets are patched against known vulnerabilities

Private companies

For non-profit, owner-managed or family-owned organizations, the security strategy is based on the board of directors' security knowledge and on regulatory or legislative requirements such as privacy protection, anti-spam law, HIPAA, PCI and FOIP. Unless the organization is in a regulated field such as engineering, oil and gas, energy, banking or health care, its security strategy will place heavy emphasis on controlling the flow of information and will rely on the board of directors for direction. Such organizations might adopt an international standard for their security strategy, but that strategy will usually be less mature than that of their publicly listed counterparts.

In a non-regulated or non-profit organization, security is an extension of IT. The same is true of a private company operating in a regulated field, unless it is a multinational corporation with a greater appetite for cybersecurity maturity in the secure use of technology. In a regulated field, the security strategy is driven partly by regulatory and legislative requirements and partly by the organization's own needs.

Figure 02: Security monitoring and reporting depends partly on industry-specific regulations, local laws and the business's needs. This figure highlights some of the metrics that private companies and non-profits track.

A private company's high-level expectations for security monitoring and reporting include the ability to:

  • monitor communication channels such as e-mail, messaging and telecommunications for hygiene and for indicators of potential compromise and security incidents

  • monitor the IT asset lifecycle for cyber hygiene and compliance with industry regulators or internal security standards

  • monitor internal access to devices and infrastructure components

  • monitor and detect threats to the IT infrastructure from malware, ransomware and other persistent threats

  • ensure that IT and information assets are patched against known vulnerabilities

  • verify that technical controls comply with the chosen security framework

A large or multinational private company operating in a highly regulated field will have a security strategy that closely resembles that of a medium-sized or large publicly listed company. Overall, security requirements vary from organization to organization, depending on industry and ownership.

Compliance monitoring in SDAR

Implementing compliance monitoring for technical controls requires a mature compliance monitoring solution, and many vendors ship individual products, or modules on top of their existing products, to address this need. The subject is beyond the scope of this article, but the upcoming Akrogoniaios Technologies toolkit will include information on it.

Conclusion

Organizational type and the associated industry shape an organization's overall security strategy and requirements. SDAR Part 6 will discuss another critical aspect of effective security reporting: monitoring and reporting domains.
