Security Data Analytics and Reporting, Developing reporting viewpoints: Board of Directors

So far in our SDAR series, we have identified the stakeholders, business drivers and the organizational requirements for security data analytics and reporting. Over the next few articles, we will demonstrate how organizational requirements, together with monitoring and reporting domains, can provide stakeholders with reporting viewpoints that help them (and the organization) build a robust SDAR system. To walk you through the steps, we will use an imaginary publicly listed software engineering and business-to-consumer product company to establish the different stakeholders’ viewpoints. Let’s call this company Akrogoniaios Technologies Corp (ATC).

Security strategy

At ATC, the board of directors’ overall security strategy is driven by two main goals: 

  • Maintain regulatory compliance

  • Prevent data leakage

The scope of regulatory compliance requirements includes a number of things such as corporate governance, human resources and health & safety, but our focus in this article is only on the security compliance requirements relevant to SDAR. To achieve sufficient compliance, ATC’s audit will focus on overall security governance, business continuity, incident management and other management controls (apart from the technical ones). Compliance requirements derived from a security standard (such as ISO 27001) require that a baseline set of security controls be present in every in-scope IT system that the organization operates.

Additionally, ATC places heavy emphasis on preventing confidential or restricted information (hereafter referred to as classified information, or simply ‘classified’) from leaking out of the organization. ATC offers its staff flexible working conditions (including the ability to work from home) and relies on SaaS products, licensed on a subscription basis, for email and collaboration; the controls that keep information classified must therefore extend to those services as well.

The required compliance maturity stipulated by industry regulators will determine the depth of security strategy that the organization needs, in addition to steps taken in response to specific organizational requirements (like preventing data leakage). For an organization to sufficiently comply with mandatory and recommended technical controls (based on ISO 27001 and/or NIST CSF), it must be mature in the following areas:

  • Firewall controls

  • Network segmentation (sometimes microsegmentation, if the organization adopts a zero trust model)

  • Endpoint agents such as antivirus, malware prevention and endpoint firewalls

  • Identity and access management that includes privileged access management

  • Information classification and lifecycle management

  • Web application firewall

  • DDoS Protection

  • Vulnerability management

  • Geofencing

  • Data loss prevention controls such as full disk encryption and USB blockers

  • Traffic encryption

  • Guest wireless segregation and protection

  • Data anonymisation on non-production environments

  • Advanced threat protection on emails and other communications

In ATC’s case, the need to prevent information from leaking and to comply with regulatory requirements means that a dedicated data leakage prevention programme must be added to the above list, beyond the endpoint controls already named.

Viewpoints

A viewpoint is an architectural term in the information technology world used to describe the stakeholders, and their concerns, for which organizational views of technology are constructed. In the case of SDAR, a viewpoint is a reporting view for a group of the organization’s stakeholders, based on those stakeholders’ concerns. It identifies the IT components involved, the target audience’s expectations and a presentation that the target audience can understand. Each viewpoint addresses the concerns of its stakeholders using the same underlying information, but presented in a way that is optimized for its target audience. We will not define viewpoints for the external stakeholders, since the internal stakeholders are responsible for addressing the concerns of the external stakeholders.

Board of Directors

A board of directors’ primary responsibility in a publicly listed company is to provide value to shareholders. Hence, the directors take a special interest in monitoring any risks that arise as crucial business technologies are implemented. Once risks have been identified, the board plays an advisory role in resolving them. To succeed in this responsibility, the board asks high-level questions like:

  • How well is the organization complying with regulatory requirements?

  • Are the organization’s information technology systems secure enough to be used when conducting business?

  • Is the organization able to sufficiently secure critical information internally and effectively control any information that leaves the organization?

The above three questions make up the board of directors’ SDAR viewpoint for technical controls. In an SDAR system, these concerns can be split into three views:

(1) Regulatory compliance 

(2) Security Posture  

(3) Data Leakage Prevention 

To assist the board in getting sufficient visibility for reporting, organizations need to consolidate large amounts of information from all information technology components, correlate them, normalize data if required, add any necessary context and then summarize all the above for the directors.

Note: The figures in the following sections are for illustrative purposes only and relate to ATC’s imaginary business. Organizations building SDAR do not need to follow the examples provided in this article. Instead, use these examples as inspiration while you build your own SDAR reporting structure.

Regulatory compliance reporting

ATC has a regulatory compliance view that helps the directors monitor compliance. It is split into three:

(1) Security compliance

(2) PCI compliance

(3) Privacy compliance. 

To create this view, the analysts implementing SDAR must summarize the information shortlisted for the report, compare it against the agreed-upon set of controls to be implemented, and then graphically represent the status of ATC’s compliance. Beyond that, it is up to the team to determine whether additional reports are necessary. However, every additional report brings its own subjective interpretation, so organizations looking to streamline the compliance view for the directors may want to keep such reports to a minimum.

Figure 01: High level reporting for the board for regulatory compliance requirements

Each dashboard item of ATC’s IT system can be used to generate various kinds of reports that  are relevant to the board of directors’ security reporting. 

The rationale behind automated reporting is to provide the board with fact-based information that will help them make decisions. By looking at these reports, the board understands whether management’s support for security programs is sufficient. If privacy compliance is less than ideal, say 80%, then the data classification and information protection programs will benefit from  additional support from management.

Security posture

The board’s second concern is whether the organization’s information technology is safe enough for the organization to conduct business. This concern is split into five reporting views:

(1) Security posture of the staff’s computing devices such as workstations, desktops, laptops and virtual desktop infrastructure (VDI)

(2) Security of the email communications infrastructure

(3) Security posture of remote work technologies

(4) Performance of IT & Security in handling security incidents

(5) Security posture of the customer applications

Figure 02: High level reporting for the board of directors on overall security posture of the organization’s information technologies.

The metrics that contribute to such consolidated, high level board reporting must be carefully selected to ensure they are relevant to the board of directors’ concerns. Implementing controls can be costly, so that alone is a good reason to customize implementation to organizational needs. As such, when calculating the percent of compliance it is only the directors' agreed upon controls that are referenced.
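The compliance figures in both the regulatory compliance view and the security posture view follow the same recipe: normalize evidence from several tools, keep only the controls the directors agreed to be measured on, and roll the result up to a percentage. The script below is an added example, not part of the original article or of any ATC system; the control identifiers, tool vocabularies and evidence records are constructed placeholders. It treats a control with no evidence as non-compliant, so a silent feed lowers the figure instead of inflating it, and it sets aside controls that were reported but never agreed upon so they do not distort the board’s number.

```python
"""Roll raw control evidence up into board-level compliance percentages."""
from collections import defaultdict

# Controls the directors agreed to be measured on, per reporting view.
# Identifiers are hypothetical placeholders, not ISO/PCI clause numbers.
AGREED_CONTROLS = {
    "Security compliance": {"SEC-01", "SEC-02", "SEC-03", "SEC-04"},
    "PCI compliance": {"PCI-01", "PCI-02", "PCI-03"},
    "Privacy compliance": {"PRV-01", "PRV-02", "PRV-03", "PRV-04", "PRV-05"},
}

# Each feeding tool uses its own vocabulary; map all of them onto pass/fail.
# Anything unrecognised becomes "unknown", which is never counted as a pass.
STATUS_MAP = {
    "compliant": "pass", "pass": "pass", "true": "pass", "ok": "pass",
    "non_compliant": "fail", "fail": "fail", "false": "fail", "open": "fail",
}


def normalize(record):
    """Turn one raw tool record into a (system, control, status) triple."""
    raw = str(record["status"]).strip().lower()
    return record["system"], record["control"], STATUS_MAP.get(raw, "unknown")


def compliance_by_view(records, agreed=AGREED_CONTROLS):
    """Compute the compliance percentage for each view.

    A control counts as compliant only when every system that reported on
    it passed. A control with no evidence at all is reported as failing
    ("no evidence"), and controls outside the agreed set are returned
    separately so the analyst can see what was ignored.
    """
    in_scope = set().union(*agreed.values())
    evidence = defaultdict(list)
    unscoped = set()
    for rec in records:
        system, control, status = normalize(rec)
        if control not in in_scope:
            unscoped.add(control)
            continue
        evidence[control].append((system, status))

    report = {}
    for view, controls in agreed.items():
        failing = {}
        for control in sorted(controls):
            seen = evidence.get(control, [])
            not_passing = [system for system, status in seen if status != "pass"]
            if not seen:
                failing[control] = ["no evidence"]
            elif not_passing:
                failing[control] = not_passing
        passed = len(controls) - len(failing)
        report[view] = {
            "percent": round(100 * passed / len(controls), 1),
            "failing": failing,
        }
    return report, unscoped


# Constructed sample evidence from three hypothetical feeds (a config
# scanner using COMPLIANT/NON_COMPLIANT, an IAM audit emitting booleans,
# and a ticketing export using ok/open).
SAMPLE_RECORDS = [
    {"system": "erp", "control": "SEC-01", "status": "COMPLIANT"},
    {"system": "crm", "control": "SEC-01", "status": "COMPLIANT"},
    {"system": "erp", "control": "SEC-02", "status": True},
    {"system": "crm", "control": "SEC-02", "status": False},  # one system fails
    {"system": "erp", "control": "SEC-03", "status": "ok"},
    # SEC-04 has no evidence at all and is therefore counted as failing
    {"system": "payments", "control": "PCI-01", "status": "pass"},
    {"system": "payments", "control": "PCI-02", "status": "pass"},
    {"system": "payments", "control": "PCI-03", "status": "open"},
    {"system": "crm", "control": "PRV-01", "status": "COMPLIANT"},
    {"system": "crm", "control": "PRV-02", "status": "COMPLIANT"},
    {"system": "crm", "control": "PRV-03", "status": "COMPLIANT"},
    {"system": "crm", "control": "PRV-04", "status": "COMPLIANT"},
    {"system": "hr", "control": "PRV-05", "status": "weird-value"},  # unknown
    {"system": "erp", "control": "OPS-99", "status": "pass"},  # not agreed
]

if __name__ == "__main__":
    summary, ignored = compliance_by_view(SAMPLE_RECORDS)
    for view, result in summary.items():
        print(f"{view}: {result['percent']}% (failing: {result['failing']})")
    print("Ignored controls outside the agreed set:", sorted(ignored))
```

On the constructed sample the privacy view lands at 80% because one record carries a status the mapping does not recognise; the analyst has to resolve that feed before the figure can be trusted, which is exactly the kind of follow-up the board narrative should call out rather than rounding the unknown up to a pass.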

In our example, when ATC’s board of directors look at this chart, accompanied by a narrative, they gain a holistic understanding of their security maturity. The chart also helps the directors ask the right questions and provide additional support to the organization as needed. For example, when a director sees inconsistent quarter-to-quarter vulnerability mitigation in the customer applications posture, they may decide to outsource the mitigation activities, procure more manpower internally, buy a generous insurance policy, or generally prepare for unforeseen cyberattacks in the future.

Data leakage prevention

One of the important concerns of the business, apart from regulatory compliance, is whether the organization is leaking sensitive information, knowingly or unknowingly. This concern is divided into four categories and reported to the directors. They are:

(1) Knowing the current state of information classification

(2) The organization’s ability to protect classified information

(3) Monitoring potentially sensitive information that exists outside the organization, and

(4) Monitoring the number of incidents involving classified information reported within the organization

Figure 03: High level reporting for the board of directors on overall data leakage prevention of the organization on its information technologies.

The metrics for data leakage must be carefully selected and agreed upon before reports can be automated. As directors gain visibility into the information being shared outside the organization, they tend to follow up and mandate reducing such transfers, so in practice leakage falls as visibility grows.

The directors, when looking at the overall progress of the organization’s ability to protect classified information, can determine whether it is necessary to recommend increased effort from the committee responsible for overseeing day-to-day information management activities. Having the ability to track the use of classified information, and to take action when required, gives the directors confidence in adopting cutting-edge technologies for the business to lower costs and increase revenue generation.

Conclusion

In this article, we discussed how organizational ownership and stakeholder requirements shape cybersecurity strategy. Developing reporting viewpoints helps organizations deliver security reporting to the right audience. The directors’ viewpoint is provided by three reporting views: (1) regulatory compliance, (2) security posture of the organization and (3) data leakage prevention. Understanding the board of directors’ security requirements in this way helps organizations define reporting views that are genuinely useful. When the directors get visibility into the security programs addressing their concerns, they are able to make confident decisions. In the next article, we will discuss the viewpoint of security executives.

For more information on viewpoints (including GRC, IT Leadership and Business Leadership), stay tuned for additional articles that will be included in our premium toolkits.
