A large group of security leaders and CISOs convened to tackle a common challenge: distilling large volumes of data into usable security metrics that can then be communicated to executives and boards. The CISO Forum was facilitated by Tim Howard of Fortify Experts. Tim set the stage by emphasizing the need for an insightful discussion on this critical topic.

Tim introduced Sai Iyer, the Chief Information Security Officer (CISO) at Ziff Davis, a technology company with over 30 digital media and tech brands. Sai detailed the problems his team faced, including a deluge of security data from diverse sources and the manual effort required to consolidate it. Emphasizing the need for a comprehensive solution, Sai outlined their journey towards creating a centralized data aggregation system.

Sai explained the initial challenges of managing a diverse technology landscape, with multiple business units having autonomous control over their stacks. The absence of a unified asset inventory and the back-and-forth nature of manual report generation consumed valuable time and effort. To address these issues, Sai and his team devised a multi-step strategy.

The first step involved establishing a robust asset inventory, leveraging developer resources to extract accurate data from their different cloud and on-prem environments. This data was crucial for understanding the landscape of security tools coverage across the organization. Sai described how they begged and borrowed resources to develop a system that pulled this information through APIs into a central data lake.

To streamline the process, they explored commercial solutions and eventually settled on a tool that several of the other security leaders in the forum also used. This tool acted as a super aggregator, connecting with various security systems and pulling the required data. Its ability to run queries and surface relevant information was particularly useful. Sai emphasized the importance of choosing a vendor that is responsive to your needs and has a strong customer success team.

Their general architecture is represented here:

For more details on the vendors used, contact Tim Howard.

With the data aggregation issue solved, Sai moved on to the front-end dashboarding aspect. They initially used Google Data Studio but later transitioned to a more sophisticated dashboarding tool. This tool visualizes the aggregated data, allowing users to export it in various formats. Moreover, it facilitated the creation of role-based access, ensuring that different stakeholders could access the specific information pertinent to them.

The system was designed to be transparent, eliminating the ‘gotcha’ element. It focused on providing the latest data, reducing the time lag between data generation and data consumption. The team also integrated the system with their ticketing platform, enabling seamless information flow and accountability.

Sai shared mockups of the dashboards, emphasizing the use of various chart types and the ability to export data. The metrics included tool coverage, asset management, and vulnerability management, presented in a way that facilitated meaningful interpretations. He also highlighted the potential for adding additional data fields and the capability to assign internal priority to vulnerabilities.
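To make the tool-coverage metric concrete, here is an added example (not Ziff Davis's or the forum's code) that joins a central asset inventory against what each security tool reports as enrolled, then reports coverage per business unit and the critical assets that fall through the gaps. The inventory rows, tool names and field names are constructed and hypothetical.

```python
from collections import defaultdict

# Constructed sample of inventory rows as they might land in a central data
# lake after API pulls from cloud and on-prem sources (hypothetical schema).
ASSETS = [
    {"id": "WEB-01", "bu": "media", "source": "aws", "critical": True},
    {"id": "web-02", "bu": "media", "source": "aws", "critical": False},
    {"id": "db-01", "bu": "media", "source": "onprem", "critical": True},
    {"id": "app-01", "bu": "tech", "source": "gcp", "critical": True},
    {"id": "app-02", "bu": "tech", "source": "gcp", "critical": False},
]
# Constructed sample of what each security tool's API reports as enrolled.
TOOL_ENROLLMENTS = {
    "edr": ["web-01", "db-01", "app-01"],
    "vuln_scanner": ["WEB-01 ", "web-02", "app-01", "app-02"],
}

def normalize(asset_id):
    """Tools rarely agree on casing or whitespace; normalize before joining."""
    return asset_id.strip().lower()

def enrolled_sets(enrollments):
    """Map each tool to the normalized set of asset ids it knows about."""
    return {tool: {normalize(a) for a in ids} for tool, ids in enrollments.items()}

def coverage_by_bu(assets, enrollments):
    """Return {bu: {tool: {"covered": n, "total": m, "pct": p}}}."""
    enrolled = enrolled_sets(enrollments)
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [covered, total]
    for asset in assets:
        aid = normalize(asset["id"])
        for tool, ids in enrolled.items():
            counts[asset["bu"]][tool][1] += 1
            counts[asset["bu"]][tool][0] += int(aid in ids)
    return {bu: {tool: {"covered": c, "total": t, "pct": round(100 * c / t, 1)}
                 for tool, (c, t) in tools.items()}
            for bu, tools in counts.items()}

def uncovered_critical(assets, enrollments):
    """List (asset_id, tool) pairs where a critical asset is missing from a tool."""
    enrolled = enrolled_sets(enrollments)
    return sorted((normalize(a["id"]), tool)
                  for a in assets if a["critical"]
                  for tool, ids in enrolled.items()
                  if normalize(a["id"]) not in ids)

if __name__ == "__main__":
    print(coverage_by_bu(ASSETS, TOOL_ENROLLMENTS))
    print("gaps:", uncovered_critical(ASSETS, TOOL_ENROLLMENTS))
```

The per-BU percentages are what a dashboard would chart; the gap list is what would flow into the ticketing platform for accountability.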

Several security leaders shared their insights and experiences. They noted that the challenge in communicating with the Board is translating operational data into risk metrics. One recommendation was to review the 16 Cybersecurity Risks Gartner recommends measuring.

One financial sector CISO emphasized the challenge of communicating security metrics to business unit leaders and the subsequent need to translate them into risk metrics.

Another security leader shared their organization’s approach, which involved using Excel to create a high-level dashboard for the board. This dashboard offered a snapshot of the security program’s health. This leader also emphasized the importance of simplicity when presenting to non-technical stakeholders.

A GRC leader spoke about the tool they were developing in partnership with another vendor, which focused on compliance metrics. The tool helped identify critical vendors and track the status of their assessments. They face the challenge of catering to different managers’ preferences for specific metrics.

One leader brought a unique perspective, suggesting a matrix that considered people, systems, and threats. This leader also emphasized the need to align security with the business’s resilience and the importance of executive buy-in.

The discussion highlighted various approaches, challenges, and successes in presenting security metrics. Tim Howard emphasized the value of such knowledge-sharing sessions and encouraged participants to provide feedback and suggest topics for future meetings. The meeting concluded with a sense of accomplishment, with CISOs and security leaders gaining valuable insights into tackling a challenge that is prevalent in the industry.

Overall, the meeting was a platform for sharing innovative solutions and a great opportunity for security professionals to learn from each other’s experiences, ultimately enhancing their own security posture.

In Summary:

Thanks to the security leaders who joined our CISO Forum and provided such insightful advice on how to move your security program forward. If you are a security leader and would like to participate in our monthly CISO Forums, where we discuss valuable and actionable information as well as best practices and challenges, please register here.

Join us in March as we continue to dissect and discuss the evolving landscape of cybersecurity.

What: CISO Executive Round Table – Eliminating End User Threats

Details: 85% of malware & ransomware come in through the endpoints. We will discuss new ways to reduce or eliminate that threat.

When: April 18, 2024, 01:00 PM Central Time

Where: Registration @ Zoom: https://us02web.zoom.us/meeting/register/tZ0vf-qhpjouGtL3Qz07FxMP-NFyD9wb79Y0

About Tim Howard

Tim Howard is the founder of 5 technology firms including Fortify Experts which helps companies create higher-performing teams through People (Executive Search and vCISO/Advisory consulting), Process (NIST-based 3rd party security assessments and Leadership Coaching), and Technology (security simplifying solutions).

How I can help you:

  1. Join over 30,000 people getting free security leadership improvement advice: follow me on LinkedIn. www.linkedin.com/in/timhoward
  2. If you want to raise the expertise or performance level of your security team, contact me.
  3. If you don’t have a clear picture of your cybersecurity maturity level or need a strategic improvement roadmap, contact me.
  4. Join our interactive Monthly CISO Forums.