Ask any security manager how they currently analyze cyber security data. Chances are they’ll describe a mad dash of manual efforts that involve pulling volumes of disparate data together for either ad-hoc requests coming from upper management, or quarterly reports aimed to appease the board. The keyword here is “manual.”
In our recent study, “Reporting to the Board: Where CISOs and the Board are Missing the Mark,” 81 percent of IT and security executives admitted that they employ manually compiled spreadsheets to report data to the board. While it may not sound like a big deal, the effort that goes into putting these spreadsheets together, combined with the extensive amount of siloed information needed, shows how inefficient and error-prone the process can be.
The scene typically plays out as follows: A security manager gets a last-minute request to pull data, which, naturally, they have to ensure is accurate because it indicates that the security and risk organization has its act together.
A tremendous amount of time is spent rushing to collaborate with tool owners to access the siloed information they need. Unfortunately, the security manager is typically left with cut-and-dried metrics that aren’t very useful to their business peers. Without a traceable method for accessing the information, the data collected results in one-off numbers that may not correlate to the previous reports the security manager submitted. At times, this may force them to manually massage the numbers to tell a story that coincides with previous reports.
Feeling compelled to ensure their reports don’t seem disconnected, they are under pressure to adjust the numbers to tell a story. But given the siloed data they’ve had to compile manually, there’s plenty of room for error.
Security tools today aren’t helping the cause because they act like silos for this information. Reporting is commonly an afterthought for point product tools, which forces security managers to access these different silos of information in an attempt to stitch together a story that describes the organization’s cyber risk posture.
Simply put, the way security practitioners analyze cyber security data today is broken. A tremendous amount of resources is spent manually compiling spreadsheets and putting together static PowerPoint presentations that may not tell the complete story of a company’s cyber risk appetite.
Based on recent discussions we’ve had with security leaders, we estimate that security managers can spend anywhere from 25 to 40 percent of their time running manual reports.
To overcome this challenge, security leaders must arm their teams with the ability to automate the cyber security reporting process. By doing so, the security and risk organization can create a system that will deliver cyber risk insights in real time and do away with the distracting reporting burden. This gets their team out of the business of manual reporting, and into the business of being proactive security practitioners.