Keeping pace with the cyber threat landscape through continuous control monitoring
The evolving threat landscape is the cornerstone of any discussion on cyber risk – and it appears to be evolving more rapidly now than ever before. The COVID-19 pandemic, coupled with continuing geopolitical tensions, has created the perfect environment for cybercriminals to flourish, as evidenced by a reported 485% year-on-year increase in ransomware in 2020. The recent Colonial Pipeline hack in May reiterated just how disruptive ransomware attacks can be, and the vast sums of money criminals are receiving as ransoms mean it is likely to remain a threat for years to come. Beyond ransomware, the fallout from nation-state-linked cyberattacks (such as the 2020 SolarWinds hack and the 2021 Microsoft Exchange email server hack) means that cybercriminals have increasingly sophisticated and powerful tools at their disposal. It comes as no surprise that an estimated 70% of UK financial firms suffered cyberattacks in 2020, and firms must be more vigilant now than ever before about how they manage their defences.
However, this does not necessarily mean that firms need a complete overhaul of their cyber controls, nor does it mean they need to invest in a set of shiny new tools. It simply means that the way in which firms manage their cyber controls must be robust enough to keep pace with the rate of change. This also enables firms to demonstrate to increasingly scrutinous regulators that they are in control of their cyber (and operational) risk.
Cyber risk, as with other types of operational risk, is traditionally managed in line with three broad stages:
- Identify & Assess: Establish organisational understanding and articulation of the risk that is faced
- Mitigate & Manage: Define and implement the activities that will bring risk in line with appetite
- Monitor & Report: Continuously monitor risks and controls supported by regular reporting to enable proactive mitigation actions
The activities involved in the identification and mitigation stages are naturally more static and discrete. While they are of course critical components of any risk management framework, they cannot feasibly be completed on an ongoing basis – and may leave firms vulnerable to the rapid evolution of the threat landscape if dependency on the first two stages is too substantial.
It’s therefore crucial that firms focus their attention on continuous monitoring of key metrics when it comes to cyber controls, including, specifically:
- Key Risk Indicators (KRI): measure risk exposure to specific categories of cyber risk
- Key Control Indicators (KCI): measure the effectiveness of deployed cyber controls to mitigate and manage risk
- Key Performance Indicators (KPI): measure success of cybersecurity programs in supporting business objectives
It is this monitoring that, when supported with the necessary reporting and escalation mechanisms, will enable the swift responses that the cyber-threat landscape demands.
Building blocks of a successful Cyber Control Monitoring capability
From our experience of cyber controls management, we have identified six key elements across people, process and technology that underpin effective continuous control monitoring:
- Leadership Buy-in. Gaining (and maintaining) endorsement from senior leadership must be the first step, as it will help to enable budget and resources required to establish and sustain a monitoring capability in the first instance. Communicating the value of monitoring activities will also be made easier if it comes from the top, as it will institute accountability. The knock-on effect is improved cooperation from stakeholders involved in the monitoring process, and an increase in proactive decision making. Last but not least, it introduces senior governance and oversight to ensure that the most critical weaknesses in monitored controls can be made visible to the business and appropriately handled.
- Clear Ownership. The benefits of leadership buy-in can be reinforced by ensuring that an accountable owner is defined for all controls – without any ambiguity. By putting the onus on these individuals, accountability is driven more widely throughout the organisation, which will encourage quicker and better inputs to monitoring teams, as well as earlier identification and remediation of control deficiencies.
- Control Monitoring Plans. CMPs are the core of any monitoring capability. They specify the activities (including who, what, when) that will be used to proactively and reactively identify any changes in control effectiveness. Each activity needs to be evidenced, with the nature and location of that evidence specified in the CMP to ensure an audit trail and support regulatory inquiries. Perhaps the most vital component of CMPs is metrics – such as the KCIs, KRIs and KPIs mentioned previously. Where reactivity is the aim, the focus should be on indicators that are leading over lagging, and on having defined and validated thresholds that will reliably signal when the control is underperforming. Combine this with periodic reviews of controls to proactively gain insight into their effectiveness and allow for early detection of threats and potential security incidents.
- Reporting and Remediation. Monitoring can only be a valuable function if it elicits a suitable response. The pathway for communicating the results of control monitoring activities must therefore be well defined and exercised, taking into account the level of material risk associated with any deficiencies. In doing so, risk can be the driving factor for determining remediation actions, therefore allowing responses to be proportionate and appropriately prioritised. Once agreed, actions need to then be driven to closure. Assigning accountable owners and consistently tracking progress is the key to doing this, and will be more effective when supported by senior leadership.
- System of Record. To best enable your people and processes, information associated with control monitoring (including plans, results and metrics) needs to be recorded and managed using a single, centralised system. Not only does this reduce the risk of error, disputes and duplication, but it also significantly reduces the administrative overhead for teams if they no longer have to maintain folder upon folder of spreadsheets. Even better if that system also supports (or at least integrates with) the other stages of the risk management framework. To take even further advantage, information in the system of record should be consolidated into customisable dashboards so that key metrics can be visualised and used to inform decision making.
- Automation. Wherever feasible, a shift should be made from manual to automated monitoring processes. Although automation has been a key talking point in cyber risk for several years, a 2020 ORX survey found that 61% of cyber control indicators are still manually operated, indicating that there are significant gains still to be made in this area. Reporting of metrics can also be a tedious and time-consuming process when performed manually rather than automated (such as through self-service and dynamic dashboards). By using automation to reduce the burden on people, their time and attention can be freed up for less menial tasks, while simultaneously reducing human error and process time. This all ultimately serves to improve control effectiveness and introduce agility into controls management.
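As an added example (not from the original article), a small Python evaluator that ties the Control Monitoring Plans and Automation points together: constructed asset evidence is scored against KCIs with validated amber/red thresholds, and each result carries the accountable owner and an evidence reference for the audit trail. The indicator names, thresholds and asset records are assumptions.

```python
from dataclasses import dataclass

# Constructed sample evidence: one record per asset, in the shape an automated
# collector (e.g. a CMDB or endpoint-management export) might produce. Not real data.
ASSETS = [
    {"id": "srv-01", "critical_patches_overdue": 0, "mfa_enrolled": True},
    {"id": "srv-02", "critical_patches_overdue": 3, "mfa_enrolled": True},
    {"id": "srv-03", "critical_patches_overdue": 0, "mfa_enrolled": False},
    {"id": "ws-04", "critical_patches_overdue": 1, "mfa_enrolled": True},
    {"id": "ws-05", "critical_patches_overdue": 0, "mfa_enrolled": True},
]

@dataclass(frozen=True)
class Kci:
    """A Key Control Indicator as defined in a Control Monitoring Plan (names/thresholds assumed)."""
    name: str      # indicator identifier
    owner: str     # accountable control owner (Clear Ownership)
    amber: float   # validated thresholds: a value at or above amber/red signals underperformance
    red: float

KCIS = [
    Kci("patch_overdue_ratio", "infrastructure-lead", amber=0.10, red=0.25),
    Kci("mfa_gap_ratio", "identity-lead", amber=0.05, red=0.30),
]

def kci_values(assets):
    """Compute each indicator as the share of assets failing the control (higher is worse)."""
    n = len(assets)
    return {
        "patch_overdue_ratio": sum(a["critical_patches_overdue"] > 0 for a in assets) / n,
        "mfa_gap_ratio": sum(not a["mfa_enrolled"] for a in assets) / n,
    }

def rate(value, kci):
    """Map an indicator value to a RAG status using the KCI's thresholds."""
    if value >= kci.red:
        return "RED"
    if value >= kci.amber:
        return "AMBER"
    return "GREEN"

def evaluate(assets, kcis, evidence_ref):
    """Score every KCI; each record names the owner to notify and the evidence for the audit trail."""
    values = kci_values(assets)
    out = []
    for k in kcis:
        status = rate(values[k.name], k)
        out.append({"kci": k.name, "value": round(values[k.name], 3), "status": status,
                    "owner": k.owner, "escalate": status != "GREEN", "evidence": evidence_ref})
    return out
```

Feeding the records into the system of record lets a dashboard show the RAG status per control and route any non-GREEN result to its owner for remediation.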
All indications are that the cyber threat landscape will continue to evolve at a rapid pace. Therefore, adopting these cyber control monitoring elements will provide firms with a strong foundation for sustainable and proactive (as well as reactive) control monitoring capabilities. Continuous assessment and improvement of monitoring mechanisms is also needed to ensure they are kept up to date and remain effective. But assuming this happens, these capabilities should enable firms to stay abreast of the latest developments as the landscape evolves and new threats come to the fore.