Data Driven Decision-Making in Cybersecurity & Risk Management Part II

Securing the organisation by empowering decision-makers with relevant and understandable information

This is Part II of a two-part series. The previous blog post can be found here.

Having defined what good reporting looks like in cyber security and risk management, using the DIBB framework as an example, this blog post now outlines the steps to achieve it in your organisation.

Every organisation’s context is different, which may affect how you implement the steps outlined below. The 5-step approach is therefore designed as flexible guidance rather than prescriptive instruction.

A 5-step approach to data-driven decision-making in cyber security and risk management

Enabling your cyber security function to make fact-driven decisions in a formalised and therefore repeatable way takes time and investment. It’s a gradual, iterative development of your team’s capabilities and coverage of insights across all areas of your cyber security programme [Figure 1].

Figure 1: 5-step approach. Source: Capgemini Invent

Step 1: Identify your key security concerns

You need to ensure that whatever you are reporting on is driven by your organisation’s priority concerns. Ideally, start with the organisation’s top enterprise security risks, which will already have been identified, analysed and prioritised by the risk function. For organisations that do not yet have that level of risk management maturity, simple focus interviews with senior leaders and accountable risk owners should be your starting point. Understanding their top security concerns will give you a perspective on where more effective decision-making can be applied first.

Step 2: Work out which data is required to address the concerns

Adopting a kill chain approach to understand a particular type of threat is a key step when determining the data you will require. The cyber kill chain allows you to understand how a given threat will play out in your organisation, from early reconnaissance through to achieving an outcome. By mapping controls against each step in the kill chain, you can then determine whether these controls, technical or otherwise, are able to generate data you can use. The goal is a real-time view of how your controls are holding up against the threat, which is a key component of effective cyber risk management.

Step 3: Develop your team’s decision-making capability

To make data-driven decisions in a scalable and sustainable way, you need to nurture your organisation’s capability. A data-driven decision-making capability is formed of 7 components [Figure 2].

Figure 2: Decision-making capability overview. Source: Capgemini Invent

The key to developing any capability is accepting that it won’t be perfect from the start. It doesn’t matter if at first your data analytics and visualisation platform is Microsoft Excel; what matters is that you first demonstrate value to the business and go from there. This will take time. There will be failures along the way. But, with persistence and by following your decision-making framework, you will see results.

Step 4: Operationalise your newly formed capability

After understanding the threat and applicable controls, generating data and investing in a capability, how do you put it all to use? It starts with telling an understandable yet compelling story with the data. Metrics in isolation are useless; it’s more effective to contextualise security metrics using a funnel approach [Figure 3].

Figure 3: Operationalising decision-making using a funnel approach to metrics. Source: Capgemini Invent

In the example, controls are mapped to each stage in the ransomware email kill chain, and these controls are used to generate metrics such as the number of emails blocked by filters, the number of suspected ransomware emails reported, and the number of endpoints found to have ransomware. By taking this funnel approach, you can clearly see how effectively controls are performing at each stage of the threat’s kill chain. This view can help to quantify risk scores and, more practically, identify weaknesses or inefficiencies in your control set-up. In the context of DIBB: develop a series of beliefs which can then be turned into measurable bets.
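As an added illustration that is not part of the original post, the script below builds that funnel for the three stages the paragraph names from constructed counts; the stage names, control labels and all numbers are assumptions, and the "gap" column shows one thing the funnel reveals that a single metric cannot: threats observed at a later stage that no earlier stage saw.

```python
# Funnel view of a ransomware-email kill chain: for each stage, how many
# threats reached it, how many the control at that stage stopped, and how
# many passed through to the next stage. Stage names, control labels and
# all counts below are constructed assumptions for illustration only.
STAGES = [
    ("delivery", "email filtering"),
    ("user_interaction", "awareness and user reporting"),
    ("execution", "endpoint protection"),
]

# Constructed sample counts for one reporting period (not real data).
SAMPLE_COUNTS = {
    "delivery":         {"reached": 10000, "stopped": 9700},
    "user_interaction": {"reached": 300,   "stopped": 240},
    "execution":        {"reached": 65,    "stopped": 62},
}


def funnel(counts):
    """Build the funnel rows in kill-chain order.

    'effectiveness' is the share of threats the stage's control stopped,
    'passed' is what flowed on to the next stage, and 'gap' is how many
    more threats a stage observed than the previous stage let through:
    a positive gap points at a visibility blind spot, not a control failure.
    """
    rows, expected = [], None
    for stage, control in STAGES:
        reached = counts[stage]["reached"]
        stopped = counts[stage]["stopped"]
        passed = reached - stopped
        rows.append({
            "stage": stage, "control": control,
            "reached": reached, "stopped": stopped, "passed": passed,
            "effectiveness": stopped / reached if reached else 1.0,
            "gap": None if expected is None else reached - expected,
        })
        expected = passed
    return rows


def weakest_stage(rows):
    """The stage whose control let the largest share of threats through."""
    return min(rows, key=lambda r: r["effectiveness"])


if __name__ == "__main__":
    for r in funnel(SAMPLE_COUNTS):
        print(f"{r['stage']:<17} reached={r['reached']:>6} stopped={r['stopped']:>6}"
              f" passed={r['passed']:>4} effectiveness={r['effectiveness']:.1%} gap={r['gap']}")
    print("weakest stage:", weakest_stage(funnel(SAMPLE_COUNTS))["stage"])
```

The last stage's "passed" value is the residual the funnel is built to expose (here, endpoints that ran ransomware despite every control), and the weakest stage is where the next control investment or DIBB bet is most likely to pay off.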

Step 5: Iterate and improve

At this point, your focus should be on making gradual improvements to the scope of the information you report on, as well as to the decision-making capability as a whole. This could mean addressing the next top risk or concern, gaining access to new data sets, or purchasing a more advanced data platform.

Final thoughts

The challenge organisations face when managing cyber risk is being able to articulate what many consider to be esoteric and technical issues. The DIBB framework and 5-step approach outlined in this series can help overcome that challenge by telling compelling stories with data that go on to have a measurable impact on cyber risk levels.

This blog post series was published to complement a talk presented by Capgemini Invent at the Information Security Forum World Congress 2020. If you want to reach out for further information, please get in touch with Dan Harrison or Charli Douglas.

Author

Dan Harrison
