What’s the Half-Life of Cyber Risk Compliance?

by | Apr 11, 2016

To understand the value of your organization’s cyber risk assessment, it’s important to understand how long it will remain accurate.

In a recent article entitled “Is Compliance Bad for Security?” Edd Hardy of CNS accurately describes the relationship between compliance and security:

“Being secure can help with achieving compliance; in fact, compliance can be a by-product of security, but security is not automatically a by-product of compliance. You can be compliant without being secure.”

Many companies opt to hire an external, independent auditor to conduct an in-depth cybersecurity assessment, a process that often occurs only once a year (if that). Typically a senior consultant will assess high-level organizational policies related to cybersecurity, followed by a detailed analysis from more junior staff. The voluminous information gathered at the lower level is transformed into a well-documented report with an executive summary that’s read by the board.

From the board’s perspective, an in-depth assessment of policy and compliance is better than a raft of statistics and technical cybersecurity metrics. But if the board needs to show that they were actively engaged in overseeing cyber risk, this box-checking focus on compliance may not be enough.

What is the half-life of this type of security assessment? The obvious answer is 6 months, but the true answer is usually a much smaller time period.

“If you consider the number of changes a large organization makes on a weekly basis, the fact it was audited six months ago cannot possibly indicate that today it is definitely still compliant with the standard it was audited against.”

An alternative to annual point-in-time audits is to conduct an initial assessment that allows for continuous, ongoing monitoring. Staying apprised of status by putting human auditors on the ground is a costly proposition. Its expense limits its use to only the largest companies, and even then, the ROI is questionable.

An automated or semi-automated system can be integrated into daily operations. Automated methods evaluate two broad types of intelligence – threat intelligence and defense intelligence – to get a clear picture of cyber risk.

Threat intelligence is an attempt to understand the “threat landscape” in detail. It measures the organization’s ability to stand up against a list of 500,000 potential attackers that is constantly evolving. While threat intelligence provides immediate feedback, its value starts to decay almost as soon as it’s complete, giving it a much shorter half-life than a defense intelligence assessment.

Defense intelligence refers to knowledge about the policies, procedures, people, and technology that enable a company to withstand cyber attacks. When assessing defenses against cyber standards, we measure internal controls that represent processes and assets managed by the organization, as opposed to more dynamic threat intelligence scenarios. That means assessing cyber risk against standards yields a much longer half-life for the results.

“Annual audits aren’t enough: quarterly is better, monthly beats quarterly, but real time visibility can be achieved. Pass/fail must be replaced with more granular auditing of the maturity level with respect to each domain of compliance. And finally, I absolutely agree that having a compliance framework won’t guarantee success, but having one versus not can make a huge difference in outcomes.” 

Given their longer half-life, are measures of defense intelligence preferable to scoring threat vulnerability? Yes, although the best guidance points to using both, including compliance with the major cyber risk standards that match the organization’s profile.  In the U.S., that would include the NIST Framework and C2M2 as the foundation, with additional standards according to the type of operations: HIPAA, PCI, ISO, FFIEC, and FERPA are a few. Threat intelligence to measure external vulnerability can subsequently validate the standards-based measures and point out any weaknesses.

We agree with Edd Hardy that real-time monitoring against standards is highly preferable. Our customers have shown that real-time continual assessment of the 300+ controls of NIST combined with C2M2 is quite feasible.

[For more thoughts on the subject, I highly recommend reading Edd Hardy’s article.]

Be notified of new Journal entries in your email box or Follow us on Twitter.