Time to Rethink Our Approach
to Cyber Risk Management
By: Rob Eggebrecht
New Company. New way of doing things.
The Cloudrise team has decided to take on the problem of solving major gaps in the world of cyber risk management, otherwise dubbed as “data risk”. Our focus? Reduce risk surrounding regulatory requirements, compliance, and the business in general. Interpret it as you will, but essentially, we are shifting focus to the non-technical teams that are responsible for the innovation, development, delivery, support, accounting, and associated risk management of the business. In a nutshell, they drive revenue, control costs, and generate profits!
Below are a handful of the problems the team has been tackling since we first started working with Vericept (arguably the first DLP tool) 17+ years ago. Yep, we are getting a little long in the tooth, but we have unparalleled experience in this space, a world-class team, and a fresh canvas on which to paint our new masterpiece.
Setting the stage
First, let us quickly set the framework for this discussion. In my humble opinion there are two unique worlds of cyber security: Threat Management & Cyber Operations vs. Business-Centric Cyber Risk Management. During this discussion I am going to delve into the differences between the two and why I believe our approach at Cloudrise is different. Don’t worry – I am going to keep this brief as no one wants to read another wordy pontification of the world of cyber security! Additionally, this will be commercial/enterprise centric as I am not a government expert on nation-state cyber warfare.
Threat management & cyber operations
Cyber security programs focused on threat management and cyber operations typically are technology-driven to protect infrastructure, networks, and applications. They are managed by highly skilled and specialized cyber-threat professionals who monitor and remediate via centralized security operations centers.
Their goal? Stop the bad guys from entering the environments, stealing information, and trashing the organization’s ability to compute and operate.
The toolkit? Log aggregation/management, SIEM, UEBA, network analysis and endpoint controls.
Internal stakeholders? Typically, technical teams and individuals, such as the CISO, CSTO, Infrastructure, Network, Endpoint, Threat, and AppSec teams.
Business-centric cyber risk management
Cyber security programs focused on business-centric cyber risk are predominantly driven by national, regional or industry regulations like GLBA, HIPAA, GDPR, and CCPA…and the list will continue to evolve. Data risk management embraces the vast array of both cyber technology and business requirements, or what I like to call “the plumbing”, to address audit concerns, regulatory inquiries, and quantifiable business visibility of cyber/data risk (Let’s face it, this is an expense that needs to be managed).
The goal? Manage business risk utilizing data protection and privacy platforms, while enabling technology and business stakeholders to gain shared visibility into their risk.
The toolkit? DLP, CASB, privacy, trust and consent management platforms.
Internal stakeholders? Typically includes technical and business teams, such as CPO, CDO, Data Protection, Risk Management, Compliance, and Audit.
Challenges with legacy approaches to cyber risk management
1. Too much redundant technology + too little consideration for business requirements
Here is a scenario we often see: There is a regulatory/compliance requirement, or some justification by the business to have a control in place to mitigate risk. The CISO is brought to the table, tools are assessed, and the technology vendors start circling like wolves. You are told there is “no need for extra staff”, their technology will fully and seamlessly integrate with your current solutions (whatever that means), and it might even wash your car and pick up the groceries!!
Chances are that you may already have the tools required. In most cases we find these tools are grossly underutilized due to 1) a lack of, or oversubscribed, staff properly focused on the technology; 2) point-in-time program management, meaning requirements are focused at the time of implementation, but there is no real sustainable plan for operating the platform on an ongoing basis; and 3) little to no thought or available time dedicated to orchestrating multiple tools and leveraging automation to achieve the desired outcomes.
This results in siloed solutions, high cost of operations, frustrated staff, and inaccurate results with variable frequency. At Cloudrise, we challenge ourselves to orchestrate the available tools and automate the operations to deliver highly accurate, reliable, and cost-effective outcomes to the intended audience.
2. Time to challenge the “People Equation”
Many of the team members at Cloudrise built the first managed data loss prevention business in the world, operated it from 2002 through 2016, and then completed a two-year tour-of-duty in one of the leading Big 4 consulting practices helping to evolve their data risk business. To be blunt, these models were outdated before the current social and economic environment and in my humble opinion, these firms should feel like a dinosaur looking at a very large glowing rock approaching over the horizon. We believe it is time to challenge what you are paying your data risk/data protection/privacy service providers for:
Assessments are typically performed by expensive consultants, who spend months onsite aggregating data in Excel, and dumping the results into an 80 slide PowerPoint. By the time the entire process is completed, the business risk has evolved so quickly the entire engagement is dated, inaccurate and most importantly, unactionable.
Technology implementations of data/privacy centric platforms are perhaps one of the most frustrating engagements for customers. Most of these engagements are driven by technologists, who have performed minimal requirements gathering and acceptance testing with the business. Compounding the problem is this constant “point-in-time” engagement model, typically linked to the outdated assessment. So, when coupled with constrained staffing, lack of program continuity and tight budgets, the vicious cycle of never-ending “re-implementations” or “platform optimizations” becomes an expensive and highly ineffective reality. Translated: Hamster wheel of professional services engagements.
Managed Services for data protection platforms – two flavors, both poor options:
- Traditional MSSPs have always steered clear of taking on DLP, UEBA, CASB, and the emerging world of privacy/trust and compliance platforms from a fully “managed” perspective. They will gladly dump the logs into their proprietary SIEM or third-party log aggregator, but unfortunately, most true cyber-SOC operations are not designed to consume rich contextual data from the data-centric technology platforms. Buyer beware of any of these traditional MSSP types of services: kick the tires prior to contracting as you may feel like slashing them later down the road!
- Remote staff management / staff augmentation providers, ranging from boutiques to massive global consulting firms, typically manage their largest controllable cost through staffing…which can have a huge impact on their quality of service. These providers are plagued with the problems of price arbitrage-driven labor models and high turnover, which result in erratic service levels and inconsistent results. Every day these providers fight the never-ending headwinds of a cyber labor market that is already short on resources.
At Cloudrise our approach can dramatically reduce costs via our Security Process Automation service, our version of “Digital Transformation”. The reality is you will need people to define targeted use cases, gather business requirements, understand the technology available to orchestrate, and code the automation. However, once your technology is orchestrated and processes are automated, your team can focus on managing the business, while Cloudrise Security Process Automation services will help you reduce headcount and inefficient and manual processes.
3. Applying orchestration and automation
Discussing orchestration is like opening a can of worms, as there are so many interpretations and flavors. At first mention of orchestration, threat-centric cyber professionals like to show off the newest tool in their arsenal: Security Orchestration, Automation and Response (SOAR) platforms. These tools are designed to optimize event detection, response, management, and remediation. The SOAR platforms rarely deliver the vision promised, as the “playbooks” are like many cyber tools – designed to address a common set of problems across as many platforms as possible. Our analogy? How many organizations have out-of-the-box DLP, Proxy, Email Gateway and other platforms that truly require zero policy/playbook tuning?
What do we find when we audit SOAR platforms? They are typically grossly underutilized tools requiring significant programming expertise to truly map the orchestration of systems and deliver relevant automation. If you have a SOAR platform, I challenge you to this exercise:
- Audit the playbooks and determine if they integrate with non-cyber based platforms like HR systems, health information systems, the myriad of banking processing systems, reporting platforms, and communication platforms.
- Has the platform been leveraged to solve business-centric requirements?
- Did compliance, privacy and relevant business unit leads have input into the requirements, and are they recipients of the playbook output?
In most cases, SOAR platforms are highly focused on the threat-centric world and are rarely leveraged to address the requirements of business-centric data risk management. Additionally, data and privacy-centric platforms require constant care and feeding, and so much manual time and labor is spent maintaining them that automation is a no-brainer. Add to that the overwhelming amount of manual labor and processes used to generate accurate, reliable, and visually readable reporting for a diverse set of consumers of the information.
What better time to apply orchestration and automation technology, while partnering with a service provider who can design, build, implement, and manage the automation?
Our Approach: Business-centric security process automation
I get these questions all the time…So, Rob, what does Cloudrise really do? Why are you guys different? Why should we partner with Cloudrise?
All understandable questions for a 9-month-old company, so here is a quick summary of our business model:
Security Process Assessment
We focus on enriching outputs by automating and orchestrating functions across data protection and privacy controls, applications, and reporting and visualization tools. This means we work with our customers to develop business-centric use cases, which revolve around the protection of Personally Identifiable Information (PII), Payment Card Industry (PCI) data, and additional select intellectual property that the customer wants better visibility into, as well as the ability to manage risk. Some organizations have an existing DLP, CASB, privacy/consent management, or Microsoft O365 platform and need a better way to operate the environment.
These engagements are short in duration, cost effective, and provide a blueprint for the desired state, which is to orchestrate as much currently embedded technology to solve the problem and then create automation to deliver highly reliable, scalable, and accurate outcomes addressing the targeted use cases.
In many cases we find the core data protection and privacy platforms’ native configurations are grossly underutilized or poorly configured, which results in a “squeaky wheel” in the overall orchestration, jeopardizing the effectiveness of the automation. Simply stated, once we know your desired state, we have teams that optimize the native platforms such as DLP, CASB, privacy and consent management, and the beast of Microsoft O365. The Cloudrise differentiator is the ability to leverage our proprietary playbooks, reducing the time to assess the platforms’ current configurations and implement optimized configurations via automation. These playbooks are built and maintained for numerous vendors and new ones can be built upon request.
Security Process Automation
Simply stated, we take the results from the Security Process Assessment and will provide your team with a “ready to build playbook blueprint”. From there, you have two options: utilizing the blueprint you can build the automation and manage it yourself or have Cloudrise build it. Want us to manage it too? Read on…
Managed Security Process Automation
For those who do not have the means to develop automation, the resources to implement and operate it, or the programming staff to design, build and stitch together the necessary orchestration between disparate systems, Cloudrise can help. We offer a fully managed service that drives increased efficiency, consistency, and scalability. Cloudrise will manage the automation, making changes as the business environment changes, including development of new integrations and playbooks.
It is not sexy work, but our approach of applying orchestration and automation to the management of DLP, CASB, Office 365, security and consent management, and privacy platforms is highly cost-effective and delivers exceptional health check and functionality monitoring and management. We are not triaging incidents, and our automation provides higher accuracy, operates 24×7, does not require PTO, and we are not passing through overhead costs to our clients.
To sum it up, Cloudrise likes to do things a bit differently: we approach cyber risk management by addressing business risk. We are tackling this challenge in the marketplace by utilizing data protection and privacy platforms to enable both technology and business stakeholders to gain shared visibility into their risk. We are a team of seasoned experts challenging the status quo in the areas of data privacy and data protection. At Cloudrise, you will find massive amounts of innovation and a relentless drive to help our customers achieve better outcomes, reduce risk, contain costs, and increase profits.
Thanks for taking time to read our first blog! If you like our thoughts and approach, please contact us, help us pick another use case, and challenge us to solve the problem. Game on!