Chances are, your organisation is reasonably comfortable with how it manages cyber security risk. Because—let’s face it—we all know that cyber security risks are very real, and the consequences of a cyber security breach can be very serious and costly. Successful organisations—at least those that want to continue to be successful—are, more than ever before, taking cyber security very seriously at board level too.
So the days are gone when cyber security risk was managed by periodic—say annual—audits, for which the organisation had spent two months preparing by means of internal inspections and compliance checks.
Take the Payment Card Industry Data Security Standard, for example, with which huge numbers of organisations must comply. A very formalised standard, it requires trained assessors to make ongoing checks, and rigorously covers around 250 separate controls.
Simply put, if your organisation processes payments made by credit and debit cards, then compliance with it is mandatory. And the Payment Card Industry Data Security Standard is just one of many such cyber security standards, of course. In each case, organisations—yours among them, very probably—invest considerable resource in complying.
Better by design
But suppose that there was a better way of complying? A more rigorous, real-time way of managing and seeing cyber security risk? And a more cost-effective way, yet one which delivers better and more secure outcomes?
You’d be interested in learning more, we’d guess.
Well, that better, more rigorous, more cost-effective, and more secure means of compliance now exists. Industry giants have been doing it for some time, albeit in a restricted and somewhat labour-intensive way.
Yet now, it’s available to firms of any size, as an automated, affordable managed service. It’s called Continuous Controls Monitoring, often shortened to just CCM.
We are pleased to see that Gartner now recognises Continuous Controls Monitoring (CCM) as an emerging governance, risk and compliance technology with its own product category. We believe this is particularly relevant because Gartner rates the benefits of CCM technology as ‘high’ and reaching its peak in the next 5-10 years.
Gartner also sees Continuous Controls Monitoring as being essential tech for large, heavily regulated organisations in the next few years.
Too little, too late
To understand why Continuous Controls Monitoring, or CCM, is a better way of managing cyber security risk, consider how organisations typically monitor and audit these various controls.
Again, let’s use the 250 or so controls covered by the Payment Card Industry Data Security Standard as an example, although we could take almost any cyber security standard, and the same points would apply.
Essentially, organisations rank the various controls into a rough order of importance, based on the perceived risk or likelihood of a breach and its perceived cost or consequence. Some controls might be checked only quarterly. Others monthly. Some weekly. In each case, the checking in question is mostly undertaken manually, and can be very labour-intensive.
But while such an approach is sensible and pragmatic, it’s far from ideal. A lot depends on the accuracy of the judgements made about the perceived risk or likelihood, for example. Not auditing a given control for a year, or a quarter, might turn out well, but then again, it might not. As you can imagine, this approach leaves a lot to chance.
Likewise with assumptions made about the cost or consequence of any cyber security breach, of course. In some of the most notorious cyber security breaches, organisations turned out to have misjudged not the likelihood of a breach, but its consequences. And the consequences these days are made even more severe in this era of GDPR and related penalties.
A better mousetrap
But suppose it was possible to monitor these controls automatically and remotely, via telemetry? That could be transformational: assurance could be continuous and it could be highly visible in real time.
And that, in essence, is what Continuous Controls Monitoring does, which is why some say it is transformational and therefore a cyber security game changer. Granted, acquiring and building that telemetry can require investment, although experience shows that doing so is easier than many organisations suspect, and ROI can come very quickly.
But the prize is worth the effort: for every control brought into a Continuous Controls Monitoring regime, the result is real-time continuous assurance rather than monitoring weekly, monthly, or to some other timetable.
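To make the contrast between scheduled checks and continuous, telemetry-driven assurance concrete, here is an added example (not code from the original article, and not Quod Orbis's platform). It models a handful of controls as predicates over a telemetry snapshot, evaluates them on every snapshot, and measures how many days a control failure goes unnoticed under weekly, monthly and quarterly audits versus continuous evaluation. The control identifiers (`C-01` to `C-04`), the telemetry field names and the drift scenario are all constructed for illustration and are not taken from any standard.

```python
"""Toy continuous-controls-monitoring evaluator.

Added illustration, not the article's or Quod Orbis's code. Control ids,
telemetry fields and the drift scenario are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Telemetry = Dict[str, object]


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    check: Callable[[Telemetry], bool]  # True when the control is satisfied


# Constructed controls, loosely in the spirit of common payment-security requirements.
CONTROLS: List[Control] = [
    Control("C-01", "Vendor default passwords removed",
            lambda t: not t["default_password_present"]),
    Control("C-02", "Disk encryption enabled on data stores",
            lambda t: t["disk_encryption"] == "enabled"),
    Control("C-03", "Anti-malware signatures no older than 7 days",
            lambda t: t["av_signature_age_days"] <= 7),
    Control("C-04", "Firewall default inbound policy is deny",
            lambda t: t["fw_default_policy"] == "deny"),
]

# Constructed compliant baseline snapshot, as collected from a host each day.
BASELINE: Telemetry = {
    "default_password_present": False,
    "disk_encryption": "enabled",
    "av_signature_age_days": 1,
    "fw_default_policy": "deny",
}


def evaluate(snapshot: Telemetry) -> Dict[str, bool]:
    """Evaluate every control against one telemetry snapshot."""
    return {c.control_id: bool(c.check(snapshot)) for c in CONTROLS}


def compliance_ratio(snapshot: Telemetry) -> float:
    """Fraction of controls passing for one snapshot (1.0 == fully compliant)."""
    results = evaluate(snapshot)
    return sum(results.values()) / len(results)


def build_timeline(days: int = 120, drift_day: int = 10) -> List[Tuple[int, Telemetry]]:
    """Constructed daily telemetry: compliant until drift_day, when someone
    loosens the firewall default policy and nobody notices."""
    timeline = []
    for day in range(days):
        snap = dict(BASELINE)
        if day >= drift_day:
            snap["fw_default_policy"] = "allow"  # constructed configuration drift
        timeline.append((day, snap))
    return timeline


def first_failure_day(timeline, control_id: str) -> Optional[int]:
    """Day on which continuous evaluation first sees the control fail."""
    for day, snap in timeline:
        if not evaluate(snap)[control_id]:
            return day
    return None


def periodic_detection_day(timeline, control_id: str, every_days: int) -> Optional[int]:
    """Day on which an audit run every `every_days` days (starting day 0) first
    sees the control fail."""
    for day, snap in timeline:
        if day % every_days == 0 and not evaluate(snap)[control_id]:
            return day
    return None


def detection_lags(timeline, control_id: str, schedules=(7, 30, 90)) -> Dict[str, Optional[int]]:
    """Days between the control actually failing and each regime noticing it."""
    failed = first_failure_day(timeline, control_id)
    lags: Dict[str, Optional[int]] = {"continuous": 0 if failed is not None else None}
    for n in schedules:
        seen = periodic_detection_day(timeline, control_id, n)
        lags[f"every_{n}d"] = None if seen is None or failed is None else seen - failed
    return lags


if __name__ == "__main__":
    tl = build_timeline()
    print("day 0 compliance:", compliance_ratio(tl[0][1]))
    print("day 10 results:", evaluate(tl[10][1]))
    print("detection lag for C-04:", detection_lags(tl, "C-04"))
```

In the constructed scenario the firewall policy drifts on day 10: continuous evaluation flags it the same day, a weekly audit catches it on day 14, a monthly one on day 30 and a quarterly one on day 90, which is the exposure window the article's argument is about. Real deployments replace the `BASELINE` dictionary with collector output and express the `check` predicates against whatever fields that collector provides.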
Better still, as is the case with Quod Orbis, Continuous Controls Monitoring can be put in place within your organisation as a bought-in managed service from a provider of Continuous Controls Monitoring. In this way, real-time continuous monitoring is undertaken by experts using a market-leading Continuous Controls Monitoring platform.
And once again, the experience of real-life cyber security breaches underscores the importance of this enhanced approach to protecting against cyber security risk: when left to hard-pressed and busy IT employees, it’s far from unknown for alarms to be ignored, mistakenly perceived as ‘false positives’.
The ROI of Continuous Controls Monitoring
So the benefits of Continuous Controls Monitoring are readily understood.
Better security, for one. Genuine real-time security, for another. A lower cost, with telemetry and remote automated monitoring replacing expensive and scarce cyber security expertise, as well as a lower burden on the business and IT teams. Greater assurance of business continuity. And in most cases, a ready ability to demonstrate superior cyber security practices to interested parties such as customers.
In short, it’s a simply superior approach.