A security breach is a common risk that can have crippling effects on your organization. So, how do you respond to your leadership team when they ask how security is being addressed?
A security breach is making the news and your CIO, CTO, or even your CEO are all asking the same question: “Are we at risk too?” It’s that chilling moment when strategic risk meets daily reality, and leadership expects you to have the answer.
To really own that moment, you’ll want your response to include these four points:
- Yes, we are aware of this critical vulnerability.
- We know how many of our organization’s machines are vulnerable.
- The emergency patching has already started.
- Here is the progress so far.
So, how well can you address these and reduce your organization’s risk of a security breach?
1. Yes, we are aware of this critical vulnerability
Here’s a question: How are you staying on top of IT issues that might impact your business? Sure, you can rely on the news, but that doesn’t give you much more knowledge than your CEO.
Instead, you might get your information directly from sources like the United States Computer Emergency Readiness Team (US-CERT). You could sign up for their weekly email summary of new vulnerabilities and security breaches, sorted by risk level. But are you really keeping up with those emails when you have so much else on your plate?
The solution is to automatically retrieve that data from the web. HighBond by Galvanize has a long and growing list of data connectors for custom APIs like those from US-CERT. By using this feature, you can have the work done for you and instantly receive a consolidated table listing all the vulnerabilities. And with ACL Robotics, you can schedule the import as often as you want: every week, every day, or every hour. Rather than having this information stored in your inbox, you can have it all in your risk management dashboard.
2. We know how many of our organization’s machines are vulnerable
An average of 38 new vulnerabilities are identified every day. There’s no way to know in advance how many of these potential security breaches are applicable to your organization’s systems.
To be sure you don’t miss any, you’d need to cross-reference the list of vulnerabilities with your list of assets. That means checking each vulnerability against the full list of software installed across your organization: hundreds of millions of comparisons!
Luckily, IT GRC solutions can transform this daunting and seemingly impossible task into something that takes just minutes. You can then:
- Use powerful text analysis and fuzzy-matching functions to match disparate data
- Summarize the data to reduce the volume and accelerate treatment
- Leverage previous findings to focus on what’s new and avoid duplicating efforts.
This is all handled automatically by robotic process automation so that your team and your resources are freed to focus on value-add tasks.
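The cross-referencing described above (fuzzy-matching feed product names against an installed-software inventory, summarizing the hits, and diffing against previous findings) can be sketched in a few dozen lines. The script below is an added example written for this page, not HighBond, ACL Robotics or Galvanize code; the feed entries, hosts, versions and `EXAMPLE-000n` identifiers are all constructed, and the matching threshold and stop-word list are assumptions chosen for the sample data.

```python
"""Cross-reference a vulnerability feed against a software inventory.

Added example (not HighBond/ACL code). All feed entries, hosts, versions
and vulnerability IDs below are constructed for illustration.
"""
import difflib
import re
from collections import Counter

# Constructed sample feed: product names are free text and do not match
# the inventory spelling exactly, which is the real-world problem.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "product": "Apache HTTP Server", "fixed_in": "2.4.50", "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "product": "OpenSSL Project OpenSSL", "fixed_in": "1.1.1l", "severity": "HIGH"},
    {"id": "EXAMPLE-0003", "product": "Oracle MySQL Server", "fixed_in": "8.0.27", "severity": "MEDIUM"},
]

# Constructed inventory, one row per (host, installed package).
INVENTORY = [
    {"host": "web-01", "software": "apache2 (Apache HTTP Server)", "version": "2.4.41"},
    {"host": "web-01", "software": "openssl", "version": "1.1.1k"},
    {"host": "web-02", "software": "Apache HTTPD", "version": "2.4.52"},
    {"host": "web-02", "software": "openssh", "version": "8.2p1"},  # near-miss name, must NOT match OpenSSL
    {"host": "db-01", "software": "mysql-server", "version": "8.0.21"},
    {"host": "db-01", "software": "openssl", "version": "1.1.1l"},
]

# (vuln id, host) pairs already recorded by last week's run (constructed).
PREVIOUS_FINDINGS = {("EXAMPLE-0002", "web-01")}

STOPWORDS = {"project", "inc", "corporation", "server", "the"}  # assumed filler words
MATCH_THRESHOLD = 0.9  # assumed; tune against your own inventory


def normalize(name):
    """Lower-case, split on punctuation, drop filler words and trailing
    digits (apache2 -> apache), and de-duplicate tokens keeping order."""
    tokens = []
    for tok in re.split(r"[^a-z0-9]+", name.lower()):
        tok = re.sub(r"\d+$", "", tok)
        if tok and tok not in STOPWORDS and tok not in tokens:
            tokens.append(tok)
    return tokens


def similarity(feed_name, inventory_name):
    """Fuzzy score in [0, 1]: token containment catches 'Oracle MySQL' vs
    'mysql', the character ratio catches 'httpd' vs 'http'. The 0.9 bar
    keeps 'openssl' vs 'openssh' (ratio ~0.86) from matching."""
    a, b = normalize(feed_name), normalize(inventory_name)
    if not a or not b:
        return 0.0
    containment = len(set(a) & set(b)) / min(len(set(a)), len(set(b)))
    ratio = difflib.SequenceMatcher(None, " ".join(a), " ".join(b)).ratio()
    return max(containment, ratio)


def version_key(version):
    """Comparable tuple: numeric runs compare as ints, letter runs as
    strings, so 1.1.1k < 1.1.1l < 1.1.2 and 2.4.41 < 2.4.50."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-z]+", version.lower()))


def find_vulnerable(feed, inventory):
    """Return {(vuln_id, host)} for every inventory row whose product
    matches a feed entry and whose version is below the fixed version."""
    findings = set()
    for vuln in feed:
        for row in inventory:
            if similarity(vuln["product"], row["software"]) < MATCH_THRESHOLD:
                continue
            if version_key(row["version"]) < version_key(vuln["fixed_in"]):
                findings.add((vuln["id"], row["host"]))
    return findings


def summarize(findings, feed):
    """Reduce the raw hits to counts per vulnerability, host and severity."""
    severity = {v["id"]: v["severity"] for v in feed}
    return {
        "per_vuln": Counter(vid for vid, _ in findings),
        "per_host": Counter(host for _, host in findings),
        "per_severity": Counter(severity[vid] for vid, _ in findings),
    }


def new_findings(findings, previous):
    """Only what was not already known, so the team does not re-triage it."""
    return findings - previous


if __name__ == "__main__":
    found = find_vulnerable(VULN_FEED, INVENTORY)
    for vid, host in sorted(found):
        print(f"{vid}\t{host}")
    print(summarize(found, VULN_FEED))
    print("new since last run:", sorted(new_findings(found, PREVIOUS_FINDINGS)))
```

On the sample data the script reports three vulnerable (vulnerability, host) pairs, of which two are new since the previous run, while the `openssh` row is correctly left alone despite differing from `openssl` by one letter. Scheduled runs of a script like this are the "robot" the paragraph refers to; the interesting tuning work is the threshold and the stop-word list, which should be checked against a sample of known matches and known near-misses from your own inventory before trusting the results.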
3. The emergency patching has already started
Do you remember WannaCry? This ransomware exploited a security hole in Windows with devastating consequences. Depending on the size of your organization, thousands of machines may have needed updates from just this one vulnerability.
Often, the logistics of patching are reduced to a single individual grinding through a spreadsheet that lists all the vulnerable systems, and possibly reaching out to employees by email or phone.
Obviously, this is a time-wasting nightmare. But reliable, consistent patching is just a few clicks away when you use robotic process automation. It lets you build your own customized workflow and make use of:
- Questionnaires sent automatically whenever an action needs to be taken
- Triggers to react to new data and notify the appropriate group(s)
- Metrics to receive alerts when certain thresholds are crossed.
4. Here is the progress so far
To build trust with your executive team, you’ll need to provide visibility into your process. Providing a progress update is a painful ad-hoc process—especially if you’re tracking everything in a spreadsheet.
Challenge 1: The data isn’t up to date
A spreadsheet is merely a tracking mechanism, disconnected from the actual work because:
- It doesn’t include everything that’s happening (e.g., email conversations)
- It’s not easy to collaborate with multiple people at the same time
- Someone needs to remember to look at it.
Consider the discrepancies in data and how much back and forth you might have to do if you’re working with spreadsheets.
Challenge 2: It’s time-consuming
It takes time to transform your data into meaningful insights. It may take even more time to make it presentable and visually engaging. And data stored in spreadsheets is disconnected from the ongoing strategic risk management, which means you’ll need to duplicate your work in separate systems.
Challenge 3: The report is out of date
By the time you obtain a snapshot of the situation and produce a report, it’s usually out of sync with reality. It won’t show ongoing progress, and you’ll need to repeatedly recreate it.
This is where the HighBond platform really shines. With all of your data in one place, HighBond’s storyboards let you:
- Visually represent data in real time, effortlessly
- Add context to help your audience get the message
- Share the story with anyone who has internet access.
While no organization plans on being unprepared for a security breach, unfortunately many are. With HighBond, you’ll have the tools you need to address the inevitable “Are we at risk?” question quickly and with confidence.