Common Security Pain Points for IT Admins and How to Solve Them

The role of IT security administrators increasingly is changing as threats evolve. Here are some ways companies can help make their jobs a bit easier.

Security executives only know a part of what’s going on in their environment. Systems, data and business units are extremely siloed within large companies. Each group manages its own systems and applications. Picture an office building with security executives managing a team of security guards at the front desk. They make sure only those who should be accessing the building get access; however, once individuals are inside, the guards cannot see what all of them are doing. They cannot see if a visitor went into an office and opened a file cabinet that contained sensitive information.

In Bay Dynamics’ recent study, “Reporting to the Board: Where CISOs and the Board Are Missing the Mark,” 81 percent of IT and security executives admitted they employ manually compiled spreadsheets to report data to the board. The manual process creates a few pain points. Security teams spend hours collecting spreadsheets from the various business units and stitching them together into one coherent data document the CISO uses to report to the board. The data often is inaccurate because manual processes enable data massaging that inherently introduces bias into the data. Measuring cyber-risk becomes an almost impossible task if security executives, other C-levels and the board are not looking at accurate data.

Endless notifications coming from security controls that aren’t prioritized based on the value of the asset at risk and the impact of an event, coupled with limited resources, mean security executives struggle with cutting through the noise. They have invested in many security tools, yet have trouble making sense of the information coming from those tools. They view each piece of information as one pixel of a picture. Since they cannot see how all of the pixels fit together into one picture, they don’t know where to start. For example, they may focus their attention on a lower-priority vulnerability while a higher-risk vulnerability is overlooked.

Security executives struggle with communicating cyber-risk information to the board in a traceable, understandable, contextualized way. According to the recent study, “How Boards of Directors Really Feel about Cyber Security Reports,” more than half (54 percent) of board members agree or strongly agree that the data presented by security executives is too technical.

Security executives often have difficulties engaging line-of-business application owners, who govern the company’s most sensitive assets but are not on the security team. Line-of-business application owners have the best understanding of the assets they govern and therefore can add the required context when something unusual is detected. Security executives must get them involved in the cyber-risk management process so they can add contextual information to notifications and alerts.

To solve these pain points, security executives should do the following (see next four slides):

Before solving any of the previous pain points, security executives must identify their most-valued assets that, if compromised, could cause the most damage to the company. Once they figure out what those assets are, where they live and who governs them, security executives should devote the vast majority of their efforts to protecting them. That includes uncovering threats and associated vulnerabilities related to those assets and the probability of an attack. They should then apply security resources accordingly.

Line-of-business application owners should receive a prioritized view of the top threats and vulnerabilities to the valued assets under their governance. That way they know exactly what action must be taken to protect their assets. They also should receive automated alerts if security tools flag unusual access to assets under their control. They then can notify incident responders whether they authorized the access or it is suspicious and needs immediate investigation.

It’s time to get rid of the spreadsheets. Security executives should implement an automated process for collecting cyber-risk data so that all stakeholders—line-of-business application owners, IT leaders, boards of directors, executives and the security team—are looking at the same cyber-risk information generated automatically. That way security executives can efficiently produce cyber-risk reports that are unbiased, traceable and actionable so that the board of directors can make informed decisions.

Boards understand risk; security executives also must understand it. Security executives are no longer viewed as the “techies” who only manage cyber-security technology. They increasingly are viewed as risk professionals in the same light as other operational risk leaders (i.e., legal, financial, etc.). Due to this shift, security executives must change their approach. Instead of reporting about patches, misconfigurations and other technology-focused information, they should report about threats, associated vulnerabilities pertaining to their most-valued assets and the probability of those two meeting, then apply security resources accordingly. That’s the language the board understands.