We recently polled some of our top security experts and engineering leaders to find out what critical information is required to secure their businesses and manage their resources effectively. We specifically asked, “What are the top questions you need to answer about your business?” Part one of this two-part series will look at these top questions from the perspective of the Chief Information Security Officer (CISO/CSO) who in many organizations is responsible for everything related to security.
CISOs must answer a broad set of questions that span the security function
Since all of security bubbles up to the CISO, their areas of concern are fairly wide ranging. The CISOs we polled had a broad set of questions that included priorities, security controls, risk, critical assets, vulnerabilities, identity and access, and compliance.
We were left with eleven questions after compiling and deduplicating the responses, which we think every CISO should be able to answer. This is by no means an exhaustive list, but it can serve as a good indicator of what other security leaders are paying attention to. Let’s look at some specific areas of concern and related questions raised by the CISOs we interviewed.
Asset management includes knowing where all of your physical and software-defined assets exist, compiling a complete inventory, and being able to interrogate them. These asset management questions from the CISOs show the importance of being able to define criticality, prioritize assets and findings, and map ownership, access, and vulnerabilities.
The top questions related to assets include:
- Who owns (or is most likely to own) my critical assets and their associated findings?
- Who or what can access my critical data? How?
Monitoring and detection
Continuous monitoring is an important aspect of security. Ensuring that networks, devices, servers, etc. have the correct detection capabilities is critical. This can include everything from enabling logging to ensuring that your EDR tool is installed on all of your endpoints. This also applies to more than just physical assets and devices. Mature security teams must be able to identify and monitor every asset in their environment.
The top question related to monitoring was:
- Are my detection capabilities everywhere I expect them to be, fully capable, and up-to-date?
Vulnerability management is a key preventative measure for all security professionals. The theme of prioritization is evident in the questions below, which include accounting for the type of resource, its criticality, and the attack path or known exploit. Important metrics emerge as well. Vulnerability dwell time is the amount of time it takes to remediate a given vulnerability. Another key metric to track and report for customer support is how vulnerability dwell times compare to the promised SLAs.
The top questions related to vulnerability management included:
- What are my vulnerabilities or configuration issues, after they’ve been deduplicated and prioritized?
- Who owns and has the ability to fix the assets and vulnerabilities?
- What is my vulnerability dwell time and SLA adherence?
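As an added illustration (not JupiterOne's code or tooling) of the dwell-time and SLA-adherence metrics just described, together with the ownership question, this Python computes them over a constructed set of findings: duplicates from multiple scanners are collapsed first, open findings keep accruing dwell time, and overdue open findings are grouped by the owner who can fix them. The per-severity SLA thresholds, the `Finding` fields, and the sample data are all assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Promised remediation SLAs in days per severity (assumed, constructed values)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# vuln_id is a placeholder, not a real advisory; owner is the team able to fix the
# asset; fixed=None means the finding is still open
Finding = namedtuple("Finding", "asset vuln_id severity owner found fixed", defaults=(None,))

def dedupe(findings):
    """Collapse repeat reports of one asset/vuln pair, keeping the earliest discovery."""
    best = {}
    for f in findings:
        key = (f.asset, f.vuln_id)
        if key not in best or f.found < best[key].found:
            best[key] = f
    return list(best.values())

def dwell_days(f, now):
    """Days from discovery to remediation; an open finding keeps accruing until now."""
    return ((f.fixed or now) - f.found) / timedelta(days=1)

def sla_report(findings, now):
    """Per severity: finding count, mean dwell time, and share of findings within SLA."""
    totals = {}
    for f in dedupe(findings):
        d = dwell_days(f, now)
        t = totals.setdefault(f.severity, [0, 0.0, 0])  # count, dwell sum, within SLA
        t[0] += 1
        t[1] += d
        t[2] += d <= SLA_DAYS[f.severity]
    return {sev: {"count": c, "mean_dwell_days": round(s / c, 1), "sla_adherence": round(w / c, 2)}
            for sev, (c, s, w) in totals.items()}

def overdue_by_owner(findings, now):
    """Open findings already past their SLA, grouped by the owner who can fix them."""
    out = {}
    for f in dedupe(findings):
        if f.fixed is None and dwell_days(f, now) > SLA_DAYS[f.severity]:
            out.setdefault(f.owner, []).append((f.asset, f.vuln_id))
    return out

# Constructed sample findings (not real data); NOW is the reporting date
NOW = datetime(2024, 3, 1)
FINDINGS = [
    Finding("web-01", "VULN-0001", "critical", "app-team", datetime(2024, 2, 1), datetime(2024, 2, 5)),
    Finding("web-01", "VULN-0001", "critical", "app-team", datetime(2024, 2, 3), datetime(2024, 2, 5)),  # duplicate
    Finding("db-02", "VULN-0002", "critical", "data-team", datetime(2024, 2, 10)),  # still open, past SLA
    Finding("web-03", "VULN-0003", "high", "app-team", datetime(2024, 1, 1), datetime(2024, 1, 20)),
]
```

Calling `sla_report(FINDINGS, NOW)` yields a 50% critical SLA adherence because the open `db-02` finding has already exceeded its 7-day window, and `overdue_by_owner(FINDINGS, NOW)` attributes it to `data-team`.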
Risk management is complex but essential, because it helps teams be better prepared to act. The risk-related questions proposed by our experts were a bit more open-ended. Knowing where the most important risks or attack paths are helps teams uncover the root of the risk to their organization. In addition, understanding how risk posture evolves over time is an important indicator for CISOs, and can reveal a lot about the efficacy of the security programs and efforts.
The top risk management questions included:
- What are my top risks?
- Are we improving our risk posture?
Identity and access management and compliance
Identity and access management (IAM) touches on all of the topics discussed above. CISOs are concerned with: who has access to what, who should or should not have access, and who can fix issues. Controlling identities and access, as well as mapping them to compliance frameworks and regulations, is a critical piece of the security puzzle.
The top IAM questions included:
- What tokens and roles are associated with which accounts?
- Do those comply with policies and security controls?
More questions than answers
How confident are you that you can answer questions like these accurately?
Many security organizations are riddled with more questions than answers. If you can’t answer complex questions about assets, vulnerabilities, risks, or access, you’re working in the dark. Asset visibility is essential to security. Having confidence in the processes and systems you have in place to understand your resources and environments is an important step toward security maturity. JupiterOne helps you answer these questions and more. Contact us today to find out how.
What are some of the critical questions and key metrics that your security organization is tracking? We’d love to hear how they compare to our experts.