Using Data to Drive Security Decisions (and not the Reverse)

The textbook view of using business data to drive security management goes something like this: Data is fed from across the enterprise ecosystem into a large-scale database. The data is then subjected to advanced analytics that uncover subtle correlations. The resulting insights are then used to make scientific data-driven decisions. This is how it’s drawn up in Enterprise Security Management 101, and it all makes perfect sense.

Except that this is not how it’s typically done. In far too many cases, the process is reversed. For example, a brand new CISO might want to show that the last person in the job was a total loser. Correlations are then invented that will support this view. The business ecosystem is then scanned to find data that can justify this pre-ordained conclusion. The whole thing is done backwards.

This observation on data-driven versus data-justified security management was a point of great discussion recently between myself and Jon Hawes of Panaseer. We had a stimulating conversation about how to help CISO teams use data to drive good decisions, rather than to justify bad ones. The Panaseer team understands the difference, and I was keen to learn more.

From a platform perspective, Panaseer offers precisely what you would expect from a data-driven management support platform for enterprise security. It includes connectors for familiar cyber security tools such as Palo Alto Networks firewalls and Rapid7 scanners, as well as for enterprise IT components such as asset inventory management systems. Their website lists the full range of tools supported.

The Panaseer platform uses a common data model onto which collected data indicators can be mapped. For example, Tanium might refer to an entity one way, whereas Sophos and Qualys systems might use different designations. The platform makes sense of all this by baselining the data into a uniform framework. This is harder than it looks, and the Panaseer approach looks sensible to me.

Jon explained that the way many customers start out on the Panaseer platform often needs some improvement. “Our customers make use of the platform to deal with the four primary modes of management – namely, periodic, planned, ad hoc, and crisis,” he told me. “But we have noticed that most CISOs operate mostly ad hoc.”

This point was easy to accept, as it’s been my experience that despite increased executive focus on security (which is good), amidst increasing cyber attacks that require management attention (which is bad), the vast majority of decision-making by enterprise security teams is made on a day-to-day basis using ad hoc justifications and instinctual guidance.

Jon and I agreed that security decisions rely far too often on subjective and personal motivations with data custom-fit to support pre-determined goals. Worried about the next tuition payment? Well, then toss up a chart at the next Board Meeting showing your obvious awesomeness. Need two more years until retirement? Well, then find some good news for the next senior management committee meeting. And so on.

Being a CISO, or just participating in the vocation of enterprise security, requires a spirit of honesty that is easy to vocalize, but much harder to balance. For example, enterprise security managers are frequently asked to calm down senior leadership, while also providing an accurate depiction of risk. This is a difficult tightrope to walk, and the temptation to cook the data is high.

This is why – and I am sure Jon and the Panaseer team would agree – it is essential to adopt a data-driven management approach for enterprise security. Look, I would never argue for more passivity in any management concern. But perhaps we must be a tad less proactive in making early judgments. We must be more scientific in decision-making, which requires standing behind our data, rather than next to it.

I know this approach can put security teams in awkward positions. Data might suggest that the expensive IAM deployment you funded last year is not working. Or data might suggest that your big patch management push is barely covering the inventory. I know these are uncomfortable situations, but unless we are honest in managing enterprise security, we will continue to trail the offense. I think you know this is true.
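To make the two ideas above concrete (the common data model that reconciles how Tanium, Sophos, Qualys and the like name the same asset, and the uncomfortable coverage numbers that honest data can produce), here is a small added example. It is my own illustration, not Panaseer code; the tool exports, field names, host names and the 30-day scan SLA are all constructed for the purpose. It normalizes three differently-keyed exports into one asset table and then reports scan coverage, endpoint-agent gaps, and hosts the scanner sees that the inventory does not.

```python
"""Normalize asset records from several security tools into one common model,
then compute coverage metrics from it.  Added example; not Panaseer's code.
All tool exports, field names and host names below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample exports.  Each tool designates the same machine differently:
# the inventory uses FQDNs, the scanner mixes short and long names, and the
# endpoint agent reports upper-case names.
INVENTORY = [  # hypothetical CMDB / asset inventory export
    {"fqdn": "web01.corp.example.com", "owner": "platform"},
    {"fqdn": "db02.corp.example.com", "owner": "data"},
    {"fqdn": "hr-laptop-17.corp.example.com", "owner": "hr"},
]
SCANNER = [  # hypothetical vulnerability scanner export
    {"host": "WEB01", "ip": "10.0.1.10", "last_scan_days": 3},
    {"host": "db02.corp.example.com", "ip": "10.0.1.20", "last_scan_days": 45},
    {"host": "test-vm-9", "ip": "10.0.9.9", "last_scan_days": 1},  # not inventoried
]
EDR = [  # hypothetical endpoint agent export
    {"hostname": "WEB01.CORP.EXAMPLE.COM", "agent_ok": True},
    {"hostname": "hr-laptop-17", "agent_ok": True},
]


def canonical_key(name: str, domain: str = "corp.example.com") -> str:
    """Map any tool's host designation to one canonical key: the lower-case
    short hostname.  'WEB01', 'web01.corp.example.com' and
    'WEB01.CORP.EXAMPLE.COM' all collapse to 'web01'."""
    n = name.strip().lower()
    if n.endswith("." + domain):
        n = n[: -len(domain) - 1]
    return n.split(".")[0]


@dataclass
class Asset:
    """One row of the common data model."""
    key: str
    owner: Optional[str] = None            # set only if the inventory knows it
    scanned_within: Optional[int] = None   # days since last vulnerability scan
    edr_agent: Optional[bool] = None       # endpoint agent reporting healthy


def build_common_model(inventory: List[dict], scanner: List[dict],
                       edr: List[dict]) -> Dict[str, Asset]:
    """Baseline every export onto the canonical key, creating rows for hosts
    that only a tool (not the inventory) knows about."""
    assets: Dict[str, Asset] = {}
    for rec in inventory:
        k = canonical_key(rec["fqdn"])
        assets[k] = Asset(key=k, owner=rec["owner"])
    for rec in scanner:
        k = canonical_key(rec["host"])
        assets.setdefault(k, Asset(key=k)).scanned_within = rec["last_scan_days"]
    for rec in edr:
        k = canonical_key(rec["hostname"])
        assets.setdefault(k, Asset(key=k)).edr_agent = rec["agent_ok"]
    return assets


def coverage_report(assets: Dict[str, Asset], scan_sla_days: int = 30) -> dict:
    """Produce the numbers a board would actually ask for: share of inventoried
    assets scanned inside the SLA, inventoried assets without a working agent,
    and hosts seen by tools but absent from the inventory.  It returns data,
    not a verdict, so the figures stand on their own."""
    inventoried = [a for a in assets.values() if a.owner is not None]
    in_sla = [a for a in inventoried
              if a.scanned_within is not None and a.scanned_within <= scan_sla_days]
    missing_edr = sorted(a.key for a in inventoried if not a.edr_agent)
    not_in_inventory = sorted(k for k, a in assets.items() if a.owner is None)
    return {
        "inventory_count": len(inventoried),
        "scan_coverage_pct": round(100 * len(in_sla) / len(inventoried), 1),
        "missing_edr": missing_edr,
        "not_in_inventory": not_in_inventory,
    }


if __name__ == "__main__":
    model = build_common_model(INVENTORY, SCANNER, EDR)
    for name, value in coverage_report(model).items():
        print(f"{name}: {value}")
```

Run as-is, the constructed data yields 33.3% scan coverage, `db02` with no endpoint agent, and `test-vm-9` known to the scanner but not to the inventory. That is exactly the sort of result the post warns is uncomfortable; the point of normalizing first is that the number is the same no matter which tool's naming convention you started from.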

By the way, there is a silver lining here: When you adopt a data-driven approach, your credibility with boards and senior leaders will skyrocket. They will know that problems are never masked, but they will also come to accept that reported successes are never pre-engineered. You will be viewed as an honest broker, and this is not only good for you, but also good for our profession.

Let me know your thoughts.