×
Blogs

Empower Your Board with Cyber Risk Metrics That Matter

blog-homepage-1844044177-desktop
7 min read

Introduction

The roles and responsibilities of the board of directors (boards) in ensuring the security of their organizations is expanding – both due to the increasing perilousness of the cyber risk and threat landscape and as the result of new regulatory requirements. 

Boards today are interested not only in the business side of it, for example, knowing the return on investment in cyber risk management activities, but also in the technology side of it – the IT infrastructure comprising of on-premises and cloud-based assets, networks, applications, and resources, the third-party ecosystem, the cyber defense and resilience mechanism including the control environment and security measures in place, and more. 

The onus to effectively communicate the security and risk-related information to the board and the C-suite in a timely and lucid manner primarily falls on the CISO. Although there is a blossoming trend of appointing Business Information Security Officers (BISOs), the key responsibilities still lie firmly with the CISO. Since boards majorly consist of non-technical executives, it is essential that this risk information is conveyed in easy-to-understand, business-oriented language, which may enable them to first, understand the true potential of risks and their impact, and second, to be able to make strategic decisions that can keep the organization protected while managing budget and resource constraints. 

Lack of effective communication not only leads to insufficient or inappropriate action, but may also lead to conflicts and reputational issues and exposes the organization to higher risks. It is imperative for CISOs to choose the relevant and essential metrics to report on, which can aid in fulfilling the above requirements.

What Cyber Risk and Compliance Metrics Should be Reported to the Board?

Cyber risk and IT compliance metrics are essential not only to gauge the effectiveness of an organization’s cyber governance, risk, and compliance (Cyber GRC) strategy and program, but also to manage and effectively communicate risks to the board. They are also critical indicators of overall status, unresolved issues, and potential risk events that can adversely impact organizations. 

The CISO and security team measure and track a plethora of such metrics – risk appetite and tolerance, security incidents, configurations, mean time to detect, control maturity, business continuity planning and impact analysis, employee awareness, frequency of training programs, and many more. When reporting these to the board, the CISO should be clear about the objectives behind the reporting. Since the board is responsible for implementing strategies that drive business value, they must receive and review the cyber metrics in a manner that helps them in this process. 

Which brings us to the question – what information should the board be made aware of? 

The most common and obvious answer is, of course, understanding the security and compliance posture. However, there are several other aspects too. 

First, there is no one-size-fits-all metrics reporting template. Understanding the information sensitivity, domain, sector, size, culture, and resources of the organization should be the foundation of all such metrics reporting. As an example, the nature of data being handled, the regions being operated in, the regulations in those regions, and so on will affect the kind of metrics being reported to the board. 

Further, the metrics will depend on the ecosystem of the organization. For example, if a company were to scale its operations by engaging a network of third parties, then metrics concerning such third-party activity and their SLAs must also find prominence in any reports to the board. 

In another scenario, say, if a company were downsizing and facing budget cuts, the decision-makers would want to know the best way to do so without impacting the overall security posture. This would require looking at metrics such as IT team headcount, productivity, use of AI technology, IT vendors, spending on cyber projects, etc. 

Another aspect to consider is the purpose of the report. There are regular review processes that help to determine the cybersecurity strategy, budget, and program. This involves metrics such as the number of security incidents in a year, the total number of critical assets, top risks, threats, and vulnerabilities, the number of access control violations, control maturity practice score, the number of critical and non-critical third parties, mean time to respond to security incidents, total third-party spend, compliance status, number of open issues, and many more. Then there are particular use-case reports such as detailing an incident or planning for a corporate acquisition/merger or entering a new line of business. In these cases, different types of reports with specific metrics need to be reported on and this should be in addition to (and not instead of) the regular reports.

How to Report – Too Many Metrics Are Not Good!

Keeping it simple always works best. Not all board members will have the technical expertise to understand the relevance or criticality of every metric that is being reported. It is therefore crucial to report the metrics in terms that anyone can interpret and understand. For example, in addition to presenting them with the risk assessment matrix, color-coded for depicting high, medium, and low risk, communicate the risk exposure in monetary or dollar terms using risk quantification. 

Another best practice is to segregate the metrics into different categories, such as 

  • Security – detected intrusion attempts, number and severity of security incidents, time to resolve, vulnerabilities assessment results, control effectiveness, etc. 
  • Financial – risk appetite and tolerance, risk exposure, cost of security incidents, cybersecurity insurance, cost vs budget, etc. 
  • Compliance – relevant regulations, frameworks, and standards, compliance status, control effectiveness (control testing results), new regulatory requirements and obligations, volume and type of data in possession, 
  • Third Parties – critical and non-critical third parties, third-party scoring/rating, third-party cyber risks, compliance with SLAs, third-party incident response, etc. 
  • Cyber Resilience – business continuity planning, tabletop exercises, impact analysis, response and recovery, etc. 
  • Employee Awareness – policy adherence, training, workshops, etc.

One of the best ways to communicate technical information to non-technical people is to use analogies. As an extremely simplified example, instead of trying to highlight the benefits of ECC encryption over RSA, one can simply portray it as ECC having a 12-lever lock versus RSA, which has a 6-lever lock. The use of real-world examples can go a long way in ensuring board understanding and makes the most fact-based decisions.

Regulatory Mandates on the Board’s Role

Regulations around cybersecurity and cyber risk management are increasing quickly. In recent months, we saw the adoption of the SEC’s cybersecurity rules in the US, following the introduction of the Digital Operational Resilience Act (DORA) in the EU, to be fully adopted by 2025. 

The SEC’s rules require annual reporting on the board’s oversight of cybersecurity risks, the management’s role and expertise in assessing and managing material cybersecurity risks, as well as how the board/subcommittee is informed about cyber risks. The rules, set to come into force in December 2023, are applicable to publicly-listed organizations. 

For a deeper dive, read our recent blog, Achieve Compliance with SEC’s New Cybersecurity Rules

EU’s DORA was enforced on January 16, 2023 and financial sector organizations will be required to be compliant by January 17, 2025. The act mandates the “management body” of financial entities to define, approve, oversee, and be responsible for the implementation of all arrangements related to the information and communication technology (ICT) risk management framework. 

To learn more about this new regulation, download our eBook, Demystifying DORA - Understanding and Preparing for the EU’s Digital Operational Resilience Act.

The Way Forward

Given the fast pace at which the cyber risk landscape is evolving, the board’s role and interest in cyber risk management will only grow. For CISOs and security teams, this will require presenting a clear, simple, and accurate picture of the Cyber GRC program. Additionally, it requires effective collaboration and regular communication between the board and the CISO to make the reporting process meaningful, streamlined, and aligned with business goals and objectives. This requires time and effort from both sides, and the best time to start is now. 

To learn how MetricStream can help with cyber metrics reporting to the board, contact us today!

Agnishwar Banerjee

Agnishwar Banerjee Product Marketing, MetricStream

People call me AB and I am part of the CyberGRC Product Marketing team at MetricStream, where I handle the messaging, product go-to-market plans, and analyse market trends. Having witnessed the transition from offline to online firsthand (80’s child), for most of my life, I have been an avid enthusiast in the domain of technology and cyber security including personal cybersecurity. Over the last 10 years, I have been involved in developing and marketing risk-focused, SaaS products. I have a good mix of right brain and left brain and love reading, learning new things and am generally a big believer in the power of looking inward, effective processes and people.

 
Blogs

Navigating 2024: Top Cyber Risk Trends That Must Be on Your Radar

blog-banner-2
5 min read

Introduction

It has become trite to say that cyber risks are evolving at a fast pace or that it has become a top area of concern for organizations. Businesses today are required to navigate not just the digital era but the era of cognitive intelligence and generative AI (GenAI). While these technological advancements are helping organizations significantly improve their cyber risk management and gain process efficiencies, the easy access to these tools has made them a favorite among bad actors and cyber adversaries who can use them as easily to plan and launch sophisticated attacks with far-reaching consequences. 

The best cyber risk management strategy is to ensure that innovation and security measures go hand in hand. But in practice, it is not so. In an IBM survey, while 94% of CEOs said that it is important to secure AI solutions before their implementation, 69% said that innovation takes precedence over cybersecurity for GenAI. 

While AI is on everyone’s mind as we step into 2024, what are the other cyber risks that organizations need to prepare for? Before we get to that, here’s a quick recap of the major happenings from 2023 for all things cyber. 

The Cyber Governance, Risk, and Compliance (Cyber GRC) Whirlwind in 2023

One of the most important cyber developments in 2023 was undoubtedly the adoption of the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules for public companies by the U.S. Securities and Exchange Commission (SEC). Though there are a lot of unanswered questions and “grey” areas regarding determining the “materiality” of a cyber incident or terms like “without unreasonable delay”, it is a landmark regulation nevertheless and a step in the right direction. 

For deeper insights into the new rules, you can read my previous blog “Achieve Compliance with SEC’s New Cybersecurity Rules” or leave a comment below to let us know your thoughts. 

With AI implementation gathering steam across sectors, the National Institute of Standards and Technology (NIST) released the AI Risk Management Framework in January 2023. The framework is intended to “improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.” 

We also saw the Digital Operational Resilience Act (DORA) being enacted in the European Union on 16 January 2023. EU-based financial sector organizations will be required to demonstrate DORA compliance from 17 January 2025. Aimed at enhancing the digital operational resilience of financial sector entities, DORA covers key areas including ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, the management of ICT third-party risk, and cyber threat information sharing. 

Our eBook “Demystifying DORA: Understanding and Preparing for the EU’s Digital Operational Resilience Act” discusses various aspects and requirements of DORA in detail. 

Throughout the year organizations around the world also faced a growing number of cyber attacks and data breaches. Some of the major ones include the hack of MOVEit which affected over 1000 organizations and the personal data of at least 60 million individuals, the distributed denial of service (DDoS) attacks on a number of banks across Italy, ransomware attack on entertainment company MGM Resorts which led to operational disruptions, uncovering of a 38 terabyte data leak at Microsoft that happened in 2020, data breach at the Indian Council of Medical Research (ICMR) which exposed the personal data of 815 million Indian residents, and many more.

What to Expect in 2024?

It goes without saying that the cyber risks will increase in number, sophistication, and severity. Here are some of the top Cyber GRC trends for 2024: 

  • Heightened Business and Regulatory Focus on AI 
    The overall trend of AI and GenAI innovation is expected to continue and gain more momentum in 2024 with competition becoming fiercer and regulators worldwide rolling out AI-focused regulations and frameworks in an attempt to ensure that innovation is supported by effective security and governance measures. 
  • Automated and Continuous Approach to Cyber GRC 
    Specifically in the field of Cyber GRC, more and more organizations are expected to embrace automation for risk and compliance management processes and AI-powered predictive analytics to navigate the rapidly intensifying cyber risk and regulatory landscape. This includes capabilities to perform autonomous risk assessments and value-based quantification, continuous control testing with immediate remediations, automated compliance, and more. 
  • Continued Focus on Third-Party Cyber Risks 
    Third-party cyber risk management will also be a core focus area of CISOs and security teams with growing digital dependencies of organizations on SaaS solution providers, cloud service providers, and technology providers, among other third parties in the ecosystem. 2023 saw continued trend of exploiting third parties to gain access to target organizations. Proactively identifying the potentially vulnerable areas, points of failure, and blind spots throughout the third-party risk management life cycle has become more important than ever as can also be evidenced by the introduction of strict regulations to govern their activities.
  • Increased Cybersecurity Investments 
    Given the growing frequency, scale, and sophistication of cyber attacks, organizations will be significantly ramping up their cybersecurity and risk management investments. Gartner estimates global spending on security and risk management to reach $215 billion in 2024, making it a 14.3% increase from 2023.
     
    With this background and while the future can be uncertain, we’ve compiled our thoughts on the top 7 cyber risk trends that organizations need to be aware of and prepare for in 2024. Check out our infographic on the top 7 cyber risk trends, which discusses these trends, what to expect, and how to prepare in more detail.

cyber-risk-trends-2024

Download now: Top Cyber Risk Trends in 2024 and Beyond 

Getting the Cyber Defenses Up

We at MetricStream are hard at work to help organizations stay one step ahead of cyber risks. 2023, in particular, has been a milestone year as we rolled out a number of solutions and capabilities to help organizations drive an effective Cyber GRC strategy. These include: 

  • AiSPIRE, the industry’s first AI-powered, knowledge-centric GRC, which continuously senses and identifies risk, audit, and control deficiencies, duplicate risks and controls, patterns of over and under-testing of controls, and enables proactive planning and prioritization of risk assessments, control testing, issue, and action planning.
  • Autonomous Control Testing which automates control testing across IT compliance controls and reduces risk by assessing controls across the entire population.
  • Integration with AWS Audit Manager which simplifies and consolidates IT compliance management through automated control testing and evidence collection of all firm-wide controls, including on-premises and multi-cloud environments.

To explore MetricStream’s cyber risk and IT compliance management capabilities and to prepare for the trends of 2024, request a personalized CyberGRC demo today!

Agnishwar Banerjee

Agnishwar Banerjee Product Marketing, MetricStream

People call me AB and I am part of the CyberGRC Product Marketing team at MetricStream, where I handle the messaging, product go-to-market plans, and analyse market trends. Having witnessed the transition from offline to online firsthand (80’s child), for most of my life, I have been an avid enthusiast in the domain of technology and cyber security including personal cybersecurity. Over the last 10 years, I have been involved in developing and marketing risk-focused, SaaS products. I have a good mix of right brain and left brain and love reading, learning new things and am generally a big believer in the power of looking inward, effective processes and people.

 
Blogs

CyberGRC Just Got More Powerful with AWS Audit Manager

how-the-AWS-Audit-Manager
3 min read

Introduction

As businesses migrate to the cloud or expand their cloud adoption, security risks and compliance are always among the chief concerns, and critical challenges that must be addressed, especially in today’s volatile risk climate. 

AWS Cloud users have access to AWS Audit Manager, which continuously audits AWS Cloud service usage, and streamlines the assessment of risk and compliance with regulations and industry standards. Audit Manager automates evidence collection to assess operational effectiveness of internal controls frameworks and provides audit-ready reports. It’s a powerful tool. And it just got more powerful, by integrating MetricStream’s CyberGRC solution

In addition to cloud infrastructure controls, almost every organization has application-specific controls and organization-specific policy and procedure controls with which they also need to demonstrate compliance. Even AWS Cloud customers often have requirements for infrastructure controls for other cloud providers and on-prem solutions. Often these controls are maintained and assessed manually, in Excel sheets, with point solutions, or using GRC tools that are not integrated with AWS Audit Manager. These manual processes are resource-intensive and themselves fraught with risk. 

Now, with the integration of CyberGRC, AWS Audit Manager customers can automatically solve their IT and compliance challenges and lower their cyber risk exposure. And for existing CyberGRC users already on AWS, the integration with Audit Manager brings automated evidence collection, to afford a complete view.

Finally, a Centralized View

AWS Audit Manager users will now be able to demonstrate compliance not just with AWS Cloud infrastructure controls, but also with custom controls, application-specific controls, and controls for multiple cloud providers, as well as benefit from MetricStream’s complete suite of cyber risk, policy, and compliance and functions. 

So, instead of trying to manage reporting from multiple systems, users will finally have a centralized repository and view of control results – from AWS Audit Manager and across other controls – in one place, including automated evidence gathered from AWS, as well as control data and evidence stored in CyberGRC.

The benefits of this integration are clear: 

  • The ability, finally, to access and maintain all required controls, test results, evidence for all cloud environments and on-prem in one place, breaking down silos to accelerate decision-making; 
  • The ability to automate testing and evidence gathering of AWS infrastructure controls, reducing the manual effort required in testing and gathering evidence; 
  • The reassurance that all control test results and evidence from AWS Audit Manager will get automatically updated in MetricStream; 
  • Easily demonstrable compliance across AWS, on-prem and other cloud environments.

In short, the co-innovation between MetricStream’s CyberGRC solution and AWS Audit Manager will not only reduce risk and maintain compliance across all systems in real time, it will also create organizational efficiencies by reducing manual processes and breaking down internal silos. It is a major step forward in IT Risk and Compliance for cloud-based businesses. 

The above blog was originally published as an article by the author on LinkedIn. Read the original version here. 

Learn more about the MetricStream CyberGRC and AWS Audit Manager Integration. 

Download the Tech Brief: Automate Control Testing and Evidence Collection with AWS Audit Manager and MetricStream CyberGRC

Prasad MetricStream

Prasad Sabbineni Co-Chief Executive Officer

Prasad Sabbineni serves as the Co-Chief Executive Officer at MetricStream. As the head of products and engineering, Prasad leads our product vision and execution of our market leading GRC products.

Prior to joining MetricStream, Prasad was a Managing Director at Citigroup. He oversaw technology for enterprise functions of Risk Management, Finance, HR, Data, Information Security, Compliance Risk, Internal Audit, Enterprise Supply Chain and Third-Party Management. He was the senior technology executive responsible for implementing regulatory initiatives, such as Basel, CCAR, CLAR, BCBS 239, Volcker, Recovery and Resolution Planning at Citigroup. Prior, Prasad led technology for Market Risk, Credit Risk, Prime Services Risk, Portfolio Risk Margin, and Operational Risk functions at Lehman Brothers. Preceding Lehman, Prasad rolled out derivative trading systems globally and as a Risk Manager, he was also responsible for managing market risk of fixed income and equity derivatives at Bear Stearns.

 
Blogs

Cyber Attack Alert: The Invisible Enemy Could be Sitting Next to You

Cyber Attack Blog
3 min read

Introduction

While cyber attacks remain the plague of the modern corporate world, there are historical similarities that date back to a pre-computer era.

In 1988, Cornell University graduate Robert Morris was the first person to be successfully charged under the Computer Fraud and Abuse Act. It could however be argued that the first actual cyber-attack was launched over 150 years earlier by French brothers François and Joseph Blanc.

In the 1830’s the equivalent of the internet was the telegraph. This used semaphore to deliver vital government communications as well as share prices from the Paris Stock Exchange.

The brothers hatched a plan to ‘front run’ the markets by hiring an agent in Paris to deliver coded messages disguised as packages to the telegraph operators. If the paper wrapping was white, the market had gone up, if the wrapping was grey then the market had moved down. They bribed telegraph operators to send messages based on the colour of the wrapping. The messages were disguised as deliberate errors that would be disregarded by operators. The brothers hired an agent who understood what an ‘error’ signal looked like. He sat on an adjacent hill and read the signals as they came in revealing the market news.

The brothers exploited the markets for 2 years and made a significant sum of money. When the scam was exposed, they were arrested for bribery. Back then, France had no laws against the misuse of a telegraph system, and they were only forced to pay court costs. This meant they got to keep their ill-gotten gains.

I know what you’re thinking…but, I can confirm that this loophole was rapidly closed!

We are still faced with the same issue even with modern advances in technology. There are still those who are willing to exploit others for their own gain. Organizations and legislature are lagging the curve and stuck in a constant battle of catch-up.

In 2021, Gartner forecasted that spending on Security and Risk Management would exceed US$150 billion. This is a drop in the ocean considering the cost of cyber-crime is estimated to have breached the US$1 trillion mark. Yet despite this, technology phishing attacks remain the most common hacking technique.

Building Cyber Resilience with CyberGRC

Ensuring organizations stay ahead requires proactive risk assessment, mitigation, and monitoring of IT and cyber risks, threats, and vulnerabilities, across various IT compliance requirements. MetricStream’s CyberGRC solution can streamline cybersecurity efforts to actively manage cyber risk and support cyber resilience.

Built as an intelligent, intuitive, and interconnected program, CyberGRC enables your organization to:

  • Harmonise controls across multiple IT regulations and frameworks, improving compliance and saving effort and costs
  • Quantify your cyber risk in monetary terms to analyse and communicate risk and better prioritise cyber investments
  • Automate continuous control monitoring, enabling you to collect evidence of security control effectiveness
  • Collate data from across the enterprise, including third and fourth-party vendors, which can then be transformed into actionable business intelligence to support data-driven decision-making
  • Correlate vulnerabilities with IT assets, and prioritize remediation efforts based on the highest levels of threats leading to improved efficiency and increased assurance from your tech partners

Although your cyber risk and security tools may be sophisticated, phishing requires one simple lever - the ignorance of human beings. There are many different risk factors to manage, minimize, and protect against. It does make you think - could the invisible enemy be sitting next to you?

Want to learn more on how you can build your organization’s cyber resilience? Request a demo now.

Check out more resources related to cybersecurity:

The Ultimate Guide to Cyber Security and IT & Cyber Risk

Third-Party Risk: A Turbulent Outlook Survey Report 2022

Cyber Risk Quantification: Core Metrics for Success

Richard Rivett

Richard Rivett Market Development, MetricStream

Richard Rivett is a software and technology professional with over 24 years of experience in the technology space spanning vendors, client-side, and consultancy. For the past decade, Richard has focused on the GRC sector in a variety of customer facing roles including managing the relationships of 35 pan-European clients as well as leading a Services Team in EMEA.

Richard joined MetricStream in August 2021 in a Market Development role that sees him apply his experience and expertise in the initial stages of the customer engagements, focusing on successful client outcomes.

 
Blogs

Simplified and Integrated IT Compliance with MetricStream and AWS

AWS-Audit-Manager
4 min read

Introduction

How can I automate IT compliance management when I have a mix of manual, custom, on-premises, and cloud controls? How can I get a single view of my IT compliance status and risks? Can I create a single repository of my compliance evidence across my multiple IT infrastructures and environments? 

These questions often come up in our conversations with CISOs, IT Risk/Compliance Directors, IT auditors, and compliance officers from across industries. 

Organizations today use resources, services, and applications across on-premises and multi-cloud environments, which necessitate efficient assessment, monitoring, and reporting of controls across these domains to mitigate risk and ensure compliance. That, however, is easier said than done, for many reasons. 

With varied controls across different environments, tracking and reporting on the status and risks arising from each are bucketed into their own respective methods/processes. As an example, cloud controls are viewed only in the cloud account dashboard, network/application controls in the respective software solution, and custom controls may be viewed in excel sheets. 

As a result, control testing and assessment are often a manual exercise as many organizations rely on offline, fragmented systems and processes. More often than not, companies customize some controls to better align them to their unique requirements, which further impedes automated testing and evidence collection. The result is an inconsistent, siloed control testing and assessment process – wherein an organization has different workflows and systems for manual, automated, custom, on-premises, and cloud controls – and no single source of truth. 

Collating data from all these disjointed systems and mapping them against industry standards and frameworks, such as PCI DSS, HIPAA, NIST CSF, ISO 27001, SOC2, and others, can be exceptionally challenging. Resource and budget crunch adds to the challenges of the IT risk and compliance managers. 

What organizations need is a one-stop solution that automates control testing and evidence collection against compliance requirements for all enterprise-wide controls and provides consolidated reports. 

With CyberGRC’s integration with Amazon Web Services (AWS) Audit Manager, we, at MetricStream, are taking a step in that direction. 

The MetricStream CyberGRC and AWS Audit Manager Integration

Through MetricStream’s partnership with AWS, we now offer our customers a complete and integrated solution for managing and testing organization-wide controls through the integration of MetricStream CyberGRC and AWS Audit Manager

AWS Audit Manager continuously audits AWS Cloud product/service usage and streamlines the assessment of risk and compliance with regulations and industry standards. It automates evidence collection to assess the operational effectiveness of an organization’s internal controls framework (policies, procedures, and controls).

Read more about how the solution works: AWS Audit Manager now supports first third-party GRC integration

One of the key benefits lies in the single source of truth the integration provides for all org-wide controls. The solution’s single repository provides comprehensive visibility into controls, test results, and evidence for all controls – custom, application-specific, and multiple infrastructure controls (multi-cloud and on-premises) – all in one place. No more switching between multiple dashboards and spending time consolidating reports.Simplifying-Complexity-to-Bring-You_-a-Single-View-of-IT-Risk-and-Compliance_

Most important, the control testing results and evidence on pass/fail are tied to relevant standards and frameworks. At one quick glance, the solution provides insights into the number of active assessments created and executed, control testing results by area of compliance – which controls are compliant and which are non-compliant along with JSON evidence for each, the number of controls and accounts in scope for each of the assessments, the specific resources on which the controls were executed, and much more.

Prasad Sabbineni, co-CEO, MetricStream, discusses the benefits in detail in the article: CyberGRC Just Got More Powerful with AWS Audit Manager

This integration is live now and can be accessed directly by customers using CyberGRC and AWS Audit Manager. We have also worked closely with AWS to ensure the integration process is quick and simple. 

The MetricStream CyberGRC and AWS Audit Manager integration enables you to: 

  • Accelerate decision-making by consolidating access to org-wide controls, test results, and evidence 
  • Save time and costs with automated control testing, evidence gathering, and reports 
  • Obtain a consolidated view of the entire Cyber GRC program with accurate and insightful reports 
  • Improve IT and cyber risk and compliance posture with timely and comprehensive insights 

To learn more about the MetricStream CyberGRC and AWS Audit Manager integration, request a personalized demo today!

Anil Kumar MetricStream

Anilkumar GK Senior Director & Head of CyberGRC Product Management, MetricStream

Anilkumar GK leads cyber risk product management for MetricStream, the leader in Governance, Risk and Compliance (GRC) software. As Senior Director, Anil is responsible for product strategy, requirements, product planning and delivery to meet the needs of clients. Anilkumar has been at MetricStream for more than a decade and has nearly 20 years of experience in GRC implementation, product management, supply chain and business consulting, spanning product development, planning, design, delivery and quality assurance. His areas of expertise include Internal Audit, Risk Management, Compliance (including SOX and IT Compliance) Issue Management and Cyber/IT Risk.

Anilkumar is currently leading MetricStream’s cyber risk and compliance product efforts, including user experience optimization, quantification, use of security frameworks and more. He lives in Plano, TX and holds a Bachelors of Engineering in Mechanical Engineering.

 
Agnishwar Banerjee

Agnishwar Banerjee Product Marketing, MetricStream

People call me AB and I am part of the CyberGRC Product Marketing team at MetricStream, where I handle the messaging, product go-to-market plans, and analyse market trends. Having witnessed the transition from offline to online firsthand (80’s child), for most of my life, I have been an avid enthusiast in the domain of technology and cyber security including personal cybersecurity. Over the last 10 years, I have been involved in developing and marketing risk-focused, SaaS products. I have a good mix of right brain and left brain and love reading, learning new things and am generally a big believer in the power of looking inward, effective processes and people.

 
Blogs

The Expanding Role of Cyber Risk Leaders: Preparing for What’s Next

blog-banner-1907064520
3 min read

What are the roles and responsibilities of cyber risk leaders today?

Before I jump into that, let’s look at the various c-suite titles that currently fall under the umbrella of a cyber risk leader – chief security officer, chief information officer (CIO), information security officer (ISO), and chief information security officer (CISO). In some organizations, managing cybersecurity risk and compliance processes rolls up to the chief risk officer (CRO). 

There are also relatively new roles that you might have heard of – business information security officer (BISO), business aligned security executive (BASE), and technical information security officer (TISO) – the list goes on. 

As the scope of responsibilities of a cyber risk leader is evolving and expanding, new monikers are emerging to truly represent what the role entails. Today, cyber risk leaders are not just tasked with protecting the IT and cyber infrastructure of organizations – the role has become one of a business enabler. 

In a previous blog on building cyber resilience, I discussed some of the top roles played by CISOs today. A quick search on LinkedIn for CISO, CSO, and cyber-related job requirements yielded further insights into what companies are looking for today in these roles.

Here are some interesting ones that I came across:

  • To be a catalyst and an enabler to the global leadership for achieving the objectives aligned with the changing regulatory and operating landscape and reducing risk against the technology operations portfolio
  • Partner with enterprise-wide business stakeholders to elevate risk awareness and remediate security flaws in infrastructure, system design, and application security
  • Stay abreast of the latest risk trends, threats, and technologies in the field of information security, and recommend innovative solutions to address emerging risks

Which brings us to the question – how can cyber risk leaders prepare for the next level?

It’s All About Connections!

“Realize that everything connects to everything else.” 

Leonardo da Vinci said this in a different context, but it applies to today’s corporate world, too. The business environment is becoming increasingly convoluted with interconnected organizations, processes, functions, and even risks! 

The growing digital dependencies are exposing organizations to new, high-velocity cyber risks. In turn, businesses are expecting more and more from cyber risk leaders – the core objective still being protecting the enterprise from cyber adversaries. 

To better align to the evolving business expectations, CISOs, CSOs, and equivalent title holders need to undertake a connected approach – connecting not just internally within the enterprise with various stakeholders but also externally with the latest developments in technology, AI, and automation, trends in cybersecurity best practices, new and emerging cyber risks, and more. 

Connecting internally is essential to raise risk and security awareness across organizational hierarchies, keep the executive management informed about the overall cyber risk posture, and drive well-formed cybersecurity investment decisions. All of these elements are essential for ensuring a robust cyber risk strategy. 

At the same time, the next-gen cyber risk leader needs to connect externally to secure all the touchpoints of the organizations, including the extended enterprise comprised of third-party vendors, customers, partners, and other stakeholders. 

A well-rounded approach requires cyber risk leaders to not only understand the interconnectedness of risks and their cascading impacts but also keep up with the latest technological developments, such as APIs, automation, cloud, and artificial intelligence (AI), embracing industry best practices for IT and cyber risk management, and ensuring open and efficient communication across the organization and extended enterprise. 

For a deeper dive, read our eBook on “5 Connections Every Cyber Risk Leader Must Make for Driving Cyber Resilience”.

With AI ushering in a new paradigm for cyber risk management, the role of cyber risk leaders will continue to gain prominence in the corporate hierarchy and become increasingly aligned with the strategic leadership role. There is an urgent need to take on a continuous approach involving constant learning, improving, and adapting to meet evolving business expectations. 

If you’re in a cyber risk leader role, how are you preparing and staying current for what’s next? Drop us a line in the comments, and as always, let us know how we can help you anticipate and thrive on risk.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 
Blogs

Demystifying NIST CSF 2.0: What's New and Why it Matters

2252035181-blog-banner
5 min read

Introduction

In 2014, NIST released the Cybersecurity Framework (CSF) to set a standard for organizations to understand, manage, and reduce cybersecurity risk. Created through collaboration between the US government and private sector, the CSF provides a series of flexible cybersecurity guidelines that can be tailored to each organization’s unique needs. It has been downloaded more than two million times across 185+ countries, and translated into at least nine languages.

Since it was last updated in 2018, a lot has changed in the world. We’ve witnessed a pandemic-fueled surge in digital transformation, the coming of age of AI, the rise of the metaverse, and datafication – all of which have amplified cybersecurity risks. Last year, global cyber-attacks increased by 38%. Ransomware alone hit 66% of organizations, compared to 37% in 2021. 

In response, regulators have issued a slew of cybersecurity mandates – be it the SEC’s rules on cybersecurity risk management, or the EU’s proposed Cyber Resilience Act or the upcoming EU Digital Operational Resilience Act and not to mention the various cybersecurity related legislations in over 150 countries worldwide

All these events and changes perhaps nudged NIST to revisit, refresh and update the CSF. Which is exactly what NIST has done. In August 2023, the agency announced its biggest reforms yet to the CSF with the release of a draft of the CSF 2.0. The new framework is expected to address both current and future cybersecurity challenges, while also making it easier for organizations to put the CSF into practice.

What’s New in the CSF 2.0?

The NIST Cybersecurity Framework 2.0 provides guidance to industry, government agencies, and other organizations to reduce cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. Over the past year, NIST has conducted workshops with thousands of stakeholders across countries to develop and refine the CSF 2.0. The final version is expected to be published in early 2024. 

Here’s what has changed in the framework:

  • Expanded scope: While the original CSF was intended for critical infrastructure industries in the US, the new draft is designed for organizations of all types and sizes – from schools and small businesses, to non-profits and governments – around the world.
  • A new function- ‘Govern’: The earlier CSF listed five cybersecurity Functions - Identify, Protect, Detect, Respond, and Recover. Now in version 2.0, a sixth one has been added – Govern. It recognizes that cyber risk isn’t just an IT issue, but a major enterprise risk that should be as important to the leadership team’s consideration as financial risks. ‘Govern’ is all about establishing and monitoring cybersecurity strategy and policy – setting up risk objectives, determining risk appetites and tolerances, identifying roles and responsibilities for risk management, and fostering a risk-aware culture.
  • Increased guidance: In response to stakeholders asking for more practical guidance on how to apply the CSF, NIST has introduced a new section called Implementation Examples. It provides concise, actionable steps that organizations can take to achieve the CSF’s cybersecurity outcomes. For instance, under the sub-category PR.AA-06, which talks about managing access to physical assets, the CSF suggests using security guards, security cameras, locked entrances, alarm systems, and other physical controls to monitor facilities and restrict access.
  • Templates for framework profiles: One of the main components of the CSF is the Framework Profile which helps organizations describe their current (existing) and target (desired) cybersecurity posture based on the CSF outcomes. Given the complexity of many organizations, they may choose to have multiple, purpose-specific profiles, aligned with particular components and recognizing their individual needs. To simplify the creation and use of these Profiles, the CSF 2.0 includes new guidelines and templates that can be customized to an organization’s specific needs. An organization can use Framework Profiles to delineate cybersecurity standards and practices to incorporate into contracts with suppliers and provide a common language to communicate those requirements to suppliers. Profiles can also be used by suppliers to express their cybersecurity posture and related standards and practices. 
  • Emphasis on supply chain risk management: In the wake of third-party cyberattacks like the SolarWinds hack, the NIST CSF 2.0 has expanded its focus on supply chain cybersecurity. The Govern Function has a separate Category on establishing, managing, and monitoring processes for supply chain cybersecurity risk management. Even the other five Functions contain cybersecurity requirements that can be incorporated into supplier contracts. Framework Profiles can also be used to evaluate and monitor a supplier’s cybersecurity state. 
  • Additional guidance on cybersecurity measurement: To help organizations measure how their cybersecurity posture has improved with the CSF, the new framework provides a range of updates on cybersecurity assessments. The Framework offers an opportunity to explore or adjust methodologies for measurement and assessment. It also links to SP 800-55, Performance Measurement Guide for Information Security.
  • Focus on continuous improvement: Across the CSF 2.0, NIST emphasizes the importance of continuously improving cybersecurity risk management. For example, the Identify Function has a new Category called ‘Improvement’ (ID.IM) which talks about using continuous evaluations, security tests, and exercises to determine areas for improvement.
  • Alignment with other frameworks: Along with CSF 2.0, NIST has launched a Reference Tool that will make it easier for users to explore the relationships between various framework components, including Functions, Categories, Subcategories, and Controls. Eventually, the tool will include Informative References that show how the CSF is connected to other cybersecurity frameworks, standards, guidelines, and resources.

Simplify NIST CSF 2.0 Compliance with MetricStream

For years, organizations across industries have been using MetricStream’s CyberGRC suite of solutions to simplify compliance with the NIST CSF, as well as multiple other cybersecurity standards and regulations. With MetricStream, you can proactively identify, assess, and mitigate cybersecurity risks to achieve the outcomes of NIST CSF.               
CyberGRC enables you to:

  • Streamline and automate IT risk identification, assessment, and monitoring 
  • Gain a real-time view of your organization’s biggest cyber risks 
  • Improve NIST CSF compliance by mapping the framework to your processes, risks, controls, policies, and other compliance requirements in a single source of truth 
  • Harmonize controls to enable a ‘test once, comply with many’ approach 
  • Use pre-defined templates and schedules to simplify IT compliance surveys, certifications, and control self-assessments 
  • Intelligently manage and resolve cybersecurity compliance and control issues using AI/ML

Want to know more about how MetricStream can help you strengthen NIST compliance? 

Request a demo.

Agnishwar Banerjee

Agnishwar Banerjee Product Marketing, MetricStream

People call me AB and I am part of the CyberGRC Product Marketing team at MetricStream, where I handle the messaging, product go-to-market plans, and analyse market trends. Having witnessed the transition from offline to online firsthand (80’s child), for most of my life, I have been an avid enthusiast in the domain of technology and cyber security including personal cybersecurity. Over the last 10 years, I have been involved in developing and marketing risk-focused, SaaS products. I have a good mix of right brain and left brain and love reading, learning new things and am generally a big believer in the power of looking inward, effective processes and people.

 

Related Resources

Blogs

Achieve Compliance with SEC’s New Cybersecurity Rules

blog-banner-2306826521
5 min read

Introduction

The clock is fast ticking for public-listed organizations to ensure compliance with Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Rules (rules) recently adopted by the U.S. Securities and Exchange Commission (SEC). The rules, set to come into force from December 2023, are expected to improve transparency for investors, customers, and other stakeholders in matters related to a company’s cybersecurity risk management and governance processes. 

One of the key requirements under the new rules is for public companies to report material cybersecurity incidents to the SEC within 4 days of determining the materiality of the incident. However, what constitutes “material” is somewhat of a gray area. 

Let’s take a closer look.

Incident Materiality and Reporting Timeline

As per the final rules:

  • A cybersecurity incident is described as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” 
  • While “Materiality” has not been explicitly defined in the rules, it refers to the “nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”

In the press release, the SEC relied on the definition set by judicial precedent, “Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the 'total mix' of information made available.” 

Further, the SEC explained that companies should consider both qualitative and quantitative factors to determine the material impact of an incident. It explained: 

“By way of illustration, incidents violating a company’s security policies or procedures, or affecting a company’s reputation, financial condition, operations or causing harm to a company’s customer or vendor relationships, or competitiveness may all be considered as examples of a material impact on the company. Similarly, the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities, may constitute a reasonably likely material impact on the registrant.” 

While these are good examples of cybersecurity incidents, it leaves ample scope for subjective judgment on the part of organizations as to what constitutes “materiality”. It will also vary from organization to organization depending on factors such as the scale of their operations, nature of business, type of products, and criticality of the information residing in their systems.

So, in the absence of a clear definition, it is advised that CISOs, IT risk professionals, and other executives in charge of compliance with the rules, display complete honesty and transparency, erring on the side of caution. 

The other aspect to consider is that the rules require organizations to make their materiality determinations “without unreasonable delay” – which, again, seems open to interpretation. The SEC explains: 

“A company being unable to determine the full extent of an incident because of the nature of the incident or the company’s systems, or otherwise the need for continued investigation regarding the incident, should not delay the company from determining materiality. Similarly, if the materiality determination is to be made by a board committee, intentionally deferring the committee’s meeting on the materiality determination past the normal time it takes to convene its members would constitute unreasonable delay.” 

To put things into perspective, the mean time to identify a breach in 2023 is 204 days, according to IBM’s Cost of a Data Breach Report 2023. So, the timelines for an organization to detect a breach, determine its materiality, and then report it to the SEC – could be ambiguous in practice. 

Nonetheless, the final rules are a great initiative in the right direction. Among other things, it will compel organizations to improve the maturity of their incident detection & response and overall cyber risk management and governance processes. We could see future revisions that offer more clarity and/or more requirements for companies to adhere to.

 

Join our upcoming webinar on September 13th, where we will analyze the SEC’s new cybersecurity rules and discuss key strategies and best practices to achieve compliance, along with domain experts: 

  • Alex Gacheche, Global Head of Information Security, Technology Infrastructure at Meta/Facebook 
  • Chris H, CISO & Co-Founder @ Aquia

Register now.

How MetricStream CyberGRC Can Help

In a previous blog, I delved into the key requirements that organizations need to meet and the strategies that can help them achieve this goal. Here’s a look at how MetricStream CyberGRC can help you achieve compliance:

Under the SEC Rules, You Need toWith MetricStream CyberGRC, You Can
Report material cybersecurity incidents to the SEC within 4 days of determining the materiality of the incident, subject to an additional extension of the timeline at the Attorney General’s discretion

- Establish consistent procedures for incident documenting, analyzing, and remediating all the way till closure 

- Maintain a single source of truth for incident lifecycle for quick and efficient reporting

Annual Reporting on the processes for assessing, identifying, and managing material cybersecurity risks, including third-party risks, and whether any cyber risks have had a material effect or are likely to do so

- Assess and manage IT and cyber risks in a standardized manner using industry frameworks, such as ISO 27001 and NIST

- Generate comprehensive reports providing in-depth visibility into the overall security posture

Annual Reporting on the board’s oversight of cybersecurity risks, the management’s role and expertise in assessing and managing material cybersecurity risks, and how the board/subcommittee is informed about cyber risks

- Leverage user-configurable reports with role-based views into relevant risk, threat, vulnerability, and control data in real-time – which can be presented to the board and top management 

- Record and maintain the expertise of the members of the management team or cyber risk committee/subcommittee members

Disclose whether they are engaging with third-party assessors, consultants, or auditors in connection with any cybersecurity processes

- Document and maintain information on third parties mapped to relevant details such as IT assets, business units, products or services, contracts, spend, certifications, ongoing assessments, country, risk or compliance issues, due diligence status, etc. 

- Generate reports that provide insights into risks, compliance, and performance of third-party vendors

Describe whether and how cybersecurity processes have been integrated into the overall risk management system or processes- Implement an integrated GRC solution to obtain real-time status monitoring and comprehensive reports, providing in-depth visibility into overall risk management systems and processes

Learn more about how MetricStream can help achieve compliance with the SEC’s cybersecurity rules: 

Download Overview of Cyber Disclosure Rules 2023

Agnishwar Banerjee

Agnishwar Banerjee Product Marketing, MetricStream

People call me AB and I am part of the CyberGRC Product Marketing team at MetricStream, where I handle the messaging, product go-to-market plans, and analyse market trends. Having witnessed the transition from offline to online firsthand (80’s child), for most of my life, I have been an avid enthusiast in the domain of technology and cyber security including personal cybersecurity. Over the last 10 years, I have been involved in developing and marketing risk-focused, SaaS products. I have a good mix of right brain and left brain and love reading, learning new things and am generally a big believer in the power of looking inward, effective processes and people.

 

Related Resources

lets-talk-img

Ready to get started?

Speak to our experts Let’s talk