
Taming the Vast Sea of Data: Commentary on CISA's Strategy for 2021


Executives are very good at making decisions based upon risk, but cyber risk is still not clearly communicated in basic terms. This is a legacy issue in cyber, and much of what we build at CyberSaint seeks to address this problem. Evaluating outcomes is a complex, data-driven process, and we have been fortunate in that some of our larger customers have been helping us drive innovation on this score. Their use cases are very large, requiring risk metrics across thousands of assets so that decisions about risk reduction can be made at the top.

I was heartened to see a recent post from Bob Kolasky, the CISA Assistant Director for the National Risk Management Center regarding priorities for 2021 at the Cybersecurity and Infrastructure Security Agency (CISA) and the prioritization of risk-based thinking in the United States’ national cybersecurity strategy. I agree with Assistant Director Kolasky on his framing of the problem. Understanding cyber risk necessitates an "evolved approach," as he says.

Historically, a big issue has been taming the surfeit of data, or what he calls the vast sea of data, and putting it into contexts that allow for quick risk-based decisions by individuals who look at risk in terms of dollars, national security, or reputational issues.

We have built NLP to help tame the firehose of vulnerability (and other device and application) data, which is part of the bottom-up analysis. We have linked that, using an RMF (risk management framework)-based approach at the top, by automating controls so that the emphasis can shift from a red team mentality to a more proactive, preventative stance.

Really, it is about getting information out of a Babel-like state and into a clear, risk-based regime that translates into risk and into dollars, a very actionable and traditional metric, to use the assistant director's apt phrasing.

One cannot walk telemetry or vulnerability data into a Board meeting, really. That would be like letting the Matrix into the room: curtains of green numbers that do not add up to anything. The data must be tamed first with an intelligent use of AI and NLP. Then that data must be associated with established risk metrics. This alignment is what the director is getting at by saying that "there is currently no ‘engine’ to capture all these data layers in a dynamic analytic tool." That is the solution we at CyberSaint have been building, the engine that Asst. Director Kolasky is referring to, in cooperation with our partners in the Federal space and in private industry.

There is a proliferation of what one might call micro risk within applications. While tactical teams are sometimes able to manage these micro risks effectively, when it happens it is on an à la carte basis, with little insight or ability to report up and learn from these events. What needs to be understood is macro risk: strategic and business process risk or, as the director says, national risk. So risk must also be aggregated and standardized. It is a challenge, but our largest customers are currently helping us solve these fundamental issues.

The late Peter Drucker said, “what’s measured gets managed.” There are fewer unknowns than ever before, so even the hard-to-measure is coming into focus with automation. The trick is to get these insights translated across different linguistic regimes. 

To that end, we introduced solution cost modeling into our platform to allow organizations to game out tools, processes, and labor decisions to mitigate risk based on current data, not stale data, and based on the right data. This more proactive approach, which really hits the first three functions of the Cybersecurity Framework, will radically improve cyber resiliency across the board in both private and public organizations.
