ENGAGEMENT
DayBlink Consulting developed a robust security analytics and metrics program for the CISO, Chief Legal Officer and CTO of a large national bank to better understand critical cybersecurity, asset management and spending information. These analytics enabled more actionable insight into cybersecurity and technology risk factors. Analytics require metrics, which in turn require quality data. Building such a program involves laying a foundation and then constructing the relevant processes and procedures to populate data storage mechanisms. Only then can analytics deliver that insight.
The bank had been executing an external digital-first strategy for years but had underinvested in cybersecurity. Economic uncertainty coupled with a tremendous increase in cyberattack activity caused leadership to press the security team for analytical results, spending justification, quantitative risk measurement, etc.
The CISO understood the need to quantify risk where possible and analyze security data with a business lens (in addition to the technical/security lens). The CLO sought to expand any analysis to include asset management and spend information, to support the CTO’s mission and strategy.
PROBLEM
The CTO requested current, actionable data from the CISO and Chief Legal Officer (CLO). While the bank had numerous dashboards, they were mostly managed in Excel (stored locally and/or in a random assortment of locations) by individual contributors and small teams who were unable to produce useful or timely analytics and metrics. Responses to these requests, which often required a flurry of activity to validate, clean and sanitize data, were typically out of date, incomplete, and presented ineffectively. Despite this, money was still being invested in automation, analytics and a variety of tools and platforms. The new CISO desired a far clearer understanding of cyber performance and technology risk. The Chief Legal Officer sought more timely updates and relevant information to present to the Board of Directors. No one on her team could easily quantify the impact and results of decisions, which limited what could confidently be provided to the leadership.
While the bank had all of the relevant security systems, each was predominantly managed and reported on individually. Data was not combined, correlated or otherwise linked between systems to offer deeper insights. The system architecture was very standard. While the organization had a data lake and analytics teams, both were managed outside of security. Thus there was little incentive for security team members to do extra work to send their data to a central repository. In fact, doing so might create vastly more work for each of them to protect and analyze that information. Instead, team members crafted bespoke reports in response to specific requests for information.
SOLUTION
DayBlink Consulting reviewed the existing metrics and interviewed the team to identify existing pain points and their desired future analytical goals. We executed every step, beginning with data identification and continuing to analytics design, data ingestion and visualization. We worked to develop a solution architecture to feed Power BI visualizations. Leveraging Power BI and ingest procedures, the initiative developed security analytics and constructed automated dashboards. Simultaneously, we designed wireframes to align on design and incorporate team feedback and enhancement requests. We created views to blend datasets and pull in additional logic as needed. Within two months we had developed more than 30 published metrics (each requiring some underlying analytics) across 10 dashboards for a wide variety of stakeholders to analyze performance and guide future decision-making.
We documented all processes, procedures and methodologies in the program to enable the client team to maintain this effort after we completed the engagement (including a robust backlog of 50+ additionally requested metrics slated for future development). Finally, we delivered analytic and dashboard demos for key stakeholders to train everyone on usage and ensure that the effort would continue. Metrics included overall cyber risk quantification, controls effectiveness, security tool adoption by team/organization, employees at risk for phishing, and crown jewels susceptibility.
RESULT
The CISO, CRO and CTO all developed a deeper understanding of their Cyber Risk posture, and used data from dashboards in weekly meetings to communicate it to their organizations. The CISO confidently developed her strategic and financial plan grounded in historical data. With quantified insight into actual team member performance, several team members received additional coaching and/or internal job realignment, resulting in greater confidence in the team and improved performance.
After the personnel moves, new confidence in the team and its performance reduced the administrative load on all of the leadership (the analytics provided far clearer insight than the previous 1:1 sessions). To maintain the effort going forward, the bank decided to task a full-time cyber engineer with supporting and further expanding the program, a testament to the value recognized by the senior leadership team.
50% decrease in decision-making time due to metric availability
30 actionable metrics across 10 stakeholder dashboards
20% reduction in effort/labor across the organization due to analytics-driven goal alignment