Knowing what to measure for cybersecurity in Financial Services

Charlotte Jupp, Head of Security Performance Management, Panaseer


While the Microsoft Digital Defense Report found that basic security hygiene still protects against 98% of attacks, it is wrong to assume that these foundations are easy to get in place. Investing in tooling and technologies to protect digital infrastructure is one thing; ensuring that every control is actually working as intended, on every asset, is a far harder problem. In fact, 79% of enterprises report having experienced cyber incidents that should have been prevented by safeguards they already had in place.

Financial services firms have traditionally had more mature cybersecurity practices than other industries, both because of the critical data they hold and must protect and because cyber regulation reached them earlier. Yet with regulations changing and demanding more evidence that security controls are effective, it is crucial that security teams understand what to measure in order to stay secure and manage their security posture. The issue is that many are simply not sure what good looks like. Discussions between organizations and industry professionals about security governance are far less common than they should be.

However, there are benchmarks for cybersecurity controls that show what organizations should be aiming for. The right KPIs give a deeper understanding of security governance maturity and let enterprises keep improving their security posture management. These benchmarks are invaluable for financial services firms across the EU that must meet DORA, the Digital Operational Resilience Act, which applies from 17 January 2025.


Evolving regulation

DORA is an EU regulation that applies to financial entities operating in the EU and to the ICT third-party service providers that support them. It requires those entities to follow strict rules for improving operational resilience and reducing ICT risk. Its five pillars (ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing) together mandate that financial services firms actively manage digital risk, continuously monitor the effectiveness of their controls, and maintain a high level of cybersecurity protection.

While many financial organizations may believe they already comply, or at least monitor and demonstrate tool effectiveness on a semi-regular basis, the change needed for full compliance is significant. DORA requires organizations to set, evolve and evidence risk-based policies that prove their resilience. In practice this means continuously measuring and evidencing KPIs and metrics across every security domain, which is impractical at enterprise scale without automation.

What to measure first

For financial institutions unsure where to begin with DORA compliance, the best place to start is to set benchmarks for security control coverage. You simply don't know what you don't know: organizations in the financial industry need a complete view across all assets and a 'single source of truth' dataset that shows the status of each control on each asset.

Measuring control coverage answers the question 'are our security controls where we expect them to be?' For example, a team can set an objective for expected EDR (Endpoint Detection and Response) coverage and measure how many devices actually have EDR. An initial standard would be to report every seven days on whether each device is covered by EDR. A more mature measurement, and a desirable KPI for enterprises with significant investment and dedicated cyber resource, as many larger financial institutions have, is to check each day that every device seen on the network by another tool that day was also seen by the EDR tool on the same day. The asset list must come from a source independent of the EDR console: a device that appears in network or identity inventories but not in EDR is a coverage gap, and it will never show up if the EDR tool is the only inventory consulted.

The same approach applies to vulnerability scanner coverage and patching tool coverage. An initial standard for these controls could be that every asset is scanned at least once every 30 days, while a mature organization should scan at least once every seven.
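As an added example (not the article's or Panaseer's code), the following Python reconciles three constructed inventories, keyed by hostname and holding the last date each device was observed, to produce the KPIs described above: seven-day EDR coverage, same-day EDR reconciliation against the network source, and vulnerability-scan freshness at the 30-day and 7-day standards. The hostnames, dates and the assumption that a network source (such as DHCP or NAC logs), the EDR console and the vulnerability scanner can each export a last-seen date are illustrative; real data would be pulled from the tools' APIs.

```python
"""Control-coverage KPIs reconciled across tool inventories (added example).

Assumes three data sources, each a mapping hostname -> last date observed:
an asset reference (network source), the EDR console and the vulnerability
scanner. The reference inventory defines the asset universe; the controls
are measured against it, never against themselves.
"""
from datetime import date, timedelta

# Constructed sample data: illustrative hostnames and dates, not real assets.
AS_OF = date(2024, 11, 15)

NETWORK_LAST_SEEN = {
    "fin-ws-001": date(2024, 11, 15),
    "fin-ws-002": date(2024, 11, 15),
    "fin-ws-003": date(2024, 11, 14),
    "fin-srv-010": date(2024, 11, 15),
    "fin-srv-011": date(2024, 11, 15),
    "fin-lap-020": date(2024, 11, 9),
}

EDR_LAST_SEEN = {
    "fin-ws-001": date(2024, 11, 15),
    "fin-ws-002": date(2024, 11, 12),   # agent installed but not reporting today
    "fin-ws-003": date(2024, 11, 14),
    "fin-srv-010": date(2024, 11, 15),
    # fin-srv-011 has no EDR agent at all
    "fin-lap-020": date(2024, 11, 9),
    "fin-ws-099": date(2024, 11, 15),   # known to EDR but absent from the network source
}

VULN_LAST_SCAN = {
    "fin-ws-001": date(2024, 11, 10),
    "fin-ws-002": date(2024, 10, 1),
    "fin-ws-003": date(2024, 11, 13),
    "fin-srv-010": date(2024, 11, 14),
    "fin-srv-011": date(2024, 10, 20),
    # fin-lap-020 has never been scanned
}


def coverage_within(reference, control, as_of, window_days):
    """Baseline KPI: share of reference assets the control has seen within the window.

    Assets the control knows about but the reference does not are reported as
    'unexpected' (an inventory problem to chase) rather than counted as covered.
    """
    cutoff = as_of - timedelta(days=window_days)
    covered = {h for h in reference if h in control and control[h] >= cutoff}
    missing = sorted(h for h in reference if h not in covered)
    unexpected = sorted(h for h in control if h not in reference)
    pct = round(100.0 * len(covered) / len(reference), 1) if reference else 0.0
    return {
        "coverage_pct": pct,
        "covered": sorted(covered),
        "missing": missing,
        "unexpected": unexpected,
    }


def same_day_gaps(reference, control, day):
    """Mature KPI: assets seen by the reference on `day` but not by the control on `day`.

    A stale agent (seen last week) and a missing agent both count as a gap here,
    which is the point: the device was on the network today without the control.
    """
    active = {h for h, seen in reference.items() if seen == day}
    return sorted(h for h in active if control.get(h) != day)


def kpi_report(as_of=AS_OF):
    """The initial-standard and mature-standard KPIs described in the article."""
    return {
        "edr_7d": coverage_within(NETWORK_LAST_SEEN, EDR_LAST_SEEN, as_of, 7),
        "edr_same_day_gaps": same_day_gaps(NETWORK_LAST_SEEN, EDR_LAST_SEEN, as_of),
        "vuln_scan_30d": coverage_within(NETWORK_LAST_SEEN, VULN_LAST_SCAN, as_of, 30),
        "vuln_scan_7d": coverage_within(NETWORK_LAST_SEEN, VULN_LAST_SCAN, as_of, 7),
    }


if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name}: {value}")
```

On the sample data the seven-day EDR view reports 83.3% coverage with one host missing, while the same-day reconciliation flags two: the unmanaged server and a workstation whose agent stopped reporting three days ago. That second host is exactly what the weekly report hides, which is why the tighter KPI is the one to aim for once tooling and resourcing allow it.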

An evolving landscape

Regulation is increasing and placing new demands on security leaders for continuous monitoring of tools and measurement of metrics. It is understandable that security professionals are increasingly concerned about how to better understand and measure security maturity against risk.

The first step has to be checking whether what is in place is truly doing the job it promised. Creating realistic benchmarks and KPIs for the effectiveness of security controls will be invaluable for the financial services industry, not just for complying with DORA and proving that compliance, but also for achieving the 'basic' cyber hygiene that is so critical to stopping preventable breaches caused by control failures.
