From Burnout to Breakthrough: How CISOs Are Reclaiming Control with Continuous Controls Assurance
Free the CISO, a podcast series that attempts to free CISOs from their shackles so they can focus on securing their organization, is produced by CIO.com in partnership with DataBee®, from Comcast Technology Solutions.
In each episode, Robin Das, Executive Director at Comcast under the DataBee team, explores the CISO’s role through the position’s relationship with other security stakeholders, from regulators and the Board of Directors to internal personnel and outside vendors.
From Burnout to Breakthrough: How CISOs Are Reclaiming Control with Continuous Controls Assurance
Author: Nicole Bucala
Today's CISOs are juggling more than ever: threats, tools, compliance and burnout. As CEO of DataBee, I have the privilege of interacting with CISOs and hearing about their challenges firsthand. A recent podcast conversation with Dave Bittner of CyberWire inspired me to share some of what I’ve been hearing from security leaders in the trenches.
Adhering to your framework(s): Executive reporting of security metrics
I’ll dive right in: The number one thing I find CISOs to be grappling with is the increasing demand for reporting to show compliance with certain security frameworks. DataBee has customers that follow NIST CSF 2.0. We have customers that need to show compliance with the PCI DSS 4.0 regulations, and customers that have to show a set of dashboards that align to Gartner ODM (outcome-driven metrics). We also have customers that have a mandate to align to the CIS (Center for Internet Security) controls, all 18 of them. So, this need for reporting—against whatever set of frameworks the customer has adopted—has created a lot of pressure on security and risk teams. They're looking for ways to automate the reporting and to have higher fidelity in the data that underlies the reporting.
It's been interesting to see such a wide variety of frameworks in use, yet the underlying mission for the CISO is all the same, regardless of the framework he or she has standardized on:
- How can I have better faith in the security controls that my team uses?
- Where are the remaining gaps?
- What do I need to do to close those gaps?
Sometimes our customers need to prove, whether it's to regulators or to their board, that they have certain controls, that they know where the blind spots are and that they're taking action to eliminate those blind spots. How do they do this? With data. CISOs have to provide evidence, and evidence is just data. So, you want to make sure you have the right data to provide that good evidence (and to stay out of trouble!).
The age-old problem: Connecting the dots to demonstrate compliance
How to connect the data dots to demonstrate compliance? It’s the age-old problem that many CISOs are still working to solve.
The traditional approach that folks used to take (I’m sure some still do) was to output a static data file to something like a CSV spreadsheet. Then they found themselves working with data in different spreadsheets and trying to merge that data into some sort of dashboard with typical images, like pie charts and bar charts, attempting to tell a story. The problem with that traditional approach is that, as soon as you export data to a CSV, the data is now old. If you have a need to do reporting continuously or, if not continuously, then on some recurring basis—perhaps quarterly or yearly—the act of having to wrangle everything together in spreadsheets ends up creating an inaccurate submission at the end of the day.
DataBee: Evidence of continuous compliance for risk management
Comcast’s global CISO, Noopur Davis, knew the challenges of compliance reporting only too well, so she and her team in Comcast Cybersecurity set out to do something about it. Being a highly regulated critical infrastructure company, Comcast has to be accountable for adherence to many regulations and privacy guidelines. To break the laborious spreadsheet cycle, the Comcast team worked long and hard to create a security data fabric platform that could weave together disparate security and business data automatically, quickly, and on a continuous basis, revealing any compliance gaps to fix along the way.
DataBee is modeled on the Comcast security data fabric platform. We have a proprietary ingest/parsing/normalization and correlation technology that allows for any data to be continuously ingested, organized and then triangulated, producing a dataset that is always ready for analysis. On top of our platform, we’ve built role-based reports and dashboard templates, aligned with the frameworks that I mentioned earlier, that draw on that data and render the data into over 30 of the most common controls metrics that a leader of security and risk in a regulated company would want to see today.

The reports that DataBee can produce give customers the ability to toggle between different regulatory frameworks; one framework might require multi-factor authentication (MFA), others might insist on endpoint detection and response (EDR). The ability to toggle between frameworks further aids in the automation of compliance reporting and reduces the amount of manual work that any data reporting team is going to have to do. It also gives the CISO an excellent tool for addressing the demands of so many different bosses! Need a report that “speaks” to the CEO and to the Board? No problem. Require evidence for regulators and auditors? Sure thing.
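To make the framework-toggle idea concrete, here is an added illustration (not DataBee code, and not the actual requirement text of any named framework): normalized per-asset control evidence is mapped onto two hypothetical framework definitions, one that asks only for MFA and one that asks for MFA and EDR, and evidence older than a freshness window is counted as a gap rather than a pass, which is the staleness problem the spreadsheet approach hides. Asset names, timestamps and the framework mappings are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: normalized per-asset control evidence, the kind of
# record a data fabric would produce after ingesting IdP and EDR telemetry.
# "seen" is when that evidence was last refreshed.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EVIDENCE = [
    {"asset": "srv-01", "mfa": True,  "edr": True,  "seen": NOW - timedelta(hours=2)},
    {"asset": "srv-02", "mfa": True,  "edr": False, "seen": NOW - timedelta(hours=6)},
    {"asset": "lap-07", "mfa": False, "edr": True,  "seen": NOW - timedelta(days=45)},
    {"asset": "lap-09", "mfa": True,  "edr": True,  "seen": NOW - timedelta(days=1)},
]

# Hypothetical framework-to-control mappings (illustrative only): each
# framework lists the normalized controls it expects on every asset.
FRAMEWORKS = {
    "framework_A": ["mfa"],
    "framework_B": ["mfa", "edr"],
}

# Evidence older than this is treated as stale, never as a pass.
MAX_EVIDENCE_AGE = timedelta(days=30)


def assess(framework, evidence=EVIDENCE, now=NOW, max_age=MAX_EVIDENCE_AGE):
    """Return per-control coverage for one framework: percentage of assets
    with fresh, passing evidence, plus the assets that are gaps or stale."""
    report = {}
    for control in FRAMEWORKS[framework]:
        passing, gaps, stale = [], [], []
        for rec in evidence:
            if now - rec["seen"] > max_age:
                stale.append(rec["asset"])      # evidence too old to trust
            elif rec[control]:
                passing.append(rec["asset"])    # fresh evidence, control present
            else:
                gaps.append(rec["asset"])       # fresh evidence, control missing
        report[control] = {
            "coverage_pct": round(100 * len(passing) / len(evidence), 1),
            "gaps": gaps,
            "stale": stale,
        }
    return report


if __name__ == "__main__":
    for name in FRAMEWORKS:
        print(name, assess(name))
```

Switching the framework argument changes which controls are scored while the underlying evidence stays the same, which is the toggle the paragraph describes.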
DataBee for Continuous Controls and Risk Management (CCRM) supports the most popular security frameworks; provides evidence-backed reporting on compliance and security gaps and on the organization's progress toward remediating those gaps; and makes it easier for CISOs to communicate compliance and risk posture all the way up to the Board, using metrics that they value.
There’s no need for CISOs and their teams to spend countless hours and untold anxiety over creating reports that show evidence of compliance to their organization’s security frameworks. Give that burden to DataBee for CCRM, which connects all necessary controls data and automatically weaves it into actionable insights and metrics that matter.