This is an excerpt from our continuous assurance whitepaper.

Every business is different. While there is certainly commonality in some of the platforms, technologies and applications in use, and re-usable components arise from this, continuous assurance is not something that can be bought ‘off the shelf’.

Implementing a continuous assurance capability involves a collaborative effort between multiple teams and skill sets: the data team pulls the data together, the cyber team defines the metrics to accurately reflect the security state, and the digital team builds the dashboards and visualisations to bring the resulting models to life.

What actions are required?

  • Before a single piece of code is written, boards need to decide what they want the reporting system to shine a light on. For example, ask yourself, are we meeting our own internal security and compliance standards, or is there a regulatory requirement we need to meet? Are we doing a good job or do we need to know exactly where we’re not doing so well? Where do we need additional funding to address any failings?
  • Once the board has clarity on the strategic purpose of the system, it needs to decide how the data is aggregated. Measuring one metric might allow a simplistic single data point for top-line comparisons, but a data-rich, holistic report is a powerful way to see the big picture.
  • Thought should then be given to how attribution will occur, and how the dashboard will be broken down by individual business units, departments, applications, application criticality and so on.

Bringing the data together

Enter the data team. After the parameters of the assurance model have been set, the job of collating, analysing and visualising this data begins. Here is an indicative example of how a Mantel team would build a dashboard for real-time cyber analysis.
  • Organise source data from individual PCs, anti-malware software, endpoint controls, and network controls to view security controls by cyber, data, digital and cloud.
  • Move from manual analysis to automated analysis.
  • Create a dashboard carrying all key information, including an automatically generated security score. This score can be viewed in real-time, as well as compared historically.
  • If, for example, cyber security is worse than it was six months ago or six days ago, it will be obvious.
  • Option to introduce automation and leverage Generative AI to review and analyse self-assessment reports at scale.
  • Sourcing data on a real-time or near-real-time basis means you can drill down and see where the actual problem is.
  • No subjective input from someone tasked with updating slides once every twelve months.
  • A continuous assurance model gives genuine granularity, and allows the board and management to view security outcomes at both business unit and system level.

Much of the problem being solved by a continuous assurance approach is not, in fact, a 'cyber security' problem. Rather, it's a data problem, as well as a visualisation problem.

If it is a truly complicated multi-step process with an uncertain decision path, that requires a lot of assumed information and autonomous decision making, then yes, an agent might be the right approach. Throughout the week, in both conference sessions and on the expo floor, customers were talking through their Agent use cases. However, the majority of these use cases fell within three brackets:

Cyber security professionals are, on the whole, incredible at what they do, but their skillsets don’t usually extend to being masters of communication. This is, however, something that professional communicators in a digital team are able to do.

Having a cyber partner, such as Mantel, that has deep expertise and a track record of bringing the cyber arm of the business together with the digital communication arm, is the key to unlocking true reporting excellence via real-time dashboards.

Continuous assurance with enterprise reporting solves the problem of making cyber security data more usable, from the perspectives of the executives who are consuming it. It also increases confidence in the data being presented, and allows teams to see how they can contribute to the overall security and compliance of the organisation.

In short, it’s being able to check an organisation’s cyber security at any moment, not just once a month.

I have no doubt that Agents will play a huge part in the future of AI, and we are already seeing innovative companies across the world invest in this technology and automate both simple and highly complicated processes. However, it’s good to remember that agents are merely the latest technology in a long line of AI technologies, and it’s more important to select the right technology for the use case rather than opting for the biggest weapon in the arsenal for every task.