Those tools are a natural fit for evolving risk-management frameworks such as the US government's Cybersecurity Framework (CSF) and Risk Management Framework (RMF), which have been established to help US government agencies better quantify and manage their risk from cybersecurity and other forms of operational risk.
The CSF, for example, is among the processes to be discussed at GSRMS; it outlines a seven-step process by which organisations can develop and iteratively improve a cybersecurity framework. By helping organisations create a Current Profile and a Target Profile, the framework says, comparing the gaps between the two "enables the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements" that are captured in formal Action Plans.
Visibility of those activities is crucial to delivering on CSF-driven Action Plans, with continuous monitoring capabilities positioned as a core enabler of the Detect element of CSF's five Framework Core Functions - which include Identify, Protect, Detect, Respond, and Recover.
The Detect function, the standard says, "enables timely discovery of cybersecurity events" - and this is where board-level involvement with cybersecurity is truly put to the test. After all, if security practitioners lack the visibility to meet requirements around timely discovery of cybersecurity events, they also lack the ability to keep high-level business executives apprised of the organisation's real risk profile - and it's only a matter of time until this omission comes back to bite all concerned.
While surveys show greater executive recognition of the security of cloud platforms, the workloads they carry each have their own vulnerabilities that must be managed by the organisations running those workloads. And this, says Farquhar, underscores the need for a comprehensive visibility framework that supports CSF and other risk-management processes.
"Workloads need to be deployed with proper attention to privacy and compliance," he explains. "By moving workloads to the cloud service provider you haven't lost responsibility for that workload. What you have lost, if you leave it, is the visibility you need to properly deal with that responsibility. And if a business requires this visibility, it needs to be selecting the CSPs that offer what they need."
Armed with the right visibility and the right tools for evaluating overall information-security risk, CISOs are better equipped than ever to communicate the changing risk profile of the organisation to an ever more receptive executive audience.
Better visibility and metrics will also allow the creation of key risk indicators (KRIs) - dashboard-style measures of risk exposure that, as Gartner vice president and distinguished analyst Paul Proctor will outline at the GSRMS, allow the establishment of frameworks for building "business-aligned security and technology risk metrics".
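The Current Profile versus Target Profile comparison described earlier, and the per-function KRI this paragraph alludes to, can be made concrete in a few lines. The following is an added illustration, not code from the article or from NIST: it scores each CSF subcategory on an assumed 0..4 implementation scale, turns the gaps into a prioritised Action Plan, and reports the percentage of subcategories already at target as a simple coverage KRI per Framework Core Function. The subcategory identifiers follow the CSF naming pattern (e.g. DE.CM-1), but the scores and business weights are constructed sample data.

```python
"""Minimal NIST CSF Profile gap analysis (added example, not NIST's own tooling).

Scores use an assumed 0..4 implementation scale (0 = not implemented,
4 = fully adaptive). The Target Profile defines the scope: a subcategory
present in the target but not yet assessed in the Current Profile is
treated as 0 so that it surfaces in the Action Plan rather than being lost.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SCALE_MAX = 4  # assumption: 0..4 implementation scale


@dataclass(frozen=True)
class GapItem:
    subcategory: str   # e.g. "DE.CM-1"
    function: str      # CSF Core Function prefix: ID, PR, DE, RS, RC
    current: int
    target: int
    weight: int        # business priority multiplier (assumed, default 1)

    @property
    def gap(self) -> int:
        # Only shortfalls matter; exceeding the target is not a gap.
        return max(self.target - self.current, 0)

    @property
    def priority(self) -> int:
        return self.gap * self.weight


def _check_score(name: str, score: int) -> None:
    if not 0 <= score <= SCALE_MAX:
        raise ValueError(f"{name}: score {score} outside 0..{SCALE_MAX}")


def build_action_plan(current: Dict[str, int], target: Dict[str, int],
                      weights: Optional[Dict[str, int]] = None) -> List[GapItem]:
    """Return the subcategories with a shortfall, highest priority first."""
    weights = weights or {}
    plan: List[GapItem] = []
    for sub, tgt in target.items():
        _check_score(sub, tgt)
        cur = current.get(sub, 0)          # unassessed counts as not implemented
        _check_score(sub, cur)
        item = GapItem(sub, sub.split(".")[0], cur, tgt, weights.get(sub, 1))
        if item.gap > 0:
            plan.append(item)
    # Deterministic ordering: biggest weighted gap first, then by identifier.
    plan.sort(key=lambda g: (-g.priority, g.subcategory))
    return plan


def coverage_kri(current: Dict[str, int], target: Dict[str, int]) -> Dict[str, float]:
    """Percentage of target subcategories already met, per Function and overall."""
    met: Dict[str, int] = {}
    total: Dict[str, int] = {}
    for sub, tgt in target.items():
        fn = sub.split(".")[0]
        total[fn] = total.get(fn, 0) + 1
        if current.get(sub, 0) >= tgt:
            met[fn] = met.get(fn, 0) + 1
    kri = {fn: round(100.0 * met.get(fn, 0) / total[fn], 1) for fn in total}
    kri["ALL"] = round(100.0 * sum(met.values()) / len(target), 1) if target else 100.0
    return kri


# Constructed sample profiles (not real assessment data).
CURRENT_PROFILE = {
    "ID.AM-1": 3, "ID.AM-2": 1, "PR.AC-1": 3, "PR.AC-4": 1,
    "DE.CM-1": 1, "DE.CM-7": 0, "RS.RP-1": 2, "RC.RP-1": 2,
}
TARGET_PROFILE = {
    "ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3, "PR.AC-4": 3,
    "DE.CM-1": 4, "DE.CM-7": 3, "RS.RP-1": 3, "RC.RP-1": 2,
    "DE.AE-3": 3,   # in the target but not yet assessed
}
# Assumed business weights: continuous-monitoring and access-control gaps weigh more.
WEIGHTS = {"DE.CM-1": 3, "DE.CM-7": 3, "PR.AC-4": 2}

if __name__ == "__main__":
    for g in build_action_plan(CURRENT_PROFILE, TARGET_PROFILE, WEIGHTS):
        print(f"{g.subcategory:9} {g.current}->{g.target}  priority={g.priority}")
    print(coverage_kri(CURRENT_PROFILE, TARGET_PROFILE))
```

With the sample data the two Detect continuous-monitoring subcategories top the Action Plan and the Detect function shows 0% coverage, which is exactly the kind of board-level signal the article argues visibility should produce.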