Benefits of Continuous Control Monitoring and Cybersecurity Performance Management

Published On: April 9, 2024Categories: Cybersecurity, Performance Management, Blog

As leaders, sometimes we believe progress is being made, when in fact just the opposite is occurring. With the lack of real time feedback, it becomes a guessing game. This happens when we lack systems in place to detect and respond to our progress as a whole. Requiring security teams to pivot into a reactive mode loses time, increases risk, and frustrates team members based on lack of progress.

When automating your security program, consider the order of priority in tool selection to measure risk, control effectiveness, and overall continuous alignment to business objectives. Oftentimes security teams tend to first focus on measuring security controls without adding context to the business goals, required investments, and desired outcomes.

Both Cybersecurity Performance Management (CPM) and Continuous Control Monitoring (CCM) are critical practices that contribute to an organization’s overall security posture, but they serve very different functions and focus areas. If we use the analogy of measuring speed but not having a clear view of our progress toward a destination, then all we’ve done is collect data. In cybersecurity, examples of collecting data without clear context to our progress take the form of patch levels, quantity of vulnerabilities, time to incident detection and response, and similar operational metrics.

All these examples are equivalent to measuring the motion of security operations and yet can fail to provide insight into overall progress for effective story telling of the security program’s status.

Let’s look at a summary of the differences between CCM and CPM:

Cybersecurity Performance Management (CPM) Summary

Cybersecurity performance management has a broader, strategic focus on aligning cybersecurity performance with business goals. Cybersecurity performance management includes a process or platform that delivers a process to set and monitor performance metrics, aggregated control performance reporting, and strategic planning. Cybersecurity performance management aims to ensure that strategies for your cybersecurity program are effective and align with business objectives. In short, Cybersecurity Performance Management measures progress.

Continuous Control Monitoring (CCM) Summary

Continuous control monitoring is more tactical, focusing on technical control monitoring such as configurations, application or system vulnerabilities, and other technical controls. Continuous control monitoring provides enforcement of security controls on systems where these tools are deployed and provides alerting and, in some cases, automated remediation of control failures or vulnerabilities. In short, continuous control monitoring measures the motion of controls.

As we see in the summary above, continuous control monitoring is much more operational and tactical whereas cybersecurity performance management is more strategic in focus. What we have done at TrustMAPP is use the output from CCM tools and align that output to a customer’s adopted control framework to inform the overall performance of controls and inform priorities, risk, and alignment to business objectives. These activities inform the prioritization of a cybersecurity roadmap, ultimately delivering the context required to describe the progress of the cybersecurity program.

Setting up for Success with Continuous Control Monitoring

For a successful implementation of CCM, consider the following characteristics and activities:

  1. Select controls as your core “framework” to use CCM technology on. This can be a standard control framework such as ISO 27002 or NIST CSF for example. This identified control framework can also be a custom control framework designed for your company’s environment.
  2. For successful continuous control monitoring, consider controls that are used in high frequency across multiple assets. For example, these controls are running or used at least daily or more frequently.
  3. The system that the control runs should generate structured data about the control in question so automated tools can interpret the current setting, configuration, and condition of the control on a targeted system.
  4. The evidence (data generated about the control) can be automatically pulled into third-party software (for example, compliance operations or a Cybersecurity Performance Management platform) and used for quantifying control performance and informing control maturity.
  5. Like incident response, CCM requires the definition of processes to manage alerts, communicate, investigate, and remediate the control weaknesses discovered from active monitoring.

Setting up for Success with Cybersecurity Performance Management

Cybersecurity performance management can be used without other major tool types like GRC, Continuous Control Monitoring, or even vulnerability management tools. Cybersecurity performance management platforms should have the following capabilities.

These capabilities were written by Ed Amoroso of TAG Cyber with intention that these requirements can be used for qualifying Cybersecurity Performance Management solutions in the marketplace.

AUTOMATION REQUIREMENTS FOR SECURITY PERFORMANCE MANAGEMENT PROJECTS
The organization assigns [Assignment: organization-defined personnel or roles] responsibility to deploy and manage the security performance management platform tool used by [Assignment: organization-defined group or individual performing the security performance management] that addresses the following requirements:

  1. WORKFLOW INTEGRATION FOR SECURITY PERFORMANCE MANAGEMENT PROJECTS
    Provides ongoing automated integration via application programming interfaces (APIs) for all security performance management findings into the organization’s preferred workflow management tools for security, including any incident response systems, trouble ticketing systems, and governance, risk, and compliance (GRC) platforms;
  2. ANALYSIS SUPPORT FOR SECURITY PERFORMANCE MANAGEMENT PROJECTS
    Supports ongoing automated analysis of all vulnerability and attack-related findings from the security performance management, including the ability to integrate with the organizational Security Information and Event Management (SIEM) tool, as well as to integrate with any security analytic tools for forensics, threat hunting, or endpoint security detection and response (EDR);
  3. PLANNING TOOLS FOR SECURITY PERFORMANCE MANAGEMENT PROJECTS
    Supports integration of all findings from the security performance management into preferred project management and tracking platforms to ensure timely closure of all actions;
  4. MEDIATION SUPPORT FOR SECURITY PERFORMANCE MANAGEMENT PROJECTS
    Provides a means for tracking, managing, and measuring the effectiveness of any security mediation activities dictated in the findings from the security performance management; and
  5. METRICS TRACKING FOR SECURITY PERFORMANCE MANAGEMENT PROJECTS
    Provides support to define and track preferred metrics (including costs, staff allocation, and time) associated with the security performance management project and any subsequent actions dictated by project findings. This must include the ability to generate summary reports for executives, managers, and operational teams with the ability to flexibly tailor the metrics being reported to the needs of the group reviewing the reports.

Supplemental Guidance: These recommendations are based on the presumed availability of commercial platforms that support automated support for security performance management projects. This is a new area of the commercial cybersecurity community, so buyers must take time to perform the necessary research and source selection activities to locate a suitable provider.

To view the full whitepaper on selecting requirements for a Cybersecurity Performance Management platform from Ed Amoroso in its entirety, please visit: https://trustmapp.com/wp-content/uploads/2024/03/Article-Security-Performance-Management.pdf

Cybersecurity Management

In summary, both Continuous Control Monitoring (CCM) and Cybersecurity Performance Management (CPM) are essential practices for maintaining a robust cybersecurity posture. CPM focuses on managing and optimizing the performance of cybersecurity initiatives at a strategic level, informing priorities for improvement while providing executive-level reporting on key metrics. In contrast, CCM focuses on the ongoing, automated monitoring, and enforcement of security controls at a tactical level.

To take advantage of both types of solutions, choose a performance management platform that can integrate the output of your control monitoring platform. Then rely upon your performance managment platform to inform control maturity and compliance, highlighting priorities, roadmap alignment to business objectives, and forecasting investment for improvement.

Ultimately, combining the two solutions provides ideal control monitoring at the asset level while using this information to inform strategic plans and relative investments for the future success of your cybersecurity program. This combination will give you both measurement of control motion and context to your security program’s progress.