CISOs are bombarded with pitches from security product vendors that all sound the same: “We give the CISO visibility.” They tout their dashboards, each claiming to offer the most comprehensive, in-depth view of the security landscape, send alerts to the SIEM, or give you various reports. But here’s the truth: visibility without actionability is just noise.
The problem with “visibility”
Security teams are flooded with alerts, each one screaming “potential threat!” But are they real threats? False positives? Anomalies that require further investigation? Frankly, we are drowning in a sea of meaningless data, and without context, prioritization, and actionable insights these alerts are just white noise, distracting from the true dangers lurking beneath.
Don’t get me wrong, I understand the importance of detection, but showing me a million flashing alerts, a myriad of dashboards, and a never-ending stream of logs is like giving a pilot a weather map without instruments or flight controls. It’s overwhelming, distracting, and ultimately useless.
With so much at stake, when security practitioners are flooded with all that data they get overwhelmed, frustrated, and ultimately make bad choices (or worse, no choices at all).
The need for actionability
What we need is actionable intelligence. We don’t need to know everything that’s happening; we need to know what matters, prioritize the threats, highlight the critical vulnerabilities, and have the ability to take action.
Here’s what actionable intelligence looks like to me:
- Data without context is meaningless: Don’t just tell me there’s a threat or vulnerability, tell me why it’s important and what it means in the context of my specific environment and business. Help me see the forest, not just the trees.
- Prioritization is key: Don’t drown me in alerts that each scream “URGENT!”; prioritize them based on risk and potential impact.
- Automation, not manual drudgery: We can’t sift through mountains of data manually. Automate responses as much as possible, and enable the security team to focus on the complex investigations and strategic decision-making.
- Integration matters: Our technology and security landscape is a complex ecosystem, not a walled garden. Can your solution integrate seamlessly with our existing tools? Can it share data, or will it just create another silo of isolated information?
- Actionable insights, not just reports: Don’t just tell us there’s a problem. Tell us how to fix it! Recommend remediation steps, provide guidance and offer clear, actionable plans to address the findings. Don’t leave us hanging, wondering what to do next.
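To make the context, prioritization and remediation points above concrete, here is a small added example (not code from the original post or from any vendor): it takes raw scanner findings, joins them to an asset inventory, re-ranks them by contextual risk instead of raw severity, and attaches a concrete next action and owner. All hosts, finding IDs, scoring weights and thresholds are constructed assumptions for illustration, not a standard formula.

```python
"""Context-aware prioritization of vulnerability findings.

Added illustration: constructed data, assumed weights. The point is that
three findings with the same raw severity end up with very different
priorities once asset context is applied, and that a finding with no
context is flagged as a gap rather than silently ranked.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    internet_facing: bool
    business_criticality: int  # assumed 1 (low) .. 5 (crown jewel)
    owner: str                 # who is expected to act


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float            # raw severity as reported by the scanner
    known_exploited: bool  # e.g. present in an exploited-in-the-wild feed
    patch_available: bool


# Constructed inventory (hypothetical hosts, not real systems).
ASSETS = {
    "db-prod-01": Asset("db-prod-01", False, 5, "dba-team"),
    "web-prod-03": Asset("web-prod-03", True, 4, "platform-team"),
    "dev-sandbox": Asset("dev-sandbox", False, 1, "eng-team"),
}

# Constructed scanner output: two 9.8s and a 7.5, plus a host nobody owns.
FINDINGS = [
    Finding("dev-sandbox", "vuln-A", 9.8, False, True),
    Finding("web-prod-03", "vuln-B", 7.5, True, True),
    Finding("db-prod-01", "vuln-C", 9.8, False, False),
    Finding("unknown-host", "vuln-D", 9.8, False, True),
]

ACT_NOW = 40.0     # assumed thresholds for triage buckets
SCHEDULE = 10.0


def risk_score(f: Finding, asset: Asset) -> float:
    """Raw severity weighted by business context (assumed weights)."""
    score = f.cvss * asset.business_criticality
    if asset.internet_facing:
        score *= 1.5   # reachable by anyone on the internet
    if f.known_exploited:
        score *= 2.0   # exploitation is not theoretical
    return round(score, 1)


def bucket(risk: float) -> str:
    if risk >= ACT_NOW:
        return "act now"
    if risk >= SCHEDULE:
        return "schedule"
    return "backlog"


def recommend(f: Finding, asset: Asset) -> str:
    """The concrete next step the owner is expected to take."""
    if f.patch_available:
        return f"{asset.owner}: patch {f.vuln_id} on {asset.name}"
    if asset.internet_facing:
        return f"{asset.owner}: no patch for {f.vuln_id}; reduce exposure of {asset.name}"
    return f"{asset.owner}: no patch for {f.vuln_id}; apply compensating control on {asset.name}"


def prioritize(findings, assets):
    """Return (ranked findings with context and action, findings lacking context)."""
    ranked, unmapped = [], []
    for f in findings:
        asset = assets.get(f.asset)
        if asset is None:
            unmapped.append(f.vuln_id)  # context gap: surface it, don't guess
            continue
        risk = risk_score(f, asset)
        ranked.append({
            "asset": asset.name,
            "vuln": f.vuln_id,
            "cvss": f.cvss,
            "risk": risk,
            "bucket": bucket(risk),
            "action": recommend(f, asset),
        })
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked, unmapped


if __name__ == "__main__":
    ranked, unmapped = prioritize(FINDINGS, ASSETS)
    for r in ranked:
        print(f"[{r['bucket']:8}] risk={r['risk']:5} cvss={r['cvss']} {r['action']}")
    print("needs asset context first:", unmapped)
```

Run as written, the 7.5 on the internet-facing, actively exploited web host ranks first, the unpatchable 9.8 on the production database second with a compensating-control action, and the 9.8 on a throwaway sandbox drops to the backlog; the finding on an unknown host is reported as a context gap rather than ranked on raw severity.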
Who needs visibility (and actionability)?
The visibility that most security tools provide is needed not only by the security team but also by everyone else in the organization to perform their job in a safe and secure manner. For example:
- The security team: Needs visibility into information for governance purposes, identifying risky systems, detecting and responding to events and incidents, and partnering with the business to mitigate the risks.
- System owners / administrators: Need visibility into information to maintain their systems’ hygiene (patching, secure configuration, etc.), and they need actionable advice to prioritize the work based on risk.
- Engineers: Need visibility into information to address defects in their code during the Software Development Lifecycle, and they need actionable advice on how to prioritize remediation and implement secure coding practices.
- Users: Need visibility into information that will keep them safe while performing their job.
Above all, the information needs to provide clear advice about what action the individual is expected to take, in a way that is easy to follow.
Does the CISO need visibility?
Every time I hear vendors say “We give the CISO visibility …”, my immediate reaction is “… so that … what? What do you expect the CISO to do with that visibility?” CISOs don’t usually sit in the middle of a mission control center, watching endless dashboards, waiting to see when someone is not behaving properly so they can get off their chair and go beat them over the head with a stick.
The CISO is not the enforcer! The CISO is a business and technology leader who helps guide the business on mitigating the risks from cyber security threats. They need strategic intelligence to help them make decisions, take action, and communicate with various stakeholders, mostly using metrics and trends. For example:
- Coverage of security capabilities
- Change velocity of technical debt
- Efficacy of incident detection and response
- Compliance with regulatory requirements
- Risks, mitigations and trends over time
- etc.
I will discuss metrics in a different post.
Conclusion
The next time a vendor boasts about their “visibility” solutions, remember: true power lies in actionable intelligence. We need tools that cut through the noise, prioritize threats, and empower decisive action. Don’t just show us the storm; equip us with the radar, instruments, and flight plan to navigate it safely. Our businesses, our data, and our future depend on it.