New CRQ Feature: CIS IG Level Controls
January 16, 2023
Incorporating CIS Critical Security Controls Implementation Group (IG) Level Controls
Two years ago, Kovrr took a distinctive approach to cyber risk modeling and financial quantification (FQ) and expanded into the enterprise market. After years of quantifying the risk of portfolios for global insurers and reinsurers, Kovrr had built expertise in risk quantification, specifically in acquiring high-quality data to feed our models and in reaching fast time to value through automation.
The data from the insurance partners enabled us to avoid the subjective point of view often pushed into models based on personal experience. The automation aspect ensured that CISOs would not spend endless hours filling out questionnaires about their company and the possible cyber risks.
To lower the onboarding barrier for CISOs, Kovrr created a simple questionnaire with a short list of general questions about the modeled company. Questions on the company's security controls were made binary, for example, whether the company has a specific security control in place or not. This product team decision ultimately allowed accurate and extremely fast quantification.
When discussing security controls, every conversation we had with our clients raised the need for actionable mitigation recommendations for those controls. Most POCs finished with, "WOW, this is an amazing ability, but what should I do with this information? How can I reduce the risk?"
With the number of user requests for this feature, we just could not ignore it (I will elaborate on how we keep track of user and prospect requests in my next blog post). So the next step of Kovrr’s strategic tools for CISOs began. We started the "mitigation initiative," and spent weeks researching how we could provide it in our platform.
We then joined the CIS Controls community, one of the largest communities around a security controls standard, and built close relationships there so that we would have the most accurate data on how implementing each control affects a company's risk. Next, Kovrr began the challenging journey of validating and calibrating our solution, which took weeks.
Adding risk mitigation introduced a new dilemma: we needed to double the number of inputs, which meant users would have to add more subjective data and spend additional time doing so. To overcome this, we found a solution that strengthens both values - based on the company's certifications and industry, we were able to create baseline assumptions for each of the controls.
If a client was unsure or didn’t want to spend the additional time, they could mark an “I don’t know” option, which would automatically add an input for each control based on benchmark data allowing the user to seamlessly continue their quantification process.
Finally, after weeks of work, we had our first version of the control recommendations feature out - and the market response was extremely positive. We saw consistent use by clients in our analytics and our sales team saw it was often a game-changer in deal closings.
Mission accomplished...or so we thought.
The story of the mitigations initiative didn't stop here. As users adopted the feature, it became clear that in order to truly prioritize cyber projects, the controls would need to be captured in great detail for certain parts of the organization and in less detail for others.
This comes from the inherent concept that the maturity of security controls across an entire organization can differ based on department, geography, etc. Users requested more granularity and options to carve out a more accurate picture of the state of the controls in their company.
While it would be great to say “ask and you shall receive,” Kovrr again found itself in the same dilemma as before. We needed to stay true to our goal of barrier-less quantification; however, more inputs could create more complexity.
How CIS IG Level Controls Contribute to More Accurate Quantification Results
This is where we put a crucial focus on user experience. We needed to make sure we weren’t sweeping users into the painstaking data collection process performed by consulting firms. The user experience was built to offer flexibility.
By simultaneously supporting both a company-wide control input and asset-group control inputs, we were able to add granularity with minimal complexity and let users decide when they wanted to refine their input. The output (recommendations) also reflects the chosen level of input granularity.
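The layering described in the two passages above (company-wide answers, asset-group overrides, and an “I don't know” option that falls back to an industry benchmark) can be made concrete with a small resolver. The code below is an added illustration written for this post, not Kovrr's code or model; the control IDs, the benchmark fractions and the asset groups are constructed sample values, and the only property taken from the CIS standard is that the Implementation Groups are cumulative (IG1 is the minimum set, IG2 includes IG1, IG3 includes everything). It also goes one step beyond the text by ranking the weakest controls within a target IG level, which is the kind of prioritization output the recommendations feature produces.

```python
"""Resolve layered security-control inputs and rank the weakest controls.

Added example; hypothetical data model, not the product's implementation.
Precedence for each (asset group, control) pair:
    asset-group answer > company-wide answer > industry benchmark
An explicit "I don't know" at either level also falls back to the benchmark.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Answer(Enum):
    YES = "yes"
    NO = "no"
    UNKNOWN = "I don't know"   # user opted out; use the benchmark instead


@dataclass(frozen=True)
class Control:
    id: str
    title: str
    ig: int   # lowest Implementation Group that requires it (IG1 ⊂ IG2 ⊂ IG3)


# Constructed control list with hypothetical IDs; not the CIS catalogue.
CONTROLS: List[Control] = [
    Control("C-INV", "Enterprise asset inventory", 1),
    Control("C-MFA", "MFA for remote access", 1),
    Control("C-LOG", "Centralized log collection", 2),
    Control("C-PEN", "Periodic penetration testing", 3),
]

# Constructed benchmark: fraction of companies in an industry with the control
# in place. Real products would derive this from calibrated data.
BENCHMARK: Dict[str, Dict[str, float]] = {
    "finance": {"C-INV": 0.90, "C-MFA": 0.85, "C-LOG": 0.75, "C-PEN": 0.60},
    "retail":  {"C-INV": 0.65, "C-MFA": 0.55, "C-LOG": 0.40, "C-PEN": 0.25},
}


def _score(answer: Optional[Answer], benchmark: float) -> Optional[float]:
    """Map one answer to a likelihood that the control is implemented."""
    if answer is None:
        return None            # no answer at this level: defer to the next one
    if answer is Answer.YES:
        return 1.0
    if answer is Answer.NO:
        return 0.0
    return benchmark           # Answer.UNKNOWN


def resolve(industry: str,
            company_wide: Dict[str, Answer],
            asset_groups: Dict[str, Dict[str, Answer]]) -> Dict[str, Dict[str, float]]:
    """Return {asset_group: {control_id: likelihood the control is in place}}."""
    bench = BENCHMARK[industry]
    resolved: Dict[str, Dict[str, float]] = {}
    for group, overrides in asset_groups.items():
        resolved[group] = {}
        for control in CONTROLS:
            b = bench[control.id]
            score = _score(overrides.get(control.id), b)
            if score is None:
                score = _score(company_wide.get(control.id), b)
            if score is None:
                score = b      # nothing answered anywhere: benchmark only
            resolved[group][control.id] = score
    return resolved


def prioritize(resolved: Dict[str, Dict[str, float]],
               target_ig: int, limit: int = 3) -> List[Tuple[str, str, float]]:
    """Weakest (asset group, control) pairs among controls the target IG requires.

    Because IGs are cumulative, a control belongs to the target level when its
    own IG is less than or equal to it.
    """
    rows = [(group, c.id, scores[c.id])
            for group, scores in resolved.items()
            for c in CONTROLS if c.ig <= target_ig]
    rows.sort(key=lambda row: row[2])   # stable: ties keep group/control order
    return rows[:limit]


# Constructed sample input: one company-wide questionnaire plus one subsidiary
# that answered differently for two controls.
SAMPLE_COMPANY_WIDE = {"C-INV": Answer.YES, "C-MFA": Answer.UNKNOWN, "C-LOG": Answer.NO}
SAMPLE_ASSET_GROUPS = {
    "HQ": {},
    "EU-subsidiary": {"C-MFA": Answer.NO, "C-LOG": Answer.YES},
}

if __name__ == "__main__":
    state = resolve("finance", SAMPLE_COMPANY_WIDE, SAMPLE_ASSET_GROUPS)
    for group, scores in state.items():
        print(group, scores)
    print("IG2 priorities:", prioritize(state, target_ig=2))
```

Running the block shows the effect of each layer: HQ inherits the company-wide “I don't know” for MFA as the 0.85 finance benchmark and the unanswered penetration-testing control as 0.60, while the EU subsidiary's explicit answers replace the company-wide ones. The IG2 prioritization then surfaces the two controls answered “no” first, which is exactly the per-group granularity the feature was built to expose.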
Today Kovrr is proud to offer a state-of-the-art recommendation feature, giving users the ability to go from statistical to tactical. But Rome was not built in a day. We needed several iterations, validating each step, to make sure we were moving in the right direction. We’ll keep you updated on our next upgrade to the feature!