Empower the CISO, empower the Data Protection Officers

Recently we gave a presentation at the annual SerNet conference; see the video [in German] and the slides.

SerNet provides the most widely used ISMS tool in Germany. The software builds on a long open source history. Technologically it uses the Eclipse Rich Client Platform (RCP).

Our contribution was an add-on for verinice (see the sources on GitHub, branch M365-PoC), which uses the Microsoft Graph API to show the current information from the M365 Compliance Manager and Security Center. This is nothing new for M365 admins, but CISOs usually see it for the first time. The add-on grew out of engagements in the public as well as the private sector. We often see a lack of transparency: data protection officers (DPOs, mostly with a legal background) and CISOs have no timely and comprehensive information about the real vulnerabilities and risks within their own responsibility. This has structural reasons, because CISOs and DPOs should not report to the IT department, so by definition they are at least “one step away” from the facts. There are personal reasons, because CIOs, and people in general, are heads of their own “sphere”; they define themselves as “enablers” for business processes, whereas CISOs and DPOs are often seen as necessary but as slowing things down. Lastly, there is often a lack of comprehensible tools for these roles. So they work with second-hand information and depend on the good will of IT.

As transparency is one of our core values, we find that CISOs and data protection officers have to be strengthened and equipped with better tools and data. Automation is key. CISOs often work with an ISMS tool to control the ISO 27001/GDPR requirements, policies and procedures and the mitigation of risks. This is rather a documentation of a certain point in time, hopefully not very long ago. It is the outcome of an ISMS interview between the CISO and the system architects, together with a system engineer. Therefore we extended the ISMS tool by querying the MS Graph API. We could have queried the AWS Security Hub or any other cloud platform; the principle was what mattered.

That way the CISO has the current recommendations to improve security within his responsibility and kind of a “security fitness score” which engineers find usually in M365 compliance manager.
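To make the “security fitness score” concrete, here is an added example (not code from the verinice add-on or from SerNet) that turns a Microsoft Graph `secureScore` response into the kind of summary a CISO would read: the score as a percentage, points per control category, and the recommendations that currently earn zero points. The payload is constructed for this example; the field names (`currentScore`, `maxScore`, `controlScores` with `controlCategory`, `controlName`, `score`) follow the Graph `secureScore` resource returned by `GET /security/secureScores`. The HTTP call and token acquisition are left out so the example runs offline.

```python
"""Summarise a Microsoft Graph secureScore payload for a CISO dashboard.

Live data would come from
  GET https://graph.microsoft.com/v1.0/security/secureScores?$top=1
with an application token carrying the SecurityEvents.Read.All permission.
Here the response envelope is embedded as a constructed sample so the
functions can be exercised without a tenant.
"""
import json
from collections import defaultdict

# Constructed sample response: one secureScore record in the Graph envelope.
# Control names and point values are illustrative, not taken from any tenant.
SAMPLE_SECURE_SCORE = json.dumps({
    "value": [
        {
            "id": "example-tenant_2024-01-15",
            "createdDateTime": "2024-01-15T00:00:00Z",
            "currentScore": 312.5,
            "maxScore": 625.0,
            "controlScores": [
                {"controlCategory": "Identity", "controlName": "AdminMFAV2",
                 "score": 10.0, "description": "Require MFA for admin roles"},
                {"controlCategory": "Identity", "controlName": "MFARegistrationV2",
                 "score": 0.0, "description": "Ensure all users can complete MFA"},
                {"controlCategory": "Data", "controlName": "DLPEnabled",
                 "score": 0.0, "description": "Enable DLP policies"},
                {"controlCategory": "Apps", "controlName": "SharingPolicy",
                 "score": 5.0, "description": "Restrict external sharing"},
                {"controlCategory": "Device", "controlName": "IntuneCompliance",
                 "score": 2.5, "description": "Require compliant devices"},
            ],
        }
    ]
})


def load_secure_score(raw_json: str) -> dict:
    """Return the first (most recent) secureScore record from a Graph envelope."""
    envelope = json.loads(raw_json)
    records = envelope.get("value", [])
    if not records:
        raise ValueError("secureScores response contains no records")
    return records[0]


def fitness_percent(score: dict) -> float:
    """Current score as a percentage of the tenant's maximum, one decimal."""
    max_score = score["maxScore"]
    if max_score <= 0:
        raise ValueError("maxScore must be positive")
    return round(100.0 * score["currentScore"] / max_score, 1)


def score_by_category(score: dict) -> dict:
    """Sum achieved points per control category (Identity, Data, Apps, ...)."""
    totals = defaultdict(float)
    for control in score.get("controlScores", []):
        totals[control["controlCategory"]] += float(control["score"])
    return dict(totals)


def open_recommendations(score: dict) -> list:
    """Controls that currently earn no points, i.e. unimplemented recommendations."""
    names = [c["controlName"] for c in score.get("controlScores", [])
             if float(c["score"]) == 0.0]
    return sorted(names)


def summarise(raw_json: str) -> dict:
    """Build the CISO-facing summary from a raw Graph response body."""
    score = load_secure_score(raw_json)
    return {
        "as_of": score["createdDateTime"],
        "fitness_percent": fitness_percent(score),
        "by_category": score_by_category(score),
        "open_recommendations": open_recommendations(score),
    }


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_SECURE_SCORE), indent=2))
```

The `createdDateTime` field matters for the ISMS use case described above: it tells the CISO how fresh the evidence is, in contrast to interview notes from an unknown point in time.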

SerNet and their product verinice are an encouraging open source story. It stands “on the shoulders of giants”, so a lot of mature functionality is already available and the software can be further adapted to one’s own needs.

We at UNeedSecurity support customers who enhance their security automation on their own. In our opinion this is the recommended way. But if no in-house specialists are available, we do it for you as part of your threat management contract, based on our daily rates.