The Myths Of Information Security Reporting

Forrester conducted 51 telephone interviews with senior information security managers and information security vendors about information security metrics.

By Khalid Kark with Laurie M. Orlov and Samuel Bright

RECOMMENDATIONS

KEY CONSIDERATIONS FOR REPORTING TO MANAGEMENT

To provide meaningful reports that top executives can understand and use, successful information security managers underscored that it is critical to:

  • Align with corporate goals. Security managers must be able to map their reporting to corporate goals and objectives, making it easy for the executives to grasp the context of the reports and see their value. For example, if the corporate goal is to increase profitability, then linking the increase in system availability to the need for better protection against denial of service will make sense to top executives.
  • Communicate in their language. Senior executives do not care about the number of vulnerabilities you have patched or the amount of spam you have blocked. They want to know how these actions affect their organizations or business. So instead of reporting status, report on the business impact of these measures, and instead of providing operational metrics, give business-centric metrics.
  • Report residual risk. Information security is primarily a business problem, not a technology one. When an organization goes through an assessment and identifies risks, management has the choice of mitigating, transferring, or accepting the risks. It is then the responsibility of security management to ensure that top execs are periodically made aware of the residual risks, i.e., those that have not been completely mitigated and those that have been accepted as tolerable.
  • Highlight significant trends and events. Management reporting must also include significant events and trends in the information security industry to help senior leaders make strategic security decisions. For example, management must be made aware of the proliferation of mobile devices in the enterprise and the risks that they pose. Any significant events, such as security breaches in your industry, may also be helpful in crystallizing the security risks for management. The trends and news don't always have to be negative: a new technology, product, or service that may have a significant impact on the security industry may also be of interest.

Endnotes

1. Most respondents aspired to provide only quantitative metrics or dashboards to their senior executives.

2. Independent audits can also be used by CISOs for one-off projects if a new technology or system is being introduced or if any architectural decisions are being made in the corporate infrastructure.

3. Security managers who still get this question have to educate their senior executives that it is almost impossible to measure the ROI in security, because the return is not always immediate or apparent. Therefore, a risk-management-based approach is the best route.
