


by Khalid Kark with Laurie M. Orlov and Samuel Bright

The Myths Of Information Security Reporting

Apr 10, 2006 (6 min read)
Topics: Compliance, CSO and CISO, Government

Forrester conducted 51 telephone interviews with senior information security managers and information security vendors about information security metrics.


Information security managers often convince themselves that they can't do any better than they are already doing to gain senior management support and thus obtain the funding they need. But their thinking is clouded by five key myths:

  • Myth No. 1: Executives only care about their own firm's security. Security managers who have been successful in getting buy-in and support from senior management emphasize the importance of benchmarking the organization against others in the same industry or of similar size. The benchmarks don't have to be 100% quantitative. In fact, most managers like to see the quantitative benchmarks augmented by analysis from security experts. These measurements provide good directional information on industry trends and a good idea of where the company stands in the industry.
  • Myth No. 2: Stories and anecdotes waste executives' time. This myth could not be farther from the truth. Most security managers report that their executives are very responsive to war stories and anecdotes about other companies. Security managers can use them to emphasize a concern or communicate a key risk. Instead of explaining the benefits of encryption, it is much more powerful to refer to a story of a company (preferably from the same industry) that did not have encryption. Examples might include a corporate device that was sold on eBay with all of its confidential information still on it, or a newspaper that missed a publication because its main news server had a virus, the objective being to emphasize a point about spending the resources on antivirus solutions.
  • Myth No. 3: Executives always want to see numeric evidence. Some security managers only want to give numeric evidence to top executives, but they should not be afraid of also providing qualitative metrics and assessments.[1] Most senior executives rely on their security staff's expertise to protect the corporate assets and therefore trust their judgment. As long as there is some justification for their qualitative assessments (an opinion, for example, on the degree of risk a firm faces), senior management will not object to receiving them. In fact, it may be a good idea to have an executive summary in all reports to senior management with the opinion of the security manager on the status of the firm's security.
  • Myth No. 4: Executives hate auditors. Auditors generally mean additional work for the organization and endless hours of detailed review documentation. But security auditors are different. Not only do they review the organization's security controls with a fine-tooth comb, which is desirable in this case, but they also provide an independent assessment of the security posture.[2] They can be a great source of information for executives to do informal benchmarking. As one interviewee noted, "Independent assessments are important, not only for security managers to prove their credibility, but also for senior executives to verify that the organization is on the right track and that management has not overlooked any major risks."
  • Myth No. 5: Executives always want ROI. In reality, very few senior executives actually ask for the return on investment on security spending. It is incumbent upon security managers to educate their management and help them understand that security investments don't always have a return on investment.[3] It is more important to executives to track and report the impact of security products and services on day-to-day business. As a security executive in a government agency observed: "In cyber security, regardless of the return on investment, for certain things, the cost of failure is so high that you have to do them. Therefore, I do risk-benefit-cost analysis, not ROI."



To provide meaningful reports that top executives can understand and use, successful information security managers underscored that it is critical to:

  • Align with corporate goals. Security managers must be able to map their reporting to corporate goals and objectives, making it easy for the executives to grasp the context of the reports and see their value. For example, if the corporate goal is to increase profitability, then linking an increase in system availability to the need for better protection against denial of service will make sense to top executives.
  • Communicate in their language. Senior executives do not care about the number of vulnerabilities you have patched or the amount of spam you have blocked. They want to know how these actions affect their organizations or business. So instead of reporting status, report on the business impact of these measures, and instead of providing operational metrics, give business-centric metrics.
  • Report residual risk. Information security is primarily a business problem, not a technology one. When an organization goes through an assessment and identifies risks, management has the choice of mitigating, transferring, or accepting the risks. It is then the responsibility of security management to ensure that top execs are periodically made aware of the residual risks, i.e., those that have not been completely mitigated and those that have been accepted as tolerable.
  • Highlight significant trends and events. Management reporting must also include significant events and trends in the information security industry to help senior leaders make strategic security decisions. For example, management must be made aware of the proliferation of mobile devices in the enterprise and the risks that they pose. Any significant events, such as security breaches in your industry, may also be helpful in crystallizing the security risks for management. The trends and news don't always have to be negative: a new technology, product, or service that may have a significant impact on the security industry may also be of interest.


1. Most respondents aspired to provide only quantitative metrics or dashboards to their senior executives.

2. Independent audits can also be used by CISOs for one-off projects if a new technology or system is being introduced or if any architectural decisions are being made in the corporate infrastructure.

3. Security managers who still get this question have to educate their senior executives that it is almost impossible to measure the ROI in security, because the return is not always immediate or apparent. Therefore, a risk-management-based approach is the best route.