The Myths of Information Security Reporting
- 08 September, 2006 14:47
The two most common complaints that security managers relate are: (1) they don't have senior management support, and (2) it's tough to quantify the costs and benefits of security. Security managers lack senior management support because they are not able to quantify their program's benefits in a language that management understands. The result? A disconnect between the security managers and senior executives within the organization. Security managers today must not only manage and measure the information security program, but they must also translate those measurements into meaningful reports for senior executives. The number of spam messages stopped at the e-mail gateway means nothing unless that metric can relay the resulting increase in the amount of productive hours for employees.
Information security managers often convince themselves that they can't do any better than they are already doing to gain senior management support and thus obtain the funding they need. But their thinking is clouded by five key myths:
Myth No. 1: Executives only care about their own firm's security. Security managers who have been successful in getting buy-in and support from senior management emphasize the importance of benchmarking the organization against others in the same industry or of similar size. The benchmarks don't have to be 100 percent quantitative. In fact, most managers like to see the quantitative benchmarks augmented by analysis from security experts. These measurements provide good directional information on industry trends and a good idea of where the company stands in the industry.
Myth No. 2: Stories and anecdotes waste executives' time. This myth could not be further from the truth. Most security managers report that their executives are very responsive to war stories and anecdotes about other companies. Security managers can use them to emphasize a concern or communicate a key risk. Instead of explaining the benefits of encryption, it is much more powerful to refer to a story of a company (preferably from the same industry) that did not have encryption. Examples might include a corporate device that was sold on eBay with all of the confidential information still on it, or a newspaper that missed a publication because its main news server had a virus - the objective being to emphasize a point about spending the resources on antivirus solutions.
Myth No. 3: Executives always want to see numeric evidence. Some security managers only want to give numeric evidence to top executives, but they should not be afraid of also providing qualitative metrics and assessments. Most senior executives rely on their security staff's expertise to protect the corporate assets and therefore trust their judgment. As long as there is some justification for their qualitative assessments - an opinion, for example, on the degree of risk a firm faces - senior management will not object to receiving them. In fact, it may be a good idea to have an executive summary in all reports to senior management with the opinion of the security manager on the status of the firm's security.
Myth No. 4: Executives hate auditors. Auditors generally mean additional work for the organization and endless hours of detailed review documentation. But security auditors are different. Not only do they review the organization's security controls with a fine-tooth comb, which is desirable in this case, but they also provide an independent assessment of the security posture. They can be a great source of information for executives to do informal benchmarking. As one interviewee noted: "Independent assessments are important, not only for security managers to prove their credibility, but also for senior executives to verify that the organization is on the right track and that management has not overlooked any major risks".
Myth No. 5: Executives always want ROI. In reality, very few senior executives actually ask for the return on investment on security spending. It is incumbent upon security managers to educate their management and help them understand that security investments don't always have a return on investment. It is more important to executives to track and report the impact of security products and services on day-to-day business. As a security executive in a government agency observed: "In cyber security, regardless of the return on investment, for certain things, the cost of failure is so high that you have to do them. Therefore, I do risk-benefit-cost analysis, not ROI".
Reporting to Management
To provide meaningful reports that top executives can understand and use, successful information security managers underscored that it is critical to:
* Align with corporate goals. Security managers must be able to map their reporting to corporate goals and objectives, making it easy for the executives to grasp the context of the reports and see their value. For example, if the corporate goal is to increase profitability, then linking the increase in system availability to the need for better protection against denial of service will make sense to top executives.
* Communicate in their language. Senior executives do not care about the number of vulnerabilities you have patched or the amount of spam you have blocked. They want to know how these actions affect their organizations or business. So instead of reporting status, report on the business impact of these measures, and instead of providing operational metrics, give business-centric metrics.
* Report residual risk. Information security is primarily a business problem, not a technology one. When an organization goes through an assessment and identifies risks, management has the choice of mitigating, transferring, or accepting the risks. It is then the responsibility of security management to ensure that top execs are periodically made aware of the residual risks - that is, those that have not been completely mitigated and those that have been accepted as tolerable.
* Highlight significant trends and events. Management reporting must also include significant events and trends in the information security industry to help senior leaders make strategic security decisions. For example, management must be made aware of the proliferation of mobile devices in the enterprise and the risks that they pose. Any significant events, such as security breaches in your industry, may also be helpful in crystallizing the security risks for management. The trends and news don't always have to be negative: a new technology, product, or service that may have a significant impact on the security industry may also be of interest.