
Keeping the reports effective

KingS

Security metrics and dashboards are on my mind at the moment. It's time to review the effectiveness of my regular reports to the board and work on keeping them effective and, most importantly, relevant.

It's a mistake to think that once you've hit on a decent format you can then sit back and churn out the same report for months and years on end. The reality is that your program has changed, business risks have changed, and your experience has grown. Reports can quickly start to look tired, and their effectiveness diminishes over time.

I've been reviewing a number of different resources for some new inspiration. Mike Rothman's essential guide for anyone in security management, The Pragmatic CSO, has some good guidance on the subject and states that we should be including things that are 1) Important to Senior Management and 2) Important to running your business. I also came across a good white paper written by fellow CW blogger David Lacey entitled Top 10 Tangible Measures for Effective Security Management. This paper details ten events, issues and indicators that can be physically and technically measured.

Having a decent set of reportable metrics is essential for measuring success. However, like everything else, report formats are subject to atrophy and need to be refreshed from time to time.


Comments (1)

Stef Treloar:

I agree that relevant and efficient reporting is important, however we must be wary not to overreport... which can easily happen. This can have a counter effect, and takes security staff from "on the job" tasks, which are equally important.

Sometimes, time can easily be eaten up in an attempt to create the utopian report, which of course never exists.

I think vendors have now realised this fact, and there has been a huge improvement in the quality of automated dashboard software being released. If used wisely, this could free up valuable time the poor security engineer would usually use, manually creating one.


About

This page contains a single entry from the blog posted on August 13, 2008 9:00 PM.
