Security metrics and dashboards are on my mind at the moment. It’s time to review the effectiveness of my regular reports to the board and work on keeping them effective and, most importantly, relevant.
It’s a mistake to think that once you’ve hit on a decent format you can then sit back and churn out the same report for months and years on end. The reality is that your program has changed, business risks have changed, and your experience has grown. Reports can quickly start to look tired, and their effectiveness diminishes over time.
I’ve been reviewing a number of different resources for some new inspiration. Mike Rothman’s essential guide for anyone in security management, The Pragmatic CSO, has some good guidance on the subject and states that we should be including things that are 1) Important to Senior Management and 2) Important to running your business. I also came across a good white paper written by fellow CW blogger David Lacey entitled Top 10 Tangible Measures for Effective Security Management (download it from here). This paper details ten events, issues and indicators that can be physically and technically measured.
Having a decent set of reportable metrics is essential for measuring success. However, like everything else, report formats are subject to atrophy and need to be refreshed from time to time.