The right amount of scary
By Tim McCreight
If you’re a security manager, you’ve probably been asked at some point in your career to report on whether your organization is safe.
You’ve probably been frustrated with what to include in such a report. What do they want to know and what do they mean by “safe?”
Security metrics and executive reporting are the elusive Holy Grail of security management. We treat the reporting process as a quest for measurements that will hopefully resonate with our senior business leaders. We report on the number of laptops stolen in our environment, or the number of security incidents we’re aware of. Sometimes we have a dollar value attached to a loss event, and we dutifully report these statistics, trying to avert the next disaster.
Unfortunately, more often than not, we miss the mark when it comes to reporting our value to an organization. I’ve been guilty of this in past lives — providing what I thought were compelling reasons why we’re not safe and how, with just a little more help, we could be more secure. We have all seen those frighteningly large statistics presented in boardroom settings only to witness the opposite reaction to the one we planned. Upon leaving the meeting, we scramble to collect more information and more statistics because now we have folks more interested in numbers than in the overall merit of our security program.
When we’re given the opportunity to report on the progress of the security program, we should consider some important points before we start downloading firewall logs, or collecting detailed incident reports. One hard lesson I’ve learned is to know to whom you’re going to present, what they’re concerned about, and the business context of the meeting. These three questions should really frame the type of information reported to senior executives and direct your data collection to address these concerns.
Let’s say you’ve been asked to report to senior management on the latest phishing scam and how vulnerable your organization is to that type of threat. I’d start by looking at your current controls: anti-spam filtering, intrusion prevention systems and the types of firewalls you have in place. I’d also review any existing security training or awareness program and see whether it focuses on how phishing scams work and how to identify and avoid a phishing email. I’d check to see if your organization runs anti-phishing exercises, or if the education sessions merely talk about phishing in general. I’d review any previous history of successful phishing incidents by calling the help desk or desktop support teams. I’d do some research about my industry to see if other companies in our industry segment have been targeted by phishing scams. Finally, I’d look at how well my organization protects personal and corporate data.
Weaving this disparate information into a business report is the real art. It’s tricky. You want to provide information that will motivate and educate the listener, but not scare them. Linking phishing attacks to business goals is tough, but what if you linked the impact a phishing attack may have on your R&D team if they released company secrets? Would it damage your organization’s reputation if a list of company email addresses and passwords appeared on the web? Would customers think twice about entrusting their data to your care?
The right tone, context and approach are key to achieving the dual goal of presenting risk information and moving your security program forward. Let’s see where we go with this!
Tim McCreight is a managing consultant at Seccuris (www.seccuris.com).