$BlogRSDUrl$>
linking INTEGRITYIntegrity - use of values or principles to guide action in the situation at hand.Below are links and discussion related to the values of freedom, hope, trust, privacy, responsibility, safety, and well-being, within business and government situations arising in the areas of security, privacy, technology, corporate governance, sustainability, and CSR. The Myths Of Information Security Reporting, 7.6.06
CSO Analyst Reports
By Khalid Kark with Laurie M. Orlov and Samuel Bright The two most common complaints that security managers relate are: 1) They don’t have senior management support, and 2) it’s tough to quantify the costs and benefits of security. Security managers lack senior management support because they are not able to quantify their program’s benefits in a language that management understands. The result? A disconnect between the security managers and senior executives within the organization. Security managers today must not only manage and measure the information security program, but they must also translate those measurements into meaningful reports for senior executives. The number of spam messages stopped at the email gateway means nothing unless that metric can relay the resulting increase in the amount of productive hours for employees.
KEY CONSIDERATIONS FOR REPORTING TO MANAGEMENT To provide meaningful reports that top executives can understand and use, successful information security managers underscored that it is critical to: Align with corporate goals. Security managers must be able to map their reporting to corporate goals and objectives, making it easy for the executives to grasp the context of the reports and see their value. For example, if the corporate goal is to increase profitability, then linking the increase in system availability to the need for better protection against denial of service will make sense to top executives. Communicate in their language. Senior executives do not care about the number of vulnerabilities you have patched or the amount of spam you have blocked. They want to know how these actions affect their organizations or business. So instead of reporting status, report on the business impact of these measures, and instead of providing operational metrics, give business-centric metrics. Report residual risk. Information security is primarily a business problem, not a technology one. When an organization goes through an assessment and identifies risks, management has the choice of mitigating, transferring, or accepting the risks. It is then the responsibility of the security management to ensure that top execs are periodically made aware of the residual risks — i.e., those that have not been completely mitigated and those that have been accepted as tolerable. Highlight significant trends and events. Management reporting must also include significant events and trends in the information security industry to help senior leaders make strategic security decisions. For example, management must be made aware of the proliferation of mobile devices in the enterprise and the risks that they pose. Any significant events, such as the security breaches in your industry, may also be helpful in crystallizing the security risks for management. The trends and news don’t always have to be negative: A new technology, product, or service that may have significant impact on the security industry may also be of interest. Read the complete article: CSO Analyst Reports
CommentsPost a Comment
Archives07.03 08.03 09.03 10.03 11.03 12.03 01.04 02.04 03.04 04.04 05.04 06.04 07.04 08.04 09.04 10.04 11.04 12.04 01.05 02.05 03.05 04.05 05.05 06.05 07.05 08.05 09.05 10.05 11.05 12.05 01.06 02.06 03.06 04.06 05.06 06.06 08.06 09.06 10.06 11.06 01.07 02.07 03.07 04.07 07.07 08.07 09.07 10.07 05.08 06.08 |