CSO Analyst Reports
By Khalid Kark with Laurie M. Orlov and Samuel Bright

The two most common complaints that security managers relate are: 1) They don’t have senior management support, and 2) it’s tough to quantify the costs and benefits of security. Security managers lack senior management support because they are not able to quantify their program’s benefits in a language that management understands. The result? A disconnect between the security managers and senior executives within the organization. Security managers today must not only manage and measure the information security program, but they must also translate those measurements into meaningful reports for senior executives. The number of spam messages stopped at the email gateway means nothing unless that metric can relay the resulting increase in the amount of productive hours for employees.

1. Myth No. 1: Executives only care about their own firm’s security.
   
2. Myth No. 2: Stories and anecdotes waste executives’ time.
   
3. Myth No. 3: Executives always want to see numeric evidence.
   
4. Myth No. 4: Executives hate auditors.
   
5. Myth No. 5: Executives always want ROI.

KEY CONSIDERATIONS FOR REPORTING TO MANAGEMENT

To provide meaningful reports that top executives can understand and use, successful information security managers underscored that it is critical to:

Align with corporate goals. Security managers must be able to map their reporting to corporate goals and objectives, making it easy for the executives to grasp the context of the reports and see their value. For example, if the corporate goal is to increase profitability, then linking the increase in system availability to the need for better protection against denial of service will make sense to top executives.

Communicate in their language. Senior executives do not care about the number of vulnerabilities you have patched or the amount of spam you have blocked. They want to know how these actions affect their organizations or business. So instead of reporting status, report on the business impact of these measures, and instead of providing operational metrics, give business-centric metrics.

Report residual risk. Information security is primarily a business problem, not a technology one. When an organization goes through an assessment and identifies risks, management has the choice of mitigating, transferring, or accepting the risks. It is then the responsibility of the security management to ensure that top execs are periodically made aware of the residual risks — i.e., those that have not been completely mitigated and those that have been accepted as tolerable.

Highlight significant trends and events. Management reporting must also include significant events and trends in the information security industry to help senior leaders make strategic security decisions. For example, management must be made aware of the proliferation of mobile devices in the enterprise and the risks that they pose. Any significant events, such as the security breaches in your industry, may also be helpful in crystallizing the security risks for management. The trends and news don’t always have to be negative: A new technology, product, or service that may have significant impact on the security industry may also be of interest.

Read the complete article: CSO Analyst Reports