I'd like to get your thoughts on what types of metrics or other information organizations are gathering on the cybersecurity health of their networks and systems. There are probably hundreds if not thousands of these metrics, but what I'm particularly interested in is finding out which are the most critical and which ones are briefed to the senior leadership of your organization, including the Board of Directors.
Some basics would be Patch Status, Inventory controls, phishing/ransom/etc attacks, audit results, audit remediation.
I'm very interested in hearing from folks on this.
Rizwan Ali, CISSP
Tough question. The lazy sounding answer is "it depends", but there are a few factors to consider that don't necessarily have the same priority between organizations. Your mileage may vary.
The audience: IT often views metrics as a report card on their performance (might or might not be true), Finance wants to hear about the value they're getting back on your expenditures, the Board wants to know their reputations aren't at risk, the audit committee wants to know you're aware of your issues and are working to address them, etc. While senior leadership in IT will certainly (or at least better) be able to understand technical details, other audiences will not. Common guidance for those presenting to the Board usually sounds like, "Use bright colors and basic shapes."
Corporate tone / culture: Are they looking for good news, bad news, or a realistic reporting of your current state? Public speaking 101, "Know your audience."
Your standing in the organization: Are you viewed as an alarmist, a pragmatist, someone with "all sizzle and no steak", etc.? Your reputation going in has a big impact on what things will look like when you walk out.
The reason you're presenting in the first place: Is this an update you provide at regular intervals or is it event-driven (an incident at your place or perhaps something pressing in the media that got people nervous)?
Why you're really there: Demonstrating command and control over your space and letting them know you understand you're there to support, protect, and further enable the business. If you market yourself solely as an IT or InfoSec pro, don't be surprised when you're not invited to the "Big Meetings that Matter".
Content to consider:
Start off with some recent "in the news" items and, if true, why they didn't impact your org (e.g. "WannaCry"). If your threat intel, vulnerability management, and incident response programs kept your company out of the news, they should know why.
You want to spend a few minutes on your recent accomplishments and why they matter. Maybe you just rolled out 2FA and require it for all remote and wireless connections. Explain the benefits and use recent examples of the impact suffered by other companies who didn't do this.
Similarly, explain the work you're currently driving and the expected benefits. What problems are you trying to fix? What risks are you managing?
Next, move on to the plans you're developing and explain where you need their support.
Nuts & Bolts (data): What you have available to present and what your audience will care about is something you'll have to figure out on your own, but here are a few things you might consider. Remember, you could be asked to come back next quarter, so consider how you'll present your progress over time:
Summary: Every place is different, but regardless of my audience, I always shoot to address the same key points:
Hope this helps. I just signed on to this "community" for the first time today and am not yet familiar with what posts & responses typically look like. Good luck!
Thanks, this is helpful. I did some research on this recently and came across several briefings that recommend using The Center for Internet Security's CIS Security Metrics document. They lay out 20 metrics which they recommend could be used as a starting point. The document was last updated in Nov 2010, but much of the info in there is probably still applicable.
I don't know if there might be a more current version.
In case others are interested, here are some links to some information I found insightful. Unfortunately a lot of the stuff is based off the same CIS Security Metrics.
What is really missing from a lot of these documents is what stuff gets briefed to senior leadership (and boards) and how the material is visually presented.
Rizwan Ali, CISSP
When putting together reporting metrics it is important to know your target audience, their interests and motivations. For senior stakeholders, it is pointless feeding them technical metrics or process failure metrics; they will just ask "so what?"
Therefore try to capture the essence of your message: what are you trying to tell them? Can you give them this information without technical jargon?
Consider reporting on key risk indicators which are mapped to business objectives and their impact. It does, however, take time, continuous engagement and several iterations to get it right.