The interests of each stakeholder will be different, depending on their role in the organization. The ultimate consumer of your security reporting information and first level of reporting should be the Board of Directors, who want to know that security dollars are being spent wisely, and that security systems are keeping the company in compliance with applicable laws.
The business, IT and operational management group will want to see information on the state of security as it relates to the corporate area for which they are responsible. They will want to know if the organization is preventing incidents and resolving vulnerabilities, and what incidents occurred in the last reporting period and how they were resolved. They will also want to know if the process is being modified to ensure an incident will not happen again. If your company does not already have a security best practices model in place, a good way to handle this layer of reporting is to align the information with a commonly accepted best practice.
The focus of the work in the first two areas is mapping the security-related questions to the metrics that support them. The ultimate goal is to be able to drill down, to the appropriate level, into the data supporting the answer to each security question.
The third and most granular area of a security reporting system is the detailed information level. This is where most of the effort is spent, and where the number of viruses, attacks, firewall issues, vulnerabilities, etc. is collected. The main prerequisite is that the data points must be readily obtainable, and the process to which they belong must be measurable. If you must get the data from other departments, establish firm service level agreements for its delivery to make sure the security reports are not delayed.
In the end, if you want to communicate your security message effectively to the corporation and its management, be sure to talk in language they understand. The results will be evident, and support for security initiatives will be easier to obtain, if you have done the proper system design work up front.
30 SECONDS ON...
While a security system provides many security data points, Gene Fredriksen, CSO, Raymond James Financial, says it may not provide the needed "information" on the state of the information security systems in your environment.
Fredriksen advises that enterprises in need of heightened security take the top-down approach — start with the end in mind, and design reporting systems to provide answers to business-focused security questions.
The results gathered from effectively designed information security reporting systems can help enterprises by providing useful information regarding the allocation of information security resources, says Fredriksen.
The information gathered from information security reporting systems, he adds, may also prove to be the foundation for the justification of additional security resources where it makes sense to the business.