It is very important to define the right information security metrics for an organization, both to assess its security posture and to communicate that posture efficiently to Board-level executives. There is growing interest from the Board and the CEO in understanding the information security posture of the company. Many of the CISOs I know have been asked by the Board or the CEO to present. I also notice a huge disconnect between what security professionals think the Board wants and the reality. From my experience as a security professional as well as a Board member (I need to manage my investors), I am attempting to structure that experience here.
Management generally uses a competitive matrix in business planning exercises. Giving them a clear picture of how your security compares with that of your peers speaks the language the Board/CEO is most comfortable with.
Letting management know which critical risks could directly impact the business is extremely important, not just for them but also for you. A word of caution: this should not be a long list of technical details, but a high-level view of only those things that are business critical.
Please do not deluge the CEO/Board with every incident you have detected. This may make an impression the first time, but in the long run what matters is the number of incidents that had to be reported to a regulatory agency or the media. This number should ideally be zero.
How much did the business lose due to security incidents? Was there any downtime? These are the business metrics that the Board/CEO really cares about.
If compliance is critical for your business, then it is important to report its status. Are there any critical risks or exposures due to non-compliance? If so, to what extent?
It is important to give a high-level picture of the money you spent, what you delivered, how much more money you need, and why. Keep it simple and in non-technical language.
There may be some key security initiatives that you want management to know about. Do not list all the projects you are running, only the biggest and most important ones that the business cares about. Report their status: are you on time and on budget? Are there any key risks?