I was having a discussion with my wife about one of my “hobbies” of watching How It’s Made, Mythbusters, and similar shows and she asked me why I watched these shows since I’m never going to build any of the things they share on these shows.
For me, it’s easy – besides my natural, genuine curiosity, I am always filing away models, processes, and applications of items to help expand how I think about and solve problems.
It’s true that a lot of what I learn will never be actionable, but I feel like I need to feed my head with that kind of data. The distinction for me is that I consider these shows to be “optional input” and I don’t worry if I don’t see them for weeks at a time.
That got me thinking about some of the reports, metrics, and tracking indicators I see people sharing as part of info sec reporting and metrics:
- Is the data we report on ever being looked at by our audience?
- Is it providing any kind of impetus for action or decisions?
- Is it expanding how people think about the problem space?
Recently, I’ve asked this question about the reporting data in my organization, as well as some of the organizations I’m working with. The most common answers are, “I’m not sure,” and “I hope so.”
When I talk about dropping the data from the regular reporting package, the most common answer is “I don’t want to do that – we might need it later.” Fair enough, but I don’t think that is a good rationale.
Knowing is not the same as sharing
While it’s true that you might need the data, collecting the data is not the same as spending time reporting on it, or forcing other people to view the data every week, month, etc. After all, if you’ve presented your audience with non-actionable data consistently over a long period of time, I bet many of them have already filtered it out in their brains — the human brain is pretty good at ignoring things that don’t represent pain, pleasure, or danger.
Another factor is momentum, or fondness for the status quo. If we’ve “always reported on that data,” then we’re often hesitant to stop reporting on it. The reports get a bit longer periodically, but almost never get shorter. The longer they are, the more our brains will try to filter out non-essential data.
Option 1: How about an experiment?
To move the needle in the other direction, consider an experiment with your reports. Pick one set of data from your reports and simply leave it out of the next report you publish. Wait a month.
If nobody has asked about the missing data (in a meaningful way that would indicate they were using it for real work), don’t publish that data any more (if you really feel paranoid about this, continue to gather the raw data that feeds the indicator – just don’t process it and put it into your report).
Over time you will probably shorten your periodic reports, you might save some time, and you’ll be removing clutter from the lives of others in your organization. You may also discover which data is truly valuable (actionable) to your organization.
Option 2: How about a democracy?
I’ve seen another cool approach used by one of the financial services companies I visited recently: They share their reports via a corporate intranet site, and use an App-store model.
Each report has a “Rating” system of 1 to 5 stars, along with a place for people to provide feedback about what they like and don’t like about the report. I love this approach.
If you try either of these, let me know how it goes. If you have other ways to filter out non-actionable data and reduce report clutter, please share.
Download the IT Security Budget Roundup for CIOs and CISOs
Each year, numerous industry research reports provide budget forecasting on expected spending for worldwide IT. Some add a focus within specific industries as well as technologies, but very few focus strictly on IT security.
Bringing a few of the most notable reports together provides a valuable roundup of information for IT operations, including forecasts of IT security spending.
This may be a time-saver for busy CIOs and CISOs and their teams who are seeking data to compare, support and defend possibly thin IT security budgets, or a needed increase to meet business priorities.
This report is organized to review what the research shows, the business priorities and trends to tap, and strategies for defending your numbers.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has also compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
This publication is designed to assist executives by providing guidance for implementing broad baseline technical controls that are required to ensure a robust network security posture.
The author, a security and compliance architect, examined each of the Controls and has distilled key takeaways and areas of improvement. At the end of each section in the e-book, you’ll find a link to the fully annotated complete text of the Control.
Download your free copy of The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities today.
Definitive Guide to Attack Surface Analytics
Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.
- Show how security activities are enabling the business
- Balance security risk with business needs
- Continuously improve your extended enterprise security posture