
I’ve written about the topic of infosec dashboards before: one of the emerging challenges in information security is how to communicate what we do every day in terms of why it matters to the business and to non-technical executives.  As more and more IT Security organizations report into non-technical executives and functions (CFOs, COOs, Legal, Compliance), this challenge will only become more common.

Our failure to communicate well to non-technical stakeholders can have grave consequences.  Consider this excerpt from the 2011 Verizon Data Breach Investigations Report:

“For example, one breach victim had recently purchased a SIEM system, but then let the admin go to save cost. We showed up to find it brimming over with alerts pointing to the breach, which was of great use to us, but not so much for them.”

I don’t know the details, but I can only guess this was a “business” decision that looked at the OpEx saved rather than at the impact of cutting that specific OpEx.  In other words, it was a cost-based decision, not an impact-, risk-, or value-based one.  Until we can treat people costs as CapEx, this will probably keep happening.

Earlier today, I teamed up with Lindsey Smith (part of Tripwire’s Product Management team) to conduct a webinar on how to better map security tactics to something relevant to users, management, executives (technical and non-technical), and the business itself.  If you want to watch the replay, you can find it by clicking on this sentence.

One of the things I’ve been looking for is people who would like to get involved and help “crack the code,” so we can create a set of generalized, best-known methods for reporting.

I need your help

For this to work well, I need more people to provide input, data, report samples, etc.  Would you like to get involved?  This will be targeted, and the specific information you share will not be passed on to others without your explicit consent.  It will influence the aggregate recommendations, of course, but it won’t be recognizable or traceable back to any specific organization.

If you are up for this (I have quite a few collaborators already, but I need more), here’s how:

If you have any good samples you can share (particularly effective ones), I’d love to see them.  If you want to email them to me, you can do so at “dmelancon at,” and if you want to encrypt the message here is a link to my public key.  In any case, please include [Dashboard] in the subject line to help me organize them.

If you prefer, you can share your thoughts on this topic using the Comments function below, or you can add to the discussion about dashboards on Quora (you’ll need to create a free account to add any comments).

— @thatdwayne

  • You make some great points, but I think the biggest failure of infosec is in the inability to engage those we're trying to convince. I use the term "engage" specifically because it implies authentic, respectful, connection on an emotional level. As IT professionals, we focus most of our energy trying to convince people of intellectual benefits, forgetting that we're dealing with emotional beings often motivated by perceived punishments and rewards. By cultivating some of the core competencies of Emotional Intelligence and treating all members of the business as equal stakeholders in the process, we can create a more collaborative environment, which will help us achieve our goals of protecting and serving the enterprise.

  • @twitter-369107103:disqus That is a great observation.  One of the dynamics I'm seeing is that we need to find ways to create a persistent dialog between IT and other parts of the business.  I think some of the things happening in the world today are beginning to help – for example, when a CFO or a Sales manager sees a news item in the Wall Street Journal, USA Today, or the nightly news, it becomes a "teachable moment."

    If we can find ways to use visible events as a way to have a discussion about, "Let's talk about how we could be impacted by an event like that, and some steps we can take to reduce our risk," things begin to move toward the emotional connection you describe.  I find that people want to do what's best in most cases, but they may not have the perspective, context, experience, expertise, etc. to recognize what needs to be done.

    Thanks for making that point!