I’ve written about the topic of infosec dashboards before: one of the emerging challenges in information security is how to effectively connect what we do every day to why it matters to the business and non-technical executives. As more and more IT Security organizations report into non-technical executives and functions (CFOs, COOs, Legal, Compliance), this challenge will become more common.
Our failure to communicate well to non-technical stakeholders can have grave consequences. Consider this excerpt from the 2011 Verizon Data Breach Investigations Report:
“For example, one breach victim had recently purchased a SIEM system, but then let the admin go to save cost. We showed up to find it brimming over with alerts pointing to the breach, which was of great use to us, but not so much for them.”
I don’t know the details, but I can only guess this was a “business” decision that looked more at OpEx than the impact of cutting that specific OpEx. In other words, this was a cost-based decision, and not an impact-, risk-, or value-based decision. Until we can treat people costs as CapEx, this will probably keep happening.
Earlier today, I teamed up with Lindsey Smith (part of Tripwire’s Product Management team) to conduct a webinar on how to better map security tactics to something relevant to users, management, executives (technical and non-technical), and the business itself. If you want to watch the replay, you can find it by clicking on this sentence.
One of the things I’ve been looking for is people who would like to get involved to help “crack the code” so we can create a set of generalized, best known methods for reporting.
I need your help
For this to work well, I need more people to help provide input, data, report samples, etc. Would you like to get involved? This will be targeted, and the specific information will not be shared with others without your explicit consent. It will influence the aggregate recommendations, of course, but it won’t be recognizable or traceable back to any specific organization.
If you are up for this (I have quite a few collaborators already, but I need more), here’s how:
If you have any good samples you can share (particularly effective ones), I’d love to see them. If you want to email them to me, you can do so at “dmelancon at tripwire.com,” and if you want to encrypt the message here is a link to my public key. In any case, please include [Dashboard] in the subject line to help me organize them.
If you prefer, you can share your thoughts on this topic using the Comments function below, or you can add to the discussion about dashboards on Quora (you’ll need to create a free account to add any comments).