One of the key challenges in the everyday world of a CSO is reporting. How, and especially what, do we report to the board, and how do we make it relevant to the people there? We all know that finance has a fairly clear and standardized reporting scheme, because the discipline has matured over time (and is probably easier to measure). When it comes to security, we typically struggle, and the struggle is less about how to report than about what to report. In the business world, metrics are relevant; metrics are everything. But in the security world we struggle to measure the effectiveness of our security and of our security programs.
If you look at the metrics which are reported, ask yourself for each one: which decision could you not take if that metric were not available? Keep only the metrics that pass this test and remove all the others. What remains is typically a very short list. Information like the number of spam mails blocked or the number of incidents is really irrelevant to running a security program.
I would love to be able to present a silver bullet here; I do not have one. But there is an initiative which might be interesting to keep an eye on.
- CISOs are ‘ignoring the writing on the wall,’ says analyst (itworldcanada.com)
- Why a CISO’s job has never been more public or chaotic (zdnet.com)
- How CISOs can communicate risk to businesses (pcadvisor.co.uk)