Thursday, September 16, 2021

Information Security - management reporting

As with any department within a sizeable organisation you need to produce reporting to communicate information to the board and senior management. You need to be structured and intentional with the reporting you produce to ensure it is delivering the right outcomes for your department as well as the wider organisation.

Reporting is an important tool that is required in enabling the delivery of a successful Information Security programme. This article provides some guidance on how you can be more successful in the delivery of your own reporting.

Purpose of reporting

Management reports provide a means of communicating information upwards. When producing these reports make sure you are clear about the objectives you are working towards to achieve your goals and are tailoring to the needs of your audience.

Focus on risk / reward and the outcomes for your organisation. This helps aid the understanding of the intended audience and will prompt / enable decision making to stimulate action where it is required. Your audience are the decision makers in the organisation and can positively or negatively influence in the delivery of your programme.

Structure your report

The following sections detail the content that you should consider including within your reporting.

Executive summary

Executives / senior management will receive a multitude of reports / communications. They are typically time short and want to know quickly if there is anything they need to be concerned with. Make sure your summary highlights any increasing risk exposures especially where they require decision making / action from the reader. Be aware that this may be the only portion of your report that they read.

Overview of security controls

The Information Security team are delegated the responsibility for operating security controls to enable the management of business risk. Whilst the team operate the controls the accountability for the risk is with the risk owner who delegates out the operation of those controls.

In larger organisations security controls are likely operated on behalf of many risk owners who are accountable for their department or entity. From a regulators perspective the regulated entity is accountable for their risk even if they have outsourced controls to their parent organisation.

Risk ownership will be with the board or senior management who have sufficient influence in the organisation to be able to manage that risk effectively. This report provides you with an opportunity to inform the risk owners how their controls are performing (through measurement / trending) and provide them with sufficient information to take decisions and drive action where it is required.

What to include Why should it be included? Example/s
Control Scope (KCI) Be clear about what is / isn’t included in the scope of your security controls. If the reader isn’t comfortable that the scope is sufficient this will help to justify increased investment.

It doesn’t matter how effective your security controls are if they only cover 5% of the overall scope!
We provide annual security assurance for 30% of our high security suppliers / vendors.
Control Effectiveness (KCI) New threats emerge and existing ones evolve. This changing threat landscape will require you to adapt or replace your controls to meet with the latest threats faced by your organisation.

The quality of your existing controls may reduce over time. Failure to adequately resource them or invest in their development may lead to them not being fit for purpose.

Call out where controls are no longer adequate for effective management of risk. The controls themselves may still be effective to address the original threat but less effective against new or changed threats.
Our email security tools block 70% of malicious traffic. This has reduced from 90% in the previous quarter.

We are seeing a growing threat in malicious applications targeted at our organisation. There have been 5 instances in the last 3 months. We lack an effective control to mitigate this growing threat.
Control Performance (KPI) Make sure you include details relating to where your KPIs are failing to meet the agreed minimum-security requirements.

You will need to correlate changes in your KPIs with the actual risk to the business.
10% of critical vulnerabilities are not addressed within the standard defined timeline.

15% of staff click on phishing emails.

5% of staff fail to complete their security training.
Security Risk (KRI) Security controls exist to enable organisations to manage business risk within a set risk appetite or at least within a defined risk tolerance.

Failing to manage risk within the overall risk capacity has the potential to threaten the viability of the organisation.

Your objective is to identify increasing risk exposures to enable effective management of the risk.
We have experienced a 10% increase in security incidents.

There has been a 10% increase in data breaches.

We have experienced a 15% increase in spear phishing attacks leading to a 5% increase in malware incidents.

Important to note

An effective control is one that enables management of risk within risk appetite or risk tolerance. This means a partially effective control can be seen as adequate where it is enabling the effective management of the risk even if this isn’t ideal from the perspective of the control operator.

Security events / incidents

Provide an explanation of significant security events and incidents. Incidents represent realised risks and can be a good indicator of new threats and risk trends. These can be internal or external to the organisation such as:

  • Compromise of a supplier network
  • Incident experienced at another organisation
  • Vulnerabilities receiving significant media attention

Where its internal make sure to detail what happened and what has / is being done to manage the incident. Where its external detail the mitigations that exist within the organisation or highlight the need for control improvements to address this new threat.

An incident, even one experienced by a third party can be an opportune time to get the buy in you need to deliver your initiatives!

Security programme / initiatives

Provide an overview of progress towards your objectives or highlight where the team are supporting in the delivery of wider business objectives. This is an opportunity to offer assurance that the Information Security department is adding value and meeting the needs of the organisation.

Where you are experiencing challenges / problems call these out and highlight the actions you are taking as well as detailing the actions required by the reader.

Your programme needs to be forward looking (working towards a desired state) and not just focussed on fighting fires.

Recommended actions

This is an opportunity to detail the actions that are required to deal with incidents, respond to emerging threats, correct any decline in control effectiveness / performance and respond to increasing risk exposure.

The information you provide needs to aid the understanding of the intended audience. This needs to prompt / enable decision making to stimulate action where it is required.

Important factors to consider

These are some key factors that you need to consider when producing your reports:

  • Understand your audience – whilst this may be targeted at the board consider which other stakeholders (such as your regulators) may have visibility of them
  • Make sure you communicate to the right stakeholders
  • Provide clear and concise content that is easy for the intended audience to understand
  • Produce reporting at consistent / set intervals – this is typically produced monthly or quarterly
  • Avoid noise / padding as this just detracts from what is important
  • Report on information that is important to achieving your objectives / goals
  • Supply the right information to enable required decision making
  • Make sure to highlight and recommend required actions that will lead to the required outcomes

Internal benchmarking

Whilst is can be difficult to benchmark against external companies it is possible to do a direct comparison of security indicators across your internal departments or entities. Consider use of gamification within your reporting through the introduction of game elements such as use of points and leader boards / tables.

Gamifying the reporting makes it easy to do internal direct comparisons and provides a level of competition that can help to drive improvements to your overall security posture. Make sure the metrics / indicators you include support in the delivery of your objectives. Avoid focussing resourcing in the wrong areas.

Looking beyond your organisation

Where the information is available consider benchmarking against other companies. This can provide a good measure of the capability / maturity of the organisation’s security programme. Benchmarks can be sourced from:

  • Security rating platforms
  • Security health check assessments
  • Security metrics sourced from your controls

I hope this article proves helpful in making your reporting more effective!

1 comment: