The Myths Of Information Security Reporting

Forrester conducted 51 telephone interviews with senior information security managers and information security vendors about information security metrics.

By Khalid Kark with Laurie M. Orlov and Samuel Bright

April 10, 2006 | CSO Research Catalyst

TO SUCCEED, INFORMATION SECURITY MANAGERS NEED TO DISPEL MYTHS

Information security managers often convince themselves that they can't do any better than they are already doing to gain senior management support and thus obtain the funding they need. But their thinking is clouded by five key myths:

  • Myth No. 1: Executives only care about their own firm's security. Security managers who have been successful in getting buy-in and support from senior management emphasize the importance of benchmarking the organization against others in the same industry or of similar size. The benchmarks don't have to be 100% quantitative. In fact, most managers like to see the quantitative benchmarks augmented by analysis from security experts. These measurements provide good directional information on industry trends and a good idea of where the company stands in the industry.
  • Myth No. 2: Stories and anecdotes waste executives' time. This myth could not be further from the truth. Most security managers report that their executives are very responsive to war stories and anecdotes about other companies. Security managers can use them to emphasize a concern or communicate a key risk. Instead of explaining the benefits of encryption, it is much more powerful to refer to a story of a company (preferably from the same industry) that did not have encryption. Examples might include a corporate device that was sold on eBay with all of its confidential information still on it, or a newspaper that missed a publication because its main news server had a virus, the objective being to emphasize a point about spending the resources on antivirus solutions.
  • Myth No. 3: Executives always want to see numeric evidence. Some security managers only want to give numeric evidence to top executives, but they should not be afraid of also providing qualitative metrics and assessments.1 Most senior executives rely on their security staff's expertise to protect corporate assets and therefore trust their judgment. As long as there is some justification for their qualitative assessments (an opinion, for example, on the degree of risk a firm faces), senior management will not object to receiving them. In fact, it may be a good idea to include an executive summary in all reports to senior management with the security manager's opinion on the status of the firm's security.
  • Myth No. 4: Executives hate auditors. Auditors generally mean additional work for the organization and endless hours of reviewing detailed documentation. But security auditors are different. Not only do they review the organization's security controls with a fine-tooth comb, which is desirable in this case, but they also provide an independent assessment of the security posture.2 They can be a great source of information for executives to do informal benchmarking. As one interviewee noted, "Independent assessments are important, not only for security managers to prove their credibility, but also for senior executives to verify that the organization is on the right track and that management has not overlooked any major risks."
  • Myth No. 5: Executives always want ROI. In reality, very few senior executives actually ask for the return on investment on security spending. It is incumbent upon security managers to educate their management and help them understand that security investments don't always have a return on investment.3 It is more important to executives to track and report the impact of security products and services on day-to-day business. As a security executive in a government agency observed: "In cyber security, regardless of the return on investment, for certain things, the cost of failure is so high that you have to do them. Therefore, I do risk-benefit-cost analysis, not ROI."
