Network Security Security-Management
Re: Reports for Exec Management

Subject: Re: Reports for Exec Management
Date: Tue, 4 Apr 2006 13:50:27 -0400
Mike et al,

It seems to me that if the CEO is worth his/her salt they should be fully apprised
of the 'state of the union' so as to ensure that moving forward, budgets can be
aligned appropriately. While I understand that 1.5 million attacks might seem
alarming, the resources required to defend against the current internet conditions
must be maintained, and planned for to ensure the ongoing information health
of the company.


Soft-pedaling the urgency of the requirement will only be a disservice to the company
in the long term, and when the eventual (inevitable?) security breach is discovered
and your company is facing potentially door-closing lawsuits it will be too late to
disclose the full nature of the problem.


Thankfully, corporations are obliged to perform what's known as 'due diligence' to
ensure that these types of situations do not occur, or if so, seldom and by circumstances
that were previously unaccountable. This is exactly why corporations pay good money
for info security personnel, to ensure that they are fully informed of the ramifications of
having an online presence, and facilities.


Executive reports do not need to be short; in fact, only the executive summary should
be brief and to the point. You should include the value that your group is providing to
the company by stating factual evidence as to how that value is being derived. Your
company's databases and other mission-critical infrastructure have a far greater value
than perhaps you are perceiving, and protecting them is a vital mission.


The executive summary is key to the overall success of an executive report, in that it
briefly outlines (to a very busy person), what they need to be informed of, and the expected
impact to the overall business structure and health as a result of this information.
The summary should include the overall costs / quarter / performance metrics derived
in a way to give an accurate picture of the resources required to maintain security, and
following up with an expected budget requirement for ongoing projects, and maintaining
the successful status quo. You might also want to suggest initiatives in the summary so
as to ensure that CEOs have some options to stem costs through proactive management
led actions.


The remainder of the executive report should include research articles discussing the
ramifications of security breaches on businesses, and hard numbers that discuss your group's
costs and efficiencies. A valuation of your company's data would go a long way to solidifying
the need for infosecurity personnel, coupled with a survey of which productivity apps are
being used and when, and how much value is being derived from the corporate IT
infrastructure as measured against the company's overall value. i.e. IT is a reality of the way
we do ALL of our business, and the data derived from this IT infrastructure is truly the value
of our operation. You will also want to fully disclose any suggested initiatives introduced
in the executive summary in this part of the report.


Executives need to be properly informed, and they are the people empowered within a
company to enact changes that affect the direction of the company. Blowing smoke up
a CEO is only bad for the company on the whole. Give them a brief summary and follow it
up with real hard facts. In this era of accountability it's important to empower CEOs with
the information that could potentially save hundreds if not thousands of jobs or millions of
dollars.


Sincerely,

Sean Swayze
PCSC Information Services

On 3-Apr-06, at 11:35 PM, Crayola wrote:


I need to begin putting together monthly reports for
executive management (CEO) that show the value that the Information
Security department is providing to the company. The execs know what we
do, my senior mgmt feels we need to broadcast the value Infosec provides.


I know a couple of things about exec reports: keep them short (one page),
never propose a need without an answer, and huge IDS numbers will scare
them needlessly. How can I show value without being alarmist? If I say that we
successfully blocked over 1.5 million attacks last month they'll have a
heart attack.


What do y'all provide to your execs? It's tough to show the value of what you
do when that value consists of potentially making something not happen
(security incident).

Thanks,
Mike
