Network Security Security-Management

RE: Reports for Exec Management

Subject: RE: Reports for Exec Management
Date: Tue, 4 Apr 2006 12:18:04 -0700
Hi Mike,

I need to begin putting together monthly reports for 
executive management (CEO) that show the value that the 
Information Security department is providing to the company. 
The execs know what we do, my senior mgmt feels we need to 
broadcast the value Infosec provides. 

In my own experience, I think this is VERY important. At one point, I too
was responsible for putting together PPT slides to demonstrate my team's
value to the company. What I learned was that "knowing what the security
dept does" and "understanding what the security dept" does are two different
things. The "understanding" part comes when those executives can relate to
what you do. When they say they "know" what you do, that usually means
they've read your 1 page dept. charter/mission statement and it was in a
language they understood.

When I say "relate to what you do", I've found that the universal language
of $$$ is the easiest way to communicate. Translate the type of things your
dept does to dollar amounts. However, be very careful how you do this;
always be ready to justify how you deduced the numbers.
 
I know a couple things about exec reports.. keep them short 
(one page), never propose a need without an answer, and huge 
IDS numbers will scare them needlessly. How can I show value 
without being alarmist? If I say that we successfully blocked 
over 1.5 million attacks last month they'll have a heart attack. 

A couple of suggestions here.... 

1. get a hold of a few reports from other departments. Every company I've
been at has a different format, different charts and tables they are used to
seeing. Sometimes, the CEO will dictate that his VPs use a certain format.
Find out what this is, and incorporate it into yours. This may seem
"superficial" or "cosmetic", when what really matters is the content, not so
much the presentation. But consider it part of "effective communication." If
you're trying to communicate to someone who doesn't speak your language, you
don't keep babbling words that are foreign to them, you try to find
commonalities or learn their language. Keeping your report in a format they
are used to will help get your message across, give the execs no excuse to
focus on your presentation method, but rather focus on the content; which is
what really matters.

2. it truly is difficult to assign a dollar value to prevention of an
incident. but here are "alternative" ways to look at it:

- what is the value of all the company assets you are protecting? if your
dept. is providing security for $3B worth of company assets, it's a no
brainer that the company spend $2M/yr on your department.
- what was the cost of the last security breach at your company? if the last
security breach cost the business $100K-$150K last time, figure out what
you're saving the company.

3. your execs are used to seeing things in terms of dollars, but they are
also used to seeing organization and people. security can be seen as an
"enabling" force. identify these opportunities and glorify them...

- good security policies, procedures, and practice could have allowed for
the efficient completion of audits, this may have allowed a new business
initiative to come to market before the competition. if you don't have such
an opportunity to talk about, consider partnering with other VPs and
managers to ensure that your efforts are considered as part of their
success. nothing demonstrates value more than when another dept. VP speaks
up on your behalf and credits your dept for part of their success.

- if your company is public in the US, then your CFO should definitely be
your partner and see the value your dept provided in the SOX audits.

What do y'all provide to your execs? It's tough to show the 
value of what you do when that value consists of potentially making
something not happen (security incident). 

If the company you work for is fairly large, the value of your dept. must go
beyond just what your dept. does. Nothing speaks stronger than when other
dept. see your dept as a partner, team player, and problem solver. When your
dept is seen as an essential team player within the business, it almost
doesn't matter that you've prevented 1.5M attacks this past quarter.

I hope those suggestions give you some ideas. Every company, every executive
team is different, so start talking with other teams, managers, executives,
VPs and get an idea of what makes them tick, what turns them off... and
start putting yourself in their shoes and try to figure out what role your
team plays within the business.

Good Luck!
-Bond Masuda
Security Consultant, CISSP
