Hi,
My suggestions. Senior Management would like to see Information Security
as an investment. Think like this.
* The organization has a business objective - "Deliver products on time"
* The business objective can be mapped to a Security Objective -
"Systems supporting product delivery must be available"
* The Security Objective is mapped to Security Targets - "Systems
supporting product delivery must not be unavailable for more than
5 hours per year"
The achievement of Security Targets is through careful execution of ISM
processes. You can use metrics for measuring the success rate of each
ISM process and map them backwards and see whether the Business
Objective was reached.
So you tell the Senior Management whether the investment in ISMS was
worthwhile, substantiating your information with results obtained using
metrics. This is something which Senior Management would like to hear if
you present a report based on the above assumptions.
Warm Regards,
Anup
P.S:- Information Security is not avoiding incidents, Information
Security is "Being reliable and achieving business goals in spite of
incidents"
If you use metrics to measure the success of each ISMS process and map
Crayola wrote:
I need to begin putting together monthly reports for
executive management (CEO) that show the value that the Information
Security department is providing to the company. The execs know what we
do, my senior mgmt feels we need to broadcast the value Infosec provides.
I know a couple things about exec reports.. keep them short (one page),
never propose a need without an answer, and huge IDS numbers will scare
them needlessly. How can I show value without being alarmist? If I say that
we
successfully blocked over 1.5 million attacks last month they'll have a
heart attack.
What do ya'll provide to your execs? Its tough to show the value of what you
do when that value consists of potentially making something not happen
(security incident).
Thanks,
Mike
