Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Reports for Exec Management

from [Vera, Christopher M.] Network Security [Permanent Link]
Subject: RE: Reports for Exec Management
Date: Tue, 4 Apr 2006 15:36:05 -0700 
Crayola,

Your instincts are good. Showing a metric of 1.5 million attacks (really,
events since false positives run rampant) is useless to an exec.

The reason is because execs usually speak in terms of *business* risk, not
*technical* risk. Almost every metric you present to an exec should relate
directly to how much money it is costing or saving the company.

What keeps execs up at night? Many typically ask:
What are my most mission critical business information/systems/processes?
Where are they? Who owns them?

Are these systems "secure" (i.e., are we protecting them appropriately
according to the value of the info they store or process)?

If a mission critical info/system/process becomes unavailable, how quickly
can we restore it?

Is my info/systems/processes in compliance with all local/state/federal
regulations & laws?

How much will it cost the company if info is lost or stolen? What will the
headline read in the newspaper?

Every metric you provide should help answer these questions. Back to your
example, execs don't care you had 1.5 million IDS events triggered last
month. They DO care that of the 200 mission critical systems you have, three
were REALLY attacked and all three attacks were contained or stopped before
the CIA of the information could be adversely affected.

Here's another tip: Thoroughly understand every metric you are presenting
and what it means, ESPECIALLY if the metric had changed dramatically since
the last report.

Christopher Vera, GCFA, CISSP, 

-----Original Message-----
From: security-management-return-1391-verac=saic.com@securityfocus.com
[mailto:security-management-return-1391-verac=saic.com@securityfocus.com] On
Behalf Of Crayola
Sent: Monday, April 03, 2006 8:36 PM
To: security-management@securityfocus.com
Subject: Reports for Exec Management


I need to begin putting together monthly reports for executive management
(CEO) that show the value that the Information Security department is
providing to the company. The execs know what we do, my senior mgmt feels we
need to broadcast the value Infosec provides. 

I know a couple things about exec reports.. keep them short (one page),
never propose a need without an answer, and huge IDS numbers will scare them
needlessly. How can I show value without being alarmist? If I say that we
successfully blocked over 1.5 million attacks last month they'll have a
heart attack. 

What do ya'll provide to your execs? Its tough to show the value of what you

do when that value consists of potentially making something not happen
(security incident). 

Thanks,
Mike
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Reports for Exec Management, Anup Narayanan
Next by Date:  RE: Reports for Exec Management, Ruiz, Rolando
Previous by Thread:  RE: Reports for Exec Management, Chuck
Next by Thread:  RE: Reports for Exec Management, Ruiz, Rolando
Indexes:  [Date] [Thread] [Top] [All Lists]