Mike,
I don't know if this will help but, what I do is provide the number of
attacks blocked and analyze that by providing information on one. If you
provide the cost of fixing problems caused by one attack (man hours,
downtime, customer and user impact, etc...) you will be able to show them
that you are in fact saving the company money. This is your Return on
investment ROI which they love to hear. What you are looking to do is prove
how you are not wasting their money, but instead saving them money.
Example, if a virus is successful; calculate how the impact of affected
servers and computers would cost money to repair. Then calculate that cost
times the number of attacks you've prevented (you must be able to prove that
you prevented them) and compare that against the cost of any IDS systems and
implementations your security team has done.
Hope this helps.
Regards,
Rolando Ruiz
Information Technology
-----Original Message-----
From: Crayola [mailto:crayola@optonline.net]
Sent: Monday, April 03, 2006 11:36 PM
To: security-management@securityfocus.com
Subject: Reports for Exec Management
I need to begin putting together monthly reports for
executive management (CEO) that show the value that the Information
Security department is providing to the company. The execs know what we
do, my senior mgmt feels we need to broadcast the value Infosec provides.
I know a couple things about exec reports.. keep them short (one page),
never propose a need without an answer, and huge IDS numbers will scare
them needlessly. How can I show value without being alarmist? If I say that
we
successfully blocked over 1.5 million attacks last month they'll have a
heart attack.
What do ya'll provide to your execs? Its tough to show the value of what you
do when that value consists of potentially making something not happen
(security incident).
Thanks,
Mike
