Network Security Security-Management

Re: Reports for Exec Management

Subject: Re: Reports for Exec Management
Date: Wed, 5 Apr 2006 16:27:10 -0400
Why re-invent the wheel when your organization already has a mature business
to report on the health of the network?

When I worked in netops I could report on an outage in dollars and time very
quickly. For example, if a trading floor went down for 20 minutes, I had
data from finance showing that the floor generated $X/hour. From that I
could then report that we lost $X for the downtime, and the problem was
caused by hardware/human error, etc. From there I could craft the report to
support the problem. Possibly we needed more spare equipment, or the nephew
of the CEO needs to finally get fired, or be given a less dangerous job?

The netops people should be ahead of the security ops people in the ability
to create metrics from network data. Go to your netops team and ask how
their operations report up. Of course, it is easier when you are dealing
with a circuit up/down, latency, business team cut off, etc. However, if you
can identify your attacks (This is part of your job) then you can decide if
you need to tell anyone that your firewall is working. If your firewall is
under heavy load, then you may want to report that a common DoS attack will
take the business down if you do not start an in-line IPS project.

If you are unable to manage your network, then you can report that, for
example in the case of Windows admins unwilling to clean up their traffic,
share patch levels, or even let scans occur. If they won't work with you,
tell the execs that the Windows network is a timebomb, and responsible for
wasting bandwidth and resources.

If you don't even know what is a real threat and what isn't, then you need
to craft a plan to take control of your network. There are products now
available that distinguish real threats from false alarms.

-Erik


On 4/4/06, Crayola <crayola@optonline.net> wrote:

Thanks for the great advice all!

After mulling over all your emails I am going to focus on a key performance
indicator style report where we define the missions of the information
security department to the business stakeholders of the company, i.e. what
business value are they expecting us to provide. I can think of 6 or 7 big
missions we can focus on.

Then define goals based on the missions, and measure progress towards
those goals. In other words Key Performance Indicators. This works
really well for a monthly report since it can easily show progress
towards the goals and ultimately adding business value to the
organization.

Example section:
-------------------------------------------------------
Mission - Maintain regulatory and standards compliance

Goals - Ensure that the company meets the authentication requirements of
          the FFIEC by 2007

Accomplishment - Developed new authentication standard for internal
development efforts.

Next steps - Work with development to modify all products to meet new
standard

-------------------------------------------------------

This lets the CEO know how the infosec department is providing business
value to the organization in a way that is not alarming, and can't be
misinterpreted (like numbers often are). It also provides me a platform to
indicate where I need executive support in the "next steps" section.

Thanks,
Mike
