engaged reporting: fact and fortitude - executive … · the isf approach for engaged reporting...
Post on 21-Apr-2018
ENGAGED REPORTING: Fact and fortitude
Now that cyber security has the attention of the board and information risk is on the agenda, Chief Information Security Officers (CISOs) are being asked increasingly tough questions about security investment and risk. It’s never been more important for CISOs to be ready to answer these questions and articulate how the information security function is contributing to strategic priorities while helping to balance information risk. Yet many are struggling to do so. ISF research has found that many CISOs are reporting the wrong key performance indicators (KPIs) and key risk indicators (KRIs). In addition, they have little or no interaction with the audiences to whom they are reporting. They are guessing at what their audiences need and are missing the mark when attempting to provide ongoing management reporting on topics including:
• information security effectiveness
• organisational risk
• information security arrangements.

Engaged Reporting provides a way for CISOs to succeed by engaging with audiences to identify common interests, determine relevant data, generate reliable insights and create impact supported by the right KPIs and KRIs. This supports informed decision-making. This report provides guidance and mechanisms that will help CISOs and their teams turn technical security metrics into reporting that is aligned to the strategic aims and goals of the organisation by virtue of meaningful conversations.
Are you ready to answer these questions?
• Can we reduce security costs without exposing the business to significant risks?
• How secure are our critical information assets? How secure do they need to be?
• What implications could a breach or an incident have on the business?
• What is the information security function doing to support new initiatives?
• Is the business sufficiently securing its core products and services?
ENGAGED REPORTING
The ISF Approach for Engaged Reporting (ISF Approach), shown below, provides a four-phase, practical approach for creating key performance indicators (KPIs) and key risk indicators (KRIs) that support informed decision-making. The ISF Approach encourages CISOs to forge a path to having the right conversations with the right people. It is designed to be applied up, down and across at all levels of an organisation.
The fundamental concepts of Engaged Reporting can be represented by an equation, as follows:

Engagement + Relevant data (A) + Reliable insights (B) + Compelling impact (C) = Informed decisions

Engaged Reporting ties performance and risk management together – through KPI/KRI combinations.
THE ISF APPROACH FOR ENGAGED REPORTING
Engagement sits at the heart of the ISF Approach. It builds relationships and improves understanding, allowing the CISO to better respond to the needs of their audiences. It also opens doors, allowing the CISO to have influence beyond reporting.
Relevance comes from the right data, calibrated and supported by the right structures for the right audiences, and used consistently across the organisation. It ensures that the KPI/KRI combinations are aligned with the audiences’ needs through common interests.
Insights come from understanding of KPIs and KRIs and are the basis of informed decisions. They are generated by engaging to review and interpret information gathered to create KPI/KRI combinations.
Impact ensures that information is reported and presented in a way that it is accepted and understood, leading to decisions and action.
Informed decisions are based on an accurate view of performance and risk. Engaged Reporting will offer organisations assurance that the CISO and the information security function are responding proactively to priorities and other needs of the business.
KPI
An expression of progress towards strategic aims and business goals. Predominantly backward looking.
Reports on: actual progress against plans and targets.
Also provides a basis for: identifying trends for future resource availability and performance.

KRI
A predictor of events that can affect the achievement of strategic aims and business goals. Predominantly forward looking.
Reports on: new and previously identified uncertainties, expressed in terms of their likelihood and impact.
Also provides a basis for: assessing whether previous predictions on risk (as a function of likelihood and impact) were sound, thus identifying trends on quality of foresight.
ENGAGING TO REPORT
This builds an essential understanding of the needs and reporting preferences of the audiences. In particular, it identifies reporting requirements that are in line with strategic aims and business goals. It also improves the CISO’s understanding of business drivers and priorities in order to identify common interests and KPI/KRI combinations.
ENGAGING TO COLLABORATE
This enables the CISO to gather, calibrate and interpret information. It also identifies existing reports that can be used to enrich reporting.
Fictional case study
A fictional case study accompanies each phase of the ISF Approach, describing how a CISO uses the approach to align the information security function’s priorities with the strategic priorities of the business and answering some of the questions being asked by the board.
Top tips
• Align information security priorities with the strategic priorities of the organisation
• Take the time to engage with the right audiences and build a coalition
• Use the language and terminology of the audience
• Always ask for feedback to keep reporting relevant and meaningful
• Treat reporting as an opportunity to develop trust and influence beyond reporting
PHASE A: ESTABLISH RELEVANCE
Step 1. Understand the business context
Step 2. Identify audiences and collaborators
Step 3. Determine common interests
Step 4. Identify the key information security priorities
Step 5. Design KPI/KRI combinations
Step 6. Test and confirm KPI/KRI combinations
PHASE B: GENERATE INSIGHTS
Step 1. Gather data
Step 2. Produce and calibrate KPI/KRI combinations
Step 3. Interpret KPI/KRI combinations to develop insights
PHASE C: CREATE IMPACT
Step 1. Agree conclusions, proposals and recommendations
Step 2. Produce reports and presentations
Step 3. Prepare to present and distribute reports
Step 4. Present and agree on next steps
PHASE D: LEARN AND IMPROVE
Step 1. Develop learning and improvement plans
[Figure: the four phases of the ISF Approach (Phase A: Establish relevance; Phase B: Generate insights; Phase C: Create impact; Phase D: Learn and improve), each linked by engagement with the organisation’s audiences: executive management and board, senior management, and business function heads (Production, Finance, IT, HR, Legal, Sales, Operations, Services and Information Security).]
CONTACT
For more information, please contact:
Steve Durbin, Managing Director
US Tel: +1 (347) 767 6772
UK Tel: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 800
Email: steve.durbin@securityforum.org
Web: www.securityforum.org
Where next?
Engaged Reporting describes the fundamental components of successful reporting and provides a practical approach for CISOs to engage up, down and across at all levels of their organisations – to identify and use relevant KPIs and KRIs necessary for fact-based decision-making. We recommend that the CISO in each ISF Member organisation:
• consider their specific goals for reporting and plan a way forward to achieve Engaged Reporting
• understand the fundamental concepts underlying the approach
• apply the approach: bearing in mind that this is a flexible and iterative process that will evolve in line with changes in their organisation and resulting reporting requirements
• benefit from the reporting indicators and example reporting formats in this report
• give careful consideration to the concepts in this report and consult other related ISF materials including IRAM2: The Next Generation of Assessing Information Risk, From Promoting Awareness to Embedding Behaviours: Secure by choice, not by chance, Information Security Strategy: Transitioning from alignment to integration, Engaging With The Board: Balancing cyber risk and reward and Information Security Governance: Raising the game.
• use ISF Live to share their thoughts, information, articles and other relevant materials, and to debate the ISF’s findings in this report.
Engaged Reporting is available free of charge to ISF Members, and can be downloaded from the ISF Member website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin at steve.durbin@securityforum.org.
ABOUT THE ISF
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals individually.
DISCLAIMER
This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.
REFERENCE: ISF 15 04 02
Copyright©2015 Information Security Forum Limited. All rights reserved.