
ENGAGED REPORTING: Fact and fortitude

Now that cyber security has the attention of the board and information risk is on the agenda, Chief Information Security Officers (CISOs) are being asked increasingly tough questions about security investment and risk. It’s never been more important for CISOs to be ready to answer these questions and articulate how the information security function is contributing to strategic priorities while helping to balance information risk. Yet many are struggling to do so. ISF research has found that many CISOs are reporting the wrong key performance indicators (KPIs) and key risk indicators (KRIs). In addition, they have little or no interaction with the audiences to whom they are reporting. They are guessing at what their audiences need and are missing the mark when attempting to provide ongoing management reporting on topics including:

• information security effectiveness

• organisational risk

• information security arrangements.

Engaged Reporting provides a way for CISOs to succeed by engaging with audiences to identify common interests, determine relevant data, generate reliable insights and create impact supported by the right KPIs and KRIs. This supports informed decision-making. This report provides guidance and mechanisms that will help CISOs and their teams turn technical security metrics into reporting that is aligned to the strategic aims and goals of the organisation by virtue of meaningful conversations.

Are you ready to answer these questions?

• Can we reduce security costs without exposing the business to significant risks?

• How secure are our critical information assets? How secure do they need to be?

• What implications could a breach or an incident have on the business?

• What is the information security function doing to support new initiatives?

• Is the business sufficiently securing its core products and services?

ENGAGED REPORTING – The ISF Approach for Engaged Reporting (ISF Approach), shown below, provides a four-phase, practical approach for creating key performance indicators (KPIs) and key risk indicators (KRIs) that support informed decision-making. The ISF Approach encourages CISOs to forge a path to having the right conversations with the right people. It is designed to be applied up, down and across at all levels of an organisation.

The fundamental concepts of Engaged Reporting can be represented by an equation, as follows:

Engagement + Relevant data (A) + Reliable insights (B) + Compelling impact (C) = Informed decisions

Engaged Reporting ties performance and risk management together – through KPI/KRI combinations.

THE ISF APPROACH FOR ENGAGED REPORTING: Fact and fortitude

Engagement sits at the heart of the ISF Approach. It builds relationships and improves understanding, allowing the CISO to better respond to the needs of their audiences. It also opens doors, allowing the CISO to have influence beyond reporting.

Relevance comes from the right data, calibrated and supported by the right structures for the right audiences, and used consistently across the organisation. It ensures that the KPI/KRI combinations are aligned with the audiences’ needs through common interests.

Insights come from an understanding of KPIs and KRIs and are the basis of informed decisions. They are generated by engaging to review and interpret the information gathered to create KPI/KRI combinations.

Impact ensures that information is reported and presented in a way that is accepted and understood, leading to decisions and action.

Informed decisions are based on an accurate view of performance and risk. Engaged Reporting will offer organisations assurance that the CISO and the information security function are responding proactively to priorities and other needs of the business.

KPI

An expression of progress towards strategic aims and business goals. Predominantly backward looking.

Reports on: actual progress against plans and targets.

Also provides a basis for: identifying trends for future resource availability and performance.

KRI

A predictor of events that can affect the achievement of strategic aims and business goals. Predominantly forward looking.

Reports on: new and previously identified uncertainties, expressed in terms of their likelihood and impact.

Also provides a basis for: assessing whether previous predictions on risk (as a function of likelihood and impact) were sound, thus identifying trends on quality of foresight.

ENGAGING TO REPORT

This builds an essential understanding of the needs and reporting preferences of the audiences. In particular, it identifies reporting requirements that are in line with strategic aims and business goals. It also improves the CISO’s understanding of business drivers and priorities in order to identify common interests and KPI/KRI combinations.

ENGAGING TO COLLABORATE

This enables the CISO to gather, calibrate and interpret information. It also identifies existing reports that can be used to enrich reporting.

Fictional case study

A fictional case study accompanies each phase of the ISF Approach, describing how a CISO uses the approach to align the information security function’s priorities with the strategic priorities of the business and answering some of the questions being asked by the board.

Top tips

• Align information security priorities with the strategic priorities of the organisation

• Take the time to engage with the right audiences and build a coalition

• Use the language and terminology of the audience

• Always ask for feedback to keep reporting relevant and meaningful

• Treat reporting as an opportunity to develop trust and influence beyond reporting

PHASE A: ESTABLISH RELEVANCE

Step 1. Understand the business context

Step 2. Identify audiences and collaborators

Step 3. Determine common interests

Step 4. Identify the key information security priorities

Step 5. Design KPI/KRI combinations

Step 6. Test and confirm KPI/KRI combinations

PHASE B: GENERATE INSIGHTS

Step 1. Gather data

Step 2. Produce and calibrate KPI/KRI combinations

Step 3. Interpret KPI/KRI combinations to develop insights

PHASE C: CREATE IMPACT

Step 1. Agree conclusions, proposals and recommendations

Step 2. Produce reports and presentations

Step 3. Prepare to present and distribute reports

Step 4. Present and agree on next steps

PHASE D: LEARN AND IMPROVE

Step 1. Develop learning and improvement plans

[Diagram: the four phases – Phase A: Establish relevance, Phase B: Generate insights, Phase C: Create impact and Phase D: Learn and improve – are linked by Engage at each step, and the approach is applied across Business Function Heads, Senior Management, and Executive Management & Board. Business functions shown: Production, Finance, IT, HR, Legal, ..., Information Security, Sales, Operations, Services.]

Engaged Reporting: Fact and fortitude

CONTACT

For more information, please contact:

Steve Durbin, Managing Director

US Tel: +1 (347) 767 6772

UK Tel: +44 (0)20 3289 5884

UK Mobile: +44 (0)7785 953 800

Email: [email protected]

www.securityforum.org

Where next?

Engaged Reporting describes the fundamental components of successful reporting and provides a practical approach for CISOs to engage up, down and across at all levels of their organisations – to identify and use relevant KPIs and KRIs necessary for fact-based decision-making. We recommend that the CISO in each ISF Member organisation:

• consider their specific goals for reporting and plan a way forward to achieve Engaged Reporting

• understand the fundamental concepts underlying the approach

• apply the approach: bearing in mind that this is a flexible and iterative process that will evolve in line with changes in their organisation and resulting reporting requirements

• benefit from the reporting indicators and example reporting formats in this report

• give careful consideration to the concepts in this report and consult other related ISF materials including IRAM2: The Next Generation of Assessing Information Risk, From Promoting Awareness to Embedding Behaviours: Secure by choice, not by chance, Information Security Strategy: Transitioning from alignment to integration, Engaging With The Board: Balancing cyber risk and reward and Information Security Governance: Raising the game.

• use ISF Live to share their thoughts, information, articles and other relevant materials, and to debate the ISF’s findings in this report.

Engaged Reporting is available free of charge to ISF Members, and can be downloaded from the ISF Member website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin at [email protected].

ABOUT THE ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals individually.

DISCLAIMER

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.

REFERENCE: ISF 15 04 02

Copyright©2015 Information Security Forum Limited. All rights reserved.