Now more than ever, the security position of an organisation is a concern to all levels of management. In particular, IS/ITS management are required to understand the status, success and coverage of deployed security measures.
The client is a major insurance, investment and pension company, which required a security management dashboard to support the reporting needs of control owners, Information Security, and a senior and executive management audience.
i-confidential initially conducted an i-Assess control review of the organisation’s information security position and determined a number of security gaps. The view i-confidential takes is that, in common with any other business, security teams cannot effectively manage what they cannot measure.
The state of security management information reporting was identified as undermining the organisation’s attempts to understand and improve its current risk position. In addition, the lack of reported security-related measures weakened its security improvement efforts, as the organisation was unable to describe the gap in attainment, provide any regular or ongoing view of the security risk, or demonstrate the benefits to senior management.
The initial dashboard was based on a set of ‘day one’ measures, deemed a priority for the organisation in conjunction with the controls identified as weak in the assessment. These were refined over a number of iterations, as additional priorities were recognised and further sources of measurement information identified. The outcome was a dashboard that provided a tiered reporting platform, enabling measures to be tailored to the audience while maintaining a single consistent view of the data, alongside the ability to decompose aggregated measures into the base metrics that informed them. Each measure was given a RAG (red/amber/green) rating, with associated narrative text to explain it, for example a ‘path to green’. A new process, roles and responsibilities, and a repository were also developed. This allowed metrics owners to add measurement information, and the dashboard to be recalibrated in real time.
The outcome was a better understood and communicated control position, a shared multi-disciplinary view, and the ability to demonstrate improvement to various levels within the organisation. The resulting views of the data ranged from simple management overviews to progressively more detailed derivatives, to suit the audience.
Identified control measurement gaps and priorities which undermined the organisation’s ability to measure and manage security threats
Created a draft dashboard, based on the organisation’s current priorities, and used this to establish a common, shared view of security and improvement status
Established a new process, responsibilities, and repository to support the institutionalisation of measurement practices