You know gathering data and analyzing information security metrics is important. You probably know which ones you should be collecting. But now that you have all of the information you need, how do you put it into an intelligent, understandable, and effective report for stakeholders?
There really is no right or wrong way at a granular level, but there are certainly best practices you can keep in mind to make sure you’ve got the right metrics telling the right story to the right people.
Creating an Information Security Metric Report
Start by defining a problem you’d like to solve or a goal or goals for your department. Everything should be measured against a goal. For example, if your goal is to reduce the number of employee outreach events, make it a point to report those numbers.
Identify the resources you have available to you. Who will pull metrics? Will it be an entirely internal effort, or will you have vendors complete audits? Do you have the appropriate tools and software to obtain the right data points? Make sure all of this is in line before you begin.
Next, gather together your predetermined metrics. Remember, these should be mostly quantitative — measurable, with defined timeframes. Qualitative (anecdotal or opinion-based) metrics are sometimes OK, if they provide context to the full picture of what’s happening, but shouldn’t be used on their own.
Determine which metrics to pull as quality indicators (those measuring against clear targets and goals) and which for tracking metrics (those without a target, but give a good idea of how a data point is trending).
Once you have all of your metrics, build out a rough draft of your report. Your report should tell a story — often, that means visuals such as charts, graphs, and heat maps will clarify a full picture better than blocks of texts describing data points and analysis. Review your drafts with appropriate team members, and repeat the steps as necessary until you have a strong report to share or present.
What Types of Reports are Most Effective?
There are countless options, but some common formats help to simplify the process depending on the audience you’re sharing your metrics with.
A monthly or weekly scorecard can help you manage security operations and other tasks of your team. Scorecards capture day-to-day operations including firewall rules created, system patching, and conducting awareness events. Include a risk section to capture visibility into an organization’s weak spots, such as the number of security scans, and open vulnerabilities.
Scorecards can be rolled up into a one-pager to present to the CIO or to be used internally for performance measurement. They should be automated as much as possible, simple, and frequent.
For peers and direct management, consider creating a quarterly dashboard. Dashboards can be used to report information that will help drive the behavior of complementing teams, such as the network, systems, and app teams. Include similar information that’s in the scorecard, but show trends over time to give a clear picture of progress or issues.
Annual presentations are best for high-level views appropriate for executives or a board of directors. They are meant to tell the full story of the direction of the security program. These can be used not only to show progress and successes, but also to justify spend, support requests for more funding or resources, and provide insight into the value of the information security team.
Typically, executives and board members will only need to see reports once per year unless there’s a breach. The story must be told quickly, visually, and simply. Consider what the most important thing is to convey, and put that at the very beginning of the report. Plan on spending only 15 minutes presenting the report, and prepare to be asked a lot of questions. Each type of report can utilize the same underlying metrics, but each channel may rely on different elements to tell the right story for its audience.
Need help preparing reports, or have questions? Talk with the experts at MRK. Fill out the form below, and we’d be happy to get in touch with you right away.