Engaged Reporting: Fact and Fortitude - Executive ISF APPROACH FOR ENGAGED REPORTING Fact and...
ENGAGED REPORTING: Fact and fortitude
Now that cyber security has the attention of the board and information risk is on the agenda, Chief Information Security Officers (CISOs) are being asked increasingly tough questions about security investment and risk. It has never been more important for CISOs to be ready to answer these questions and to articulate how the information security function contributes to strategic priorities while helping to balance information risk. Yet many are struggling to do so. ISF research has found that many CISOs are reporting the wrong key performance indicators (KPIs) and key risk indicators (KRIs). In addition, they have little or no interaction with the audiences to whom they are reporting. They are guessing at what their audiences need and are missing the mark when attempting to provide ongoing management reporting on topics including:
information security effectiveness
organisational risk
information security arrangements.
Engaged Reporting provides a way for CISOs to succeed by engaging with audiences to identify common interests, determine relevant data, generate reliable insights and create impact, supported by the right KPIs and KRIs. This supports informed decision-making. This report provides guidance and mechanisms that will help CISOs and their teams turn technical security metrics into reporting that is aligned, through meaningful conversations, with the strategic aims and goals of the organisation.
Are you ready to answer these questions?
Can we reduce security costs without exposing the business to significant risks?
How secure are our critical information assets? How secure do they need to be?
What implications could a breach or an incident have on the business?
What is the information security function doing to support new initiatives?
Is the business sufficiently securing its core products and services?
ENGAGED REPORTING
The ISF Approach for Engaged Reporting (ISF Approach), shown below, provides a practical four-phase approach for creating key performance indicators (KPIs) and key risk indicators (KRIs) that support informed decision-making. The ISF Approach encourages CISOs to forge a path to having the right conversations with the right people. It is designed to be applied up, down and across, at all levels of an organisation.
The fundamental concepts of Engaged Reporting can be represented by an equation, as follows:
Engagement + Relevance + Insights + Impact = Informed decisions
Engaged Reporting ties performance and risk management together through KPI/KRI combinations.
THE ISF APPROACH FOR ENGAGED REPORTING
Engagement sits at the heart of the ISF Approach. It builds relationships and improves understanding, allowing the CISO to better respond to the needs of their audiences. It also opens doors, allowing the CISO to have influence beyond reporting.
Relevance comes from the right data, calibrated and supported by the right structures for the right audiences, and used consistently across the organisation. It ensures that the KPI/KRI combinations are aligned with the audiences' needs through common interests.
Insights come from an understanding of KPIs and KRIs and are the basis of informed decisions. They are generated by engaging to review and interpret the information gathered to create KPI/KRI combinations.
Impact ensures that information is reported and presented in a way that is accepted and understood, leading to decisions and action.
Informed decisions are based on an accurate view of performance and risk. Engaged Reporting will offer organisations assurance that the CISO and the information security function are responding proactively to priorities and other needs of the business.
Key risk indicators (KRIs)
A predictor of events that can affect the achievement of strategic aims and business goals. Predominantly forward looking.
Report new and previously identified uncertainties, expressed in terms of their likelihood and impact.
Also provide a basis for assessing whether previous predictions on risk (as a function of likelihood and impact) were sound, thus identifying trends in the quality of foresight.

Key performance indicators (KPIs)
An expression of progress towards strategic aims and business goals. Predominantly backward looking.
Report actual progress against plans and targets.
Also provide a basis for identifying trends in future resource availability and performance.
ENGAGING TO REPORT
This builds an essential understanding of the needs and reporting preferences of the audiences. In particular, it identifies reporting requirements that are in line with strategic aims and business goals. It also improves the CISO's understanding of business drivers and priorities in order to identify common interests and KPI/KRI combinations.
ENGAGING TO COLLABORATE
This enables the CISO to gather, calibrate and interpret information. It also identifies existing reports that can be used to enrich reporting.
A fictional case study accompanies each phase of the ISF Approach, describing how a CISO uses the approach to align the information security function's priorities with the strategic priorities of the business and to answer some of the questions being asked by the board.
Fictional case study: key messages
Align information security priorities with the strategic priorities of the organisation
Take the time to engage with the right audiences and build a coalition
Use the language and terminology of the audience
Always ask for feedback to keep reporting relevant and meaningful
Treat reporting as an opportunity to develop trust and influence beyond reporting
PHASE A: ESTABLISH RELEVANCE
Step 1. Understand the business context
Step 2. Identify audiences and collaborators
Step 3. Determine common interests
Step 4. Identify the key information security priorities
Step 5. Design KPI/KRI combinations
Step 6. Test and confirm KPI/KRI combinations
PHASE B: GENERATE INSIGHTS
Step 1. Gather data
Step 2. Produce and calibrate KPI/KRI combinations
Step 3. Interpret KPI/KRI combinations to develop insights
PHASE C: CREATE IMPACT
Step 1. Agree conclusions, proposals and recommendations
Step 2. Produce reports and presentations
Step 3. Prepare to present and distribute reports
Step 4. Present and agree on next steps
PHASE D: LEARN AND IMPROVE
Step 1. Develop learning and improvement plans
[Figure: business function heads the CISO engages with: Finance, IT, HR, Legal, Sales, Operations, Services, ... and Information Security]
CONTACT
For more information, please contact:
Steve Durbin, Managing Director
US Tel: +1 (347) 767 6772
UK Tel: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 800
Email: firstname.lastname@example.org
Web: www.securityforum.org
Engaged Reporting describes the fundamental components of successful reporting and provides a practical approach for CISOs to engage up, down and across at all levels of their organisations to identify and use relevant KPIs and KRIs necessary for fact-based decision-making. We recommend that the CISO in each ISF Member organisation:
consider their specific goals for reporting and plan a way forward to achieve Engaged Reporting
understand the fundamental concepts underlying the approach
apply the approach, bearing in mind that this is a flexible and iterative process that will evolve in line with changes in their organisation and the resulting reporting requirements
benefit from the reporting indicators and example reporting formats in this report
give careful consideration to the concepts in this report and consult other related ISF materials including IRAM2: The Next Generation of Assessing Information Risk, From Promoting Awareness to Embedding Behaviours: Secure by choice, not by chance, Information Security Strategy: Transitioning from alignment to integration, Engaging With The Board: Balancing cyber risk and reward and Information Security Governance: Raising the game.
use ISF Live to share their thoughts, information, articles and other relevant materials, and to debate the ISF's findings in this report.
Engaged Reporting is available free of charge to ISF Members, and can be downloaded from the ISF Member website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin at email@example.com.
ABOUT THE ISF
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals individually.