Engaged Reporting: Fact and Fortitude - Executive ISF APPROACH FOR ENGAGED REPORTING Fact and...

Engaged Reporting: Fact and Fortitude - Executive ISF APPROACH FOR ENGAGED REPORTING Fact and fortitude + + + = Engagement A ... allowing the CISO to ... Fact and Fortitude - Executive
Engaged Reporting: Fact and Fortitude - Executive ISF APPROACH FOR ENGAGED REPORTING Fact and fortitude + + + = Engagement A ... allowing the CISO to ... Fact and Fortitude - Executive
Engaged Reporting: Fact and Fortitude - Executive ISF APPROACH FOR ENGAGED REPORTING Fact and fortitude + + + = Engagement A ... allowing the CISO to ... Fact and Fortitude - Executive
download Engaged Reporting: Fact and Fortitude - Executive ISF APPROACH FOR ENGAGED REPORTING Fact and fortitude + + + = Engagement A ... allowing the CISO to ... Fact and Fortitude - Executive

of 3

  • date post

  • Category


  • view

  • download


Embed Size (px)

Transcript of Engaged Reporting: Fact and Fortitude - Executive ISF APPROACH FOR ENGAGED REPORTING Fact and...

  • Fact and fortitudeENGAGED REPORTING

    Now that cyber security has the attention of the board and information risk is on the agenda, Chief Information Security Officers (CISOs) are being asked increasingly tough questions about security investment and risk. Its never been more important for CISOs to be ready to answer these questions and articulate how the information security function is contributing to strategic priorities while helping to balance information risk. Yet many are struggling to do so. ISF research has found that many CISOs are reporting the wrong key performance indicators (KPIs) and key risk indicators (KRIs). In addition, they have little or no interaction with the audiences to whom they are reporting. They are guessing at what their audiences need and are missing the mark when attempting to provide ongoing management reporting on topics including:

    information security effectiveness organisational risk information security arrangements. Engaged Reporting provides a way for CISOs to succeed by engaging with audiences to identify common interests, determine relevant data, generate reliable insights and create impact supported by the right KPIs and KRIs.This supports informed decision-making. This report provides guidance and mechanisms that will help CISOs and their teams turn technical security metrics into reporting that is aligned to the strategic aims and goals of the organisation by virtue of meaningful conversations.

    Are you ready to answer these questions?

    Can we reduce security costs without exposing the business to significant risks?

    How secure are our critical information assets? How secure do they need to be?

    What implications could a breach or an incident have on the business?

    What is the information security function doing to support new initiatives?

    Is the business sufficiently securing its core products and services?

  • ENGAGED REPORTING -The ISF Approach for Engaged Reporting (ISF Approach), shown below, provides a four-phase, practical approach for creating key performance indicators (KPIs) and key risk indicators (KRIs) that support informed decision-making. The ISF Approach encourages CISOs to forge a path to having the right conversations with the right people. It is designed to be applied up, down and across at all levels of an organisation.

    The fundamental concepts of Engaged Reporting can be represented by an equation, as follows:

    Engaged Reporting ties performance and risk management together through KPI/KRI combinations.


    Fact and fortitude

    + + + =Engagement








    Engagement sits at the heart of the ISF Approach. It builds relationships and improves understanding, allowing the CISO to better respond to the needs of their audiences. It also opens doors, allowing the CISO to have influence beyond reporting.

    Relevance comes from the right data, calibrated and supported by the right structures for the right audiences, and used consistently across the organisation. It ensures that the KPI/KRI combinations are aligned with the audiences needs through common interests.

    Insights come from understanding of KPIs and KRIs and are the basis of informed decisions. They are generated by engaging to review and interpret information gathered to create KPI/KRI combinations.

    Impact ensures that information is reported and presented in a way that it is accepted and understood, leading to decisions and action.

    Informed decisions are based on an accurate view of performance and risk. Engaged Reporting will offer organisations assurance that the CISO and the information security function are responding proactively to priorities and other needs of the business.

    Reports on:

    New and previously identified uncertainties, expressed in terms of their likelihood and impact

    Also provides a basis for:

    Assessing whether previous predictions on risk (as a function of likelihood and impact) were sound, thus identifying trends on quality of foresight


    Reports on:

    Actual progress against plans and targets

    Also provides a basis for:

    Identifying trends for future resource availability and performance

    An expression of progress towards strategic aims and business goals. Predominantly backward looking.

    A predictor of events that can affect the achievementof strategic aims and business goals.

    Predominantly forward looking.

    This builds an essential understanding of the needs and reporting preferences of the audiences. In particular, it identifies reporting requirements that are in line with strategic aims and business goals. It also improves the CISOs understanding of business drivers and priorities in order to identify common interests and KPI/KRI combinations.


    This enables the CISO to gather, calibrate and interpret information. It also identifies existing reports that can be used to enrich reporting.


    A fictional case study accompanies each phase of the ISF Approach, describing how a CISO uses the approach to align the information security functions priorities with the strategic priorities of the business and answering some of the questions being asked by the board.

    Fictional case study Align information security priorities with the strategic priorities of the organisation Take the time to engage with the right audiences and build a coalition Use the language and terminology of the audience Always ask for feedback to keep reporting relevant and meaningful Treat reporting as an opportunity to develop trust and influence beyond reporting

    Top tips


    Step 1. Understand the business context

    Step 2. Identify audiences and collaborators

    Step 3. Determine common interests

    Step 4. Identify the key information security priorities

    Step 5. Design KPI/KRI combinations

    Step 6. Test and confirm KPI/KRI combinations


    Step 1. Gather data

    Step 2. Produce and calibrate KPI/KRI combinations

    Step 3. Interpret KPI/KRI combinations to develop insights


    Step 1. Agree conclusions, proposals and recommendations

    Step 2. Produce reports and presentations

    Step 3. Prepare to present and distribute reports

    Step 4. Present and agree on next steps


    Step 1. Develop learning and improvement plans

    Phase B: Generate insightsPhase

    A: Es





    C: Cr



    ctPhase D: Learn and improve







    & BOARD

    Produc on

    Finance IT HR Legal ...... Informa onSecurity

    Sales Opera ons Services

  • Engaged Reporting: Fact and fortitude CONTACTFor more information, please contact:

    Steve Durbin, Managing Director

    US Tel: +1 (347) 767 6772UK Tel: +44 (0)20 3289 5884UK Mobile: +44 (0)7785 953 800Email: steve.durbin@securityforum.orgWeb: www.securityforum.org

    Where next?

    Engaged Reporting describes the fundamental components of successful reporting and provides a practical approach for CISOs to engage up, down and across at all levels of their organisations to identify and use relevant KPIs and KRIs necessary for fact-based decision-making. We recommend that the CISO in each ISF Member organisation:

    consider their specific goals for reporting and plan a way forward to achieve Engaged Reporting

    understand the fundamental concepts underlying the approach

    apply the approach: bearing in mind that this is a flexible and iterative process that will evolve in line with changes in their organisation and resulting reporting requirements

    benefit from the reporting indicators and example reporting formats in this report

    give careful consideration to the concepts in this report and consult other related ISF materials including IRAM2: The Next Generation of Assessing Information Risk, From Promoting Awareness to Embedding Behaviours: Secure by choice, not by chance, Information Security Strategy: Transitioning from alignment to integration, Engaging With The Board: Balancing cyber risk and reward and Information Security Governance: Raising the game.

    use ISF Live to share their thoughts, information, articles and other relevant materials, and to debate the ISFs findings in this report.

    Engaged Reporting is available free of charge to ISF Members, and can be downloaded from the ISF Member website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin at steve.durbin@securityforum.org.

    ABOUT THE ISFFounded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.

    ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals individually.