What should a security report to executives look like? Are there any resources for security report templates?
I've often found that many executives do not have the time to read extensive written reports on the current security situation for the enterprise. Essentially, they simply need to understand what is coming up that they should be aware of and any key recent events that are worthy of their attention.
The first rule to remember is that most bosses do not like surprises, so one of the purposes of the security report is to minimize surprises for the management!
So, what should the report look like? I have found that a very high-level PowerPoint is the most effective medium. When I was CISO at the Port of Seattle, I recognized that it was hard to keep my bosses aware of the current and future security events, so I devised a simple weekly PowerPoint report that included the following information (usually one subject per page):
Essentially, that is my security report template. I normally prepared it on Sunday nights in order to be ready for the upcoming week and to consider the follow-up actions that last week's activities still required.
I then emailed the report to my executive team, as well as other key managers, such as the network operations manager.
These reports were especially useful during review time, because I had collected a history of actions, results and key issues that helped me demonstrate my performance to the management.
An example of my presentation created by this security report template (.pdf) can be found here.
03 Feb 2010