
What should CISOs include in security reports?

Security reports are a good way for CISOs to communicate with the board of directors. Here are specific topics that should be included in the reporting.

A session at RSA Conference 2015 discussed how chief information security officers (CISOs) report to the board, specifically looking at what types of information and metrics are presented. A study found that most CISOs focus their reporting on vulnerability management, while incident response plans, compliance audits and specific security projects receive less time and priority; in addition, 12% of CISOs include no metrics at all in their security reports. What advice do you have for making CISO reporting more balanced and actionable? How much of a role should security metrics play in the reporting?

If you were to survey the CEOs of the Fortune 1000 and ask them what keeps them up at night, the answer would not be cybersecurity. Their primary driver is to maximize shareholder wealth. The board of directors governs the organization by establishing broad policies and objectives, approving annual budgets, setting compensation packages for company management and focusing on the viability and profitability of the enterprise. Understanding this executive mindset will help you determine what needs to be included in security reports.

The makeup of a typical board of directors, in addition to the CEO and selected company executives, includes former CEOs, recognized experts in the company's industry and former Big 4 partners. The CISO should know specifically who sits on the board. Depending on who they are, their backgrounds and their interests, the CISO can tailor security reports to provide expert guidance and ensure they understand what risks exist for the company.

Security metrics are critical to collect, if for no other reason than to identify the attack vectors being used against the company. But reporting on the minutiae of attack types does not give the board what it needs to decide on matters related to the information security program.

A passive board of directors just wants to know if everything is under control and if there are any security matters that should be brought to their attention. They want to know if they are in jeopardy of not being in compliance with privacy, disclosure, data retention or information protection laws and regulations. An active board will approve a charter for the information security program. They will annually approve the information security policy and empower the CISO to deploy the proper level of security necessary to protect corporate assets.

The focus of security reports should be on current risks, compliance, incident response, attack vector experience and evolving risks that the company needs to prepare for. Security reporting should be relevant, comprehensive, flexible and easy to understand.

The information security program should be based on a well-established, industry-accepted framework. There are many; one example is ISO/IEC 27002, which groups its controls into domains (14 of them in the 2013 edition, the one current when this was written). An information security assessment should be conducted to produce a score for each domain. The CISO can briefly explain the framework and how each domain's score is calculated, but it will be more effective to show the board only a visual representation of the results, such as a pie chart or bar chart. Be on the agenda for every board meeting, and show the chart from the initial assessment alongside each subsequent one so the board can see the progression at a glance. The remaining time allotted for the CISO's report should be used to describe current remediation efforts and what is planned to make further progress.

Boards are becoming more security-aware. They read the news and wonder whether their company will be the next casualty, and they look for lessons from others' breaches to prevent the same thing from happening to them. CISOs should make sure their security reports show what the company is doing to reduce that likelihood; no report can credibly promise that a breach will not happen.



This was last published in November 2015


Comments

What do you think is important to include in security reporting?

I think the maturity level of the information security program, measured against whichever framework(s) you have used to develop your program, with an established target maturity level, the current state and a roadmap to achieve the designated maturity, are key metrics for the board and senior management.
