What should a security report to executives look like? Are there any resources for security report templates?
I've often found that many executives do not have the time to read extensive written reports on the current security situation for the enterprise. Essentially, they simply need to understand what is coming up that they should be aware of and any key recent events that are worthy of their attention.
The first rule to remember is that most bosses do not like surprises, so one of the purposes of the security report is to minimize surprises for the management!
So, what should the report look like? I have found that a very high-level PowerPoint is the most effective medium. When I was CISO at the Port of Seattle, I recognized that it was hard to keep my bosses aware of the current and future security events, so I devised a simple weekly PowerPoint report that included the following information (usually one subject per page):
- Cover / title sheet – Include the dates the report covers (e.g., "Results: February 15 - 21, 2010" and "Plans: February 22 - 28, 2010"). I also inserted a simple logo of the InfoSec office and the title such as "Information Security Weekly Report." Remember C-level executives see lots of reports, so don't forget to make it clear that yours is specific to the organization's information security.
- Key events for next three months – Break out any key events – tests, meetings, travel, etc. – that you or other InfoSec staff will be doing for the next three months.
- Results – Highlight the results from the previous week. For this slide – and for the next slide Plans (see below) – I split the information into two vertical panels. The left panel was for the results of each day of the week by day/date (e.g., Monday, February 22). Then under each day I listed the key events/meetings that occurred that day. On the right panel I included those things that I considered key events – things like project progress, key intelligence (even from outside the company), etc.
- Plans – Similar to the format for Results.
- Key issues/problems requiring management awareness and attention – Put in the headlines and a few sub-bullets of those key items that the management should really be aware of, and perhaps may need to assist with.
Essentially, that is my security report template. I normally prepared it on Sunday nights in order to be ready for the upcoming week and to consider the follow-up actions that last week's activities still required.
I then emailed the report to my executive team, as well as other key managers, such as the network operations manager.
These reports were especially useful during review time, because I had a history collected of actions, results and key issues that helped me demonstrate my performance to the management.
An example of my presentation created by this security report template (.pdf) can be found here.