CISO Dashboards: Securing Information One Metric at a Time

January 21, 2016

By Maurice Nagle - Web Editor

In 1995, Citicorp/Citigroup named Steve Katz as its Chief Information Security Officer (CISO). Katz is credited as the first to hold the title, anywhere. It has been over 20 years, and the enterprise landscape has changed dramatically, posing new challenges and threats to a firm’s vision and security. The advent and adoption of burgeoning technology, such as the cloud and “as-a-Service” solutions, is raising the bar for enterprise security.

The CISO is responsible for implementing and maintaining the enterprise vision and strategy while minimizing IT risk along the way. Like many in the enterprise, this role relies on technology. The Information Systems Audit and Control Association (ISACA) describes six outcomes of information security governance, and most CISOs need their dashboard to keep a laser focus on those objectives.

The six outcomes include:

  • Performance Management: monitoring and reporting on security processes to ensure objectives are realized.
  • Strategic Alignment: the alignment of business objectives and security efforts.
  • Resource Management: ensuring infrastructure and information security knowledge are leveraged efficiently and effectively.
  • Risk Management: ensuring the proper actions are taken to minimize risk and potential threats.
  • Value Delivery: making smart investments in security to provide the optimal return on investment while working toward business objectives.
  • Business Process Assurance: ensuring effectiveness and efficiency in the firm’s security initiatives by integrating the relevant assurance functions.

CISOs are tasked with educating senior management on the status of the firm’s information security investments and the business risks involved. In broad strokes this extends to traditional security concerns and human resources, as well as legal and regulatory compliance.

Digging deeper, in order to make effective business operations decisions a CISO requires a wide range of risk metrics: risk identification, quality and service levels, log and patch management, network discovery, attack monitoring and threat management, as well as security incident statistics and reaction times.

With such diverse needs, implementing a CISO dashboard is not an open and shut case, or at least it shouldn’t be. It is critical to develop a plan based on the information gathered and to create a roadmap for the selection process. Review the metrics reported by each candidate solution and prioritize the metrics to develop that coincide with the firm’s business objectives. Put that plan into action by developing the metrics, defining each at the required granularity, and drawing up requirements for visualization. Finally, define data sources and technical requirements before implementation and user training.
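The article lists reaction times, incident statistics and patch management among the metrics a dashboard should carry, and the roadmap above asks for each metric to be defined precisely before a data source is chosen. The following is an added example, not code from the article or from any dashboard product, showing what “defining each metric at the required granularity” looks like in practice: a few incident and patch-status records (constructed sample data, not real hosts or incidents), with each metric written as a small function whose definition is explicit, including the edge cases a dashboard usually glosses over (no closed incidents to average, an incident that is still open but has already overrun its SLA). The severity levels, SLA hours and field names are assumptions for the illustration.

```python
# Added example: computing a handful of CISO dashboard metrics from
# constructed incident and patch-status records. Illustrative code only;
# every record value, severity label and SLA figure below is made up.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Incident:
    incident_id: str
    severity: str                      # assumed levels: "high", "medium", "low"
    detected_at: datetime
    contained_at: Optional[datetime]   # None while the incident is still open


@dataclass
class Host:
    hostname: str
    critical_patches_missing: int


def hours_open(inc: Incident, now: datetime) -> float:
    """Reaction time in hours: detection to containment, or to `now` if still open."""
    end = inc.contained_at if inc.contained_at is not None else now
    return (end - inc.detected_at).total_seconds() / 3600.0


def mean_time_to_contain(incidents: List[Incident],
                         severity: Optional[str] = None) -> Optional[float]:
    """Mean hours from detection to containment, over closed incidents only.
    Returns None when there is nothing to average instead of dividing by zero."""
    closed = [i for i in incidents
              if i.contained_at is not None
              and (severity is None or i.severity == severity)]
    if not closed:
        return None
    return sum(hours_open(i, i.contained_at) for i in closed) / len(closed)


def open_incidents(incidents: List[Incident]) -> List[str]:
    """Ids of incidents that have not yet been contained."""
    return [i.incident_id for i in incidents if i.contained_at is None]


def sla_breaches(incidents: List[Incident], sla_hours: Dict[str, float],
                 now: datetime) -> List[str]:
    """Ids of incidents whose reaction time exceeded the per-severity SLA.
    Open incidents are measured against `now`, so a lingering incident shows
    up as soon as it overruns the SLA rather than only after it is closed."""
    return [i.incident_id for i in incidents
            if hours_open(i, now) > sla_hours[i.severity]]


def patch_compliance(hosts: List[Host], max_missing: int = 0) -> float:
    """Share of hosts with at most `max_missing` critical patches outstanding."""
    if not hosts:
        return 0.0
    compliant = sum(1 for h in hosts if h.critical_patches_missing <= max_missing)
    return compliant / len(hosts)


def build_dashboard(incidents: List[Incident], hosts: List[Host],
                    sla_hours: Dict[str, float], now: datetime) -> dict:
    """Assemble the values a dashboard panel would render."""
    return {
        "mttc_hours_all": mean_time_to_contain(incidents),
        "mttc_hours_high": mean_time_to_contain(incidents, "high"),
        "open_incidents": open_incidents(incidents),
        "sla_breaches": sla_breaches(incidents, sla_hours, now),
        "patch_compliance": patch_compliance(hosts),
    }


# Constructed sample data (not real incidents or hosts).
SAMPLE_INCIDENTS = [
    Incident("INC-1", "high", datetime(2016, 1, 4, 9), datetime(2016, 1, 4, 13)),   # 4 h
    Incident("INC-2", "medium", datetime(2016, 1, 5, 10), datetime(2016, 1, 6, 10)),  # 24 h
    Incident("INC-3", "high", datetime(2016, 1, 7, 8), datetime(2016, 1, 7, 20)),   # 12 h
    Incident("INC-4", "low", datetime(2016, 1, 8, 11), None),                       # still open
]
SAMPLE_HOSTS = [
    Host("web-01", 0), Host("web-02", 2), Host("db-01", 0), Host("app-01", 1),
]
SAMPLE_SLA_HOURS = {"high": 8.0, "medium": 48.0, "low": 72.0}   # assumed SLAs
REPORT_TIME = datetime(2016, 1, 12, 0)                           # "now" for the report

if __name__ == "__main__":
    for name, value in build_dashboard(SAMPLE_INCIDENTS, SAMPLE_HOSTS,
                                       SAMPLE_SLA_HOURS, REPORT_TIME).items():
        print(f"{name}: {value}")
```

Two design points matter more than the arithmetic. First, an average over "all incidents" silently excludes open ones, so the dashboard should show the open count next to the mean or the mean will look better the more incidents are still unresolved. Second, measuring open incidents against the report time makes the SLA panel report INC-4 as a breach now, which is the figure a CISO needs for a decision, rather than weeks later when the ticket is closed.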

Once a solution is implemented, it should be continually optimized. This is the only way to ensure reporting stays in line with company objectives, as metrics evolve with security capability and the threat landscape. Shifting business priorities, new assets, company acquisitions and new vulnerabilities are several of the factors that prompt adjustment.

The proper dashboard implementation will be scalable and ready to evolve with the firm. All of this may sound obvious, but you’d be surprised how many firms don’t “measure twice, cut once” when working through the process. While much has changed since Katz assumed his position, the responsibilities of the CISO today are much the same: keeping information secure in an efficient and effective way.

What’s on your CISO’s dashboard?

Edited by Kyle Piscioniere