Security Basics mailing list archives

RE: Reporting to Senior Management


From: kurtis.myers () us army mil
Date: Wed, 1 Oct 2003 08:07:34 +0200

I have prepared statistical briefs of various security measurements and
believe a good method is to identify the bottom line of information that is
important to your management and its operation; i.e. if it's finance...what
do the numbers mean to accounting in the way of threat to continuous
operation, integrity of data, and confidentiality of data.  Another aspect
of reporting is to determine what interests management; the good news..."all
AV signature files are current" or just the facts of the bad news..."We've
identified 30 instances of Blaster on our networks".  I always liked to put
the positive twist on statistics; the glass is always half full.  As any
good staff worker knows....don't ever identify a weakness unless you know
how to fix or mitigate the risk (we all know the less it costs, the better
chance for the "buy in").

I also agree with the concept of salesmanship in security; if it was any
other product how prosperous would/could we be??  Just my thoughts on the
topic.

Kurtis Myers
Information Assurance Officer
66th MI Grp

-----Original Message-----
From: Kris.Kendrick () midfirst com [mailto:Kris.Kendrick () midfirst com] 
Sent: Wednesday, October 01, 2003 12:31 AM
To: security-basics () securityfocus com
Subject: Reporting to Senior Management


All of us in this field understand that Information Security is viewed by
our superiors as a lot of "needed" overhead.  But as security folks, we need
to be able to sell our product on a seemingly daily basis.  We struggle
showing any added value or ROI to information security unless something
"bad" happens to our networks.  I am currently tasked with reporting log
aggregation to senior management (information such as DAT file status for
our anti-virus software, security log review on various critical servers,
RAS access reviews etc).

Do any of you have any suggestion as to how to present this information to
senior management?  Are there any tools out there that would be useful to
report network security activity besides expensive solutions such as
Bindview and Pentasafe.

Thanks
Kris

