Report Recommendations

egrizzly · November 2021

Hi guys,

So can you all suggest some cyber security reports I can create for our upper management? This ask is especially for those of you in cyber management, or those of you who have dealt with the management types regularly?

I now happen to be the only cyber security guy in our organization, a company providing diagnostic services for the healthcare industry. There are about 5000 endpoints in the security space.

Anyways, I'm a senior engineer. One of my buddy managers in another field told me "...you know upper management they eat reports for breakfast and lunch. If you can get them the right you're good to go". So here I am ladies and gentlemen. A million high fives in advance for your comments, suggestions, recommendations, etc.

E Double U · November 2021

If you are able to link any of your activities to their strategic objectives then are golden. Whether that is showing your progress to resolving an audit finding (i.e. onboarding applications to a centralized IAM tool) or some operations numbers (i.e. SOC incidents, mitigated DDoS attacks, phishing websites taken down, etc).

How does mgmt expect this to be delivered? I have worked in Scrum/Agile environments that delivered this information via a PowerPoint presentation at the end of a sprint and environments that created Splunk dashboards for C-suite. Were you asked to deliver a report or is this your initiative?

egrizzly · November 2021

I was not asked to deliver a specific report @E Double U. The CTO however made a disturbing remark during our monthly meeting that "None of the executives knows what's going on with security. We don't know where we are"

So I'm simply trying to be proactive to show some type of effort to communicate securitys efforts in doing it's part. I don't want to do this on the reactive side when you get that ominous "we need to see something or else...." type of message from the higher ups if you know what I mean.

JDMurray · November 2021

egrizzly said:

Hi guys,

I now happen to be the only cyber security guy in our organization, ...

If these reports are monthly, you will spend--at least--one week per month doing nothing but collecting metrics, converting them into indicators, attempting to find why the indicators changed or did not change from the previous month, and compiling all that work into slides or PDFs for presentation to exes and inclusion into your documentation system so that your (internal/external) auditors can approve. Who will be doing the actual cybersecurity in your org when you are busy doing all of that?

egrizzly · November 2021

@JDMurray I just need one or two powerful ones and I plan on collecting the metrics week-by-week not wait till the last week of the month to do it. Realistically they're short-staffed and it's not realistic to produce the entire array of reports usually requested by executives.

JDMurray · November 2021

Your org will need to determine what "powerful" and "significant" are for it. Business, finance, and legal people are all interested in different KPIs. Do your execs want to see performance and quality indicators by quarter, month, or by week? (Hint: typically by month, so you won't find much time saved by collecting data weekly.) You will want to automate metrics collection as much as possible, but you will be astounded how manual of a process (e.g. dumping CSVs into Excel and filtering/pivoting, copy-paste-graph, etc.) collecting, searching/formulating, and presenting metrics data really is.

UnixGuy · November 2021

It sounds like you work for a small to medium size business, but i could be wrong.

A good start would be, do you have an internal audit? Were there any findings that were closed out? report on them. Did they find nothing? report on that. Do you have compliance obligations, report on them. Is there an initiative to be compliant with any standard? report on progress. etc. Is there a proper security architecture? report on that.

if the environment has nothing but tools, report on tools and what gaps exist and how you plan on close them.

Industry trends are a good one too, you can have a slide or two about the threat landscape. E..g if you work in healthcare, maybe report on latest threats in health care. Talk about the threat of Ransomware and what your organisation is doing to be better prepared.

Have you done a maturity assessment? have you have a cyber strategy? maybe create those and make them part of a report

there is no right or wrong answer.

I'd say because you said you are a security engineer, avoid reporting things like "the firewall blocked 3000 attacks last month" as this doesn't have context. Before giving them a number, ask yourself, what action do you expect them to take when they hear the number?

This is honestly usually the CISO's job but not every company has a CISO. Good opportunity for you to step up and get more visibility if you're interested.

Report Recommendations

Comments