Sarb Sembhi

Job title:
President, ISACA London

Areas of expertise:
Data Quality Vs Data Integrity, converged risk management, protection of employees responsible for protecting critical business assets, threat modelling the critical national infrastructure.

Biography:
Sarb is a Security Consultant and Researcher; he has written papers and articles on various security topics and spoken at many conferences around the world. Sarb is the current President of the London Chapter of ISACA; a member of the ISSA-UK Advisory Group; Infosecurity Europe 2010 Advisory Council; InfoSecurity Magazine Editorial Board 2009 - 2010; RSA 2010 Programme Committee; and an individual member of the Parliamentary IT Committee. He is currently organising the 1st International Secure System Development Conference.

Board Level Security Metrics

Last week I attended the Infosecurity Council and had the privilege of spending some time with many security leaders. I always find these meetings very interesting, as I will always learn something that I didn't know before. This meeting was no exception: before the meeting started, I was chatting with Andrew Yeomans (from the Jericho Forum), and the conversation turned to a feeling that some of the topics covered in several security conferences over the last year had been very similar.

Soon the topic moved on to what is different now in the security industry that makes a difference in an organisation. As the conversation developed I was left with the following thoughts:

  • Other Board level roles have mature metrics that they are able to call on, e.g. Human Resources (headcounts, etc.), Finance (monthly accounts, budgets, forecasts, etc.), Sales (current, forecast, etc.), R&D (new products, stages of development, etc.).
  • Security, on the other hand, is not only not represented on the Board, but its metrics are not as mature, nor as widely recognised, either by the security industry itself or even by senior industry practitioners.
  • Furthermore, most Board metrics that may be provided will be out of date by anything up to a few days, without any loss of confidence in that Board member. Security metrics, however, are only really useful if they are up to date to within a few hours.

This got me thinking further, (thanks Andrew), about:

  • What is the unofficial norm across corporates (regardless of the security metrics they use) for how up to date metrics have to be to be meaningful enough to pass on to the Board?
  • What level of confidence do security managers want the Board to have in the security function?
  • Do you provide the same metrics to the business as you do to the Board? If not, which is more up to date?
  • What is the balance between providing threat information and risk information?

Also, by not having a standard set of metrics as other Board level roles (may) have, are we making it difficult to really understand the organisation's current security posture in terms the Board can relate to? I was left thinking that maybe we, the security industry, need to have two sets of Board level security metrics: those that we can all agree on, and those that we don't agree on, as they will depend on the business and industry.

There are several people who have done some excellent work in this field; I will report back on this with a list of resources, in the hope of moving the discussion closer to something useful.

Posted 23/11/2009 by Sarb Sembhi

Tagged under: infosecurity, security

RE: Board Level Security Metrics
Posted 16/10/2010 by Avtar Sehmbi
Hi Sarb, what I try and do is to tie up with the firm's business risk management processes. So I tie each technical risk management activity to business operations (as far as I can; there is a limit). So the security report should be tied to the business report structure and not have its own entity when discussing with board level stakeholders. This is to demonstrate that security plays an intrinsic part in business operations and you cannot divorce the two. I do then have a more technically structured and completely security-branded report entity for business level stakeholders. I am happy to take you through my reporting approach (not the report, of course!) when you come to the firm in Nov for the ISACA meeting ;-) I would also be interested in the metrics you suggest.
RE: Board Level Security Metrics
Posted 14/02/2010 by Brett Kilroe
Hi Sarb, Just wondering if you've had a chance to pull the metrics resources together you mentioned in your blog?