Computerworld -
Issue: The CIO's understanding of the company's security posture comes from the metrics provided each quarter.
Action plan: Take the time to review the metrics whenever possible.
The best way for my company's CIO to know details of our information security posture is for him to receive meaningful metrics in the quarterly IT scorecard. The information security metrics are my responsibility. Whenever I can, I like to review what I am gathering -- and, therefore, what I am telling the CIO about our security strengths and weaknesses.
I had such a chance over the past two weeks. One thing I want to be sure of is that my metrics aren't met with a "So what?" I also purposely keep them to just a handful. The CIO and other IT managers don't want to be deluged with data, and my experience has been that CIOs don't care about things like how many port scans the intrusion-detection system (IDS) has uncovered. Our CIO wants to be aware of the company's susceptibility, and I want him to be able to judge the return on investment for our security infrastructure.
But if I had to narrow it down to one security thing that the CIO really wants to know about, I'd say it's viruses and our susceptibility to a virus attack. Why? Because a virus attack takes up hours of IT resources and makes the IT department look bad.
I had been reporting on patch and virus compliance only for desktops. In this review of the metrics, though, I decided to add Unix and Windows servers. The report on patch compliance will now read, "Percentage of managed systems that have required patches installed, per policy," and it will break down into three categories: desktops, Windows servers and Unix servers. That will show rather dramatically how weak we are in Unix patch compliance. Our Unix environment is very fragile, and attempts to install patches often lead to problems with applications.
The next metric also focuses on viruses, reporting on the percentage of managed desktops and servers with the latest virus engine and pattern file. I am sure that our CIO is aware that there is a direct correlation between the lack of an updated pattern file and virus incidents.
From there, the metrics will shift to report on our ability to effectively monitor the network for unauthorized activity. Our CIO shelled out more than $100,000 for our IDS deployment, and I want to make sure he knows that what we got for that money falls short of 100% coverage. Therefore, I will be sending him reports on the percentage of external access points covered by the IDS and on the percentage of time we spend analyzing data for each sensor.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
