Security Manager's Journal: A security roundup in 20 minutes flat

Computerworld - You're a security manager with 20 minutes to communicate to the CIO the precise state of your company's security posture. You need to demonstrate that things have improved, but you have to make it clear that things could be even better if you received more funding. The CIO and his staff are hearing from every functional unit under his control, and he'll be extracting key slides for when he goes on to make a similar presentation to the CEO.

How's that for pressure?

This is what happens every quarter in my company, and it's no exaggeration to say that those presentations constitute the most important 80 minutes of the year for me. I think of my 20 minutes each quarter as my opportunity to present our security State of the Union.

I divide my presentation into several sections. The first, a review of my role in the company, takes only a couple of minutes. It might seem like a waste of some of my precious 20-minute allotment, but from time to time, my role is modified, and I like to keep everyone up to date.

Next up are metrics, which are an effective means of communicating the level of information security we are achieving. When I tell the CIO and his staff the percentage of our Windows PCs and servers that are up-to-date with antivirus and security patches, they understand the implications. They know that there's a direct correlation between a low percentage of antivirus compliance and an increase in virus incidents. And having been through major outbreaks in the past, they share my desire to never go through that mess again.

They have a similar understanding when I tell them the percentage of our network that's being monitored by intrusion-detection software and data-loss prevention sensors, or when I tell them how closely we're maintaining our environment to a known baseline configuration.

Another metric of great interest is the percentage of projects that gained my approval during the operational readiness phase rather than late in the project life cycle. That number has been rising, showing that IT is thinking of security in the early stages.

Then I turn to my group's highlights and lowlights. One highlight this quarter was certainly our success in data-loss prevention and how that translates to return on investment (all discussed in more detail in my July 21 column). But I also had successes in obtaining funding for a secure FTP project and in getting security embedded into the project life-cycle management process.

One lowlight was related to one of the highlights: It's difficult to properly operate the data-loss prevention infrastructure without additional head count. Another lowlight this quarter was a nudge directed at the CIO himself, as I communicated my frustration that some policies I had updated had yet to be ratified by him.

And then there's the budget, which is always a lowlight. Without proper funding, it's difficult to execute on previously established road maps, since I have to spend time and energy seeking commitments from other business units.

I conclude with a heads-up slide, which I also refer to as "Watch out, here it comes." This quarter, I revealed some of the findings from a recent security assessment we had done as part of an acquisition. Then I had to give everyone a heads-up about employees' increased use of mobile devices, particularly iPhones. Employees are discovering all sorts of new ways to connect these devices to our network. My message: "Watch out, here comes a new policy."

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Join in To join in the discussions about security, go to computerworld.com/blogs/security.

Read more about Security in Computerworld's Security Topic Center.