Sina Manavi


CISO Dashboard and Security Metrics
Sina Manavi
13th Oct
Speaker
• Sina is a Senior Manager in the Group Information Security Governance Team at AIA.
• Worked over a decade in the Financial and Banking sector, government agencies and SMEs.
• Areas of Expertise: Former Pentester, IT Security Risk and Governance, Security Posture Assessment, Cyber Threat and Vulnerability Management, Cyber Threat Intelligence, and Public Speaking.
• Sina also serves a number of clients as vCISO in Strategy Planning and Digital Security Transformation.
Agenda
• Common CISO Questions
• Control and Metric
• Know Your Organization
• Key Security Objectives
• How to Select Key Security Metrics
• CISO Dashboard
• Know Your Audience & Reporting
What CISOs are being asked
Questions coming to the CISO from every side:
• Organization Top Risk
• Cyber Risk Posture
• Resiliency Trending
• Tools Budget
• Regulatory and Compliance
• Risk Level
• Business Objective
• Competitors

How to answer these questions? A proper Risk Control and Metrics Framework.
Controls and Metric
Controls: Define what needs to be measured to meet the Organization objective.
Metric: A measure to compare against a standard.
Key Risk Indicator (KRI): Defines potential risk related to a specific action. It also defines the threshold.
Key Performance Indicator (KPI): Usually defines the performance and timeline, SLA.
Cannot Measure, Cannot Improve.
Read it again.
Know Your Organization
• Different organizations have different business objectives
• Not all organizations have the same Risk Tolerance
• Different Organization, Different Risk, Different Response
Know your Organization
Define Control Library and Measurement
Know your Audience
Report Accordingly
Security Metric Objectives
• Representing the Overall Security Posture and Maturity
• ROI and Effectiveness of IS Program
• Track IS Program and Project Progress
• Better Resource Allocation (especially on people & budget)
• To Identify and Improve Process/Controls Gap by using Metric
• Risk Response Prioritization
• To Meet Regulatory and Compliance Requirement
Good metrics should be SMART
Specific: What exactly do you want to achieve?
Measurable: How will you identify that you have achieved your goal?
Achievable: Is your goal really attainable?
Relevant: Is it relevant to you or, in other words, does it align with where you want to be?
Time-bound (or timely): When will you deliver your goal, and what are the key milestones?
NIST Cyber Security Framework
• Identify: how good we are at Identifying Threats
• Protect: to what extent we are protected
• Detect: can we detect an incident? How fast?
• Respond: which incidents we can/cannot respond to in a timely and effective manner
• Recover: how good we are at resiliency
• “Where we need to focus and allocate more resources to meet the Gap”
The more you know
The more you can decide strategically
The more you grow
Security Metric Challenges
1. Lack of Awareness on calculation methods
2. Shock and Awe Metrics with no proper Context (5,000 vulnerabilities?)
3. Difficult to translate different metrics based on the Audience
4. Obtaining reliable data is difficult (e.g. inventory, Visibility)
5. CMMI Maturity Model may not reflect the actual risk in the Environment.
6. Metrics without follow-up action are useless
7. IS Awareness and Training alone are not necessarily effective.
What a CISO Dashboard MUST have
• Vulnerability Management & Number of Exploitable Crown Jewels
• Mean Time to Patch
• Security Tools Health State
• Policy Violation & Exception and Time window
• Regulatory and Compliance State
• Open Audit Issues
• Open Critical and High Incidents and Investigation
• Effectiveness of IS Awareness and Training
• % of Phishing Assessment Effectiveness
• Budget Consumption
• 3rd Party Vendor Risk Management
• Mean Time to Detect and Respond to a Potential Threat Effectively
• Privileged Access Monitoring and controls
• Key Security Initiative Project Tracker

Integration and Visualization tools will be your Guardian Angel
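As an added example (not from the slides, and not the speaker's or AIA's code), the following Python models the Controls / Metric / KRI / KPI chain from the "Controls and Metric" slide on three of the dashboard items above (Mean Time to Patch, exploitable Crown Jewels, patching SLA compliance), and shows the "context, not shock and awe" point from the challenges slide by putting a raw finding count next to the number of exploitable crown jewels. Every record, asset name, date and threshold is constructed for illustration; the field names and the Red/Amber/Green banding are assumptions of this example, not anything the slides define.

```python
# Added example, not from the slides: a small model of the
# Controls / Metric / KRI / KPI chain applied to three CISO dashboard items.
# All records, asset names, thresholds and dates are constructed for
# illustration; the field names are assumptions for this example.
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Vulnerability:
    asset: str
    severity: str            # "critical" / "high" / "medium" / "low"
    crown_jewel: bool        # asset is a business-critical system
    exploitable: bool        # a working exploit is known and the asset is reachable
    discovered: date
    patched: Optional[date]  # None while the finding is still open


# Constructed sample findings (not real assets or real dates).
VULNS = [
    Vulnerability("core-banking-db", "critical", True, True, date(2023, 9, 1), date(2023, 9, 12)),
    Vulnerability("core-banking-db", "high", True, False, date(2023, 9, 5), None),
    Vulnerability("marketing-site", "critical", False, True, date(2023, 9, 3), date(2023, 9, 30)),
    Vulnerability("dev-jumpbox", "medium", False, False, date(2023, 8, 20), date(2023, 9, 2)),
    Vulnerability("hr-portal", "high", True, True, date(2023, 9, 20), None),
]
AS_OF = date(2023, 10, 13)  # constructed reporting date

# KRI thresholds: assumed policy values, i.e. the SLA each metric is checked against.
PATCH_SLA_DAYS = {"critical": 14, "high": 30}
MAX_EXPLOITABLE_CROWN_JEWELS = 0


def mean_time_to_patch(vulns, severity, as_of):
    """Metric: mean days from discovery to patch for one severity.
    Still-open findings are aged to as_of so a stale backlog is not hidden."""
    ages = [((v.patched or as_of) - v.discovered).days
            for v in vulns if v.severity == severity]
    return float(mean(ages)) if ages else 0.0


def patched_within_sla_pct(vulns, severity):
    """KPI: share of findings of this severity that were closed inside the SLA."""
    sla = PATCH_SLA_DAYS[severity]
    cohort = [v for v in vulns if v.severity == severity]
    on_time = [v for v in cohort
               if v.patched is not None and (v.patched - v.discovered).days <= sla]
    return 100.0 * len(on_time) / len(cohort) if cohort else 100.0


def exploitable_crown_jewels(vulns):
    """Context instead of shock and awe: open, exploitable findings on
    crown-jewel assets, rather than a raw count of everything ever found."""
    return sorted({v.asset for v in vulns
                   if v.crown_jewel and v.exploitable and v.patched is None})


def rag_status(value, threshold):
    """Translate a number into the Red/Amber/Green form a board expects:
    Green within the KRI threshold, Amber up to 50% over it, Red beyond that."""
    if value <= threshold:
        return "Green"
    if value <= threshold * 1.5:
        return "Amber"
    return "Red"


def dashboard(vulns, as_of):
    """One slice of a CISO dashboard: each metric value next to its KRI status."""
    mttp_crit = mean_time_to_patch(vulns, "critical", as_of)
    mttp_high = mean_time_to_patch(vulns, "high", as_of)
    jewels = exploitable_crown_jewels(vulns)
    return {
        "total_findings": len(vulns),
        "open_findings": sum(v.patched is None for v in vulns),
        "mttp_critical_days": mttp_crit,
        "mttp_critical_status": rag_status(mttp_crit, PATCH_SLA_DAYS["critical"]),
        "mttp_high_days": mttp_high,
        "mttp_high_status": rag_status(mttp_high, PATCH_SLA_DAYS["high"]),
        "critical_patched_within_sla_pct": patched_within_sla_pct(vulns, "critical"),
        "exploitable_crown_jewels": jewels,
        "crown_jewel_status": rag_status(len(jewels), MAX_EXPLOITABLE_CROWN_JEWELS),
    }


if __name__ == "__main__":
    for key, value in dashboard(VULNS, AS_OF).items():
        print(f"{key:32} {value}")
```

With the constructed data the dashboard reports five findings in total but two open, a critical Mean Time to Patch of 19 days (Amber against a 14-day KRI), a high-severity Mean Time to Patch of 30.5 days (Amber against 30), 50% of critical findings patched within SLA, and one exploitable crown jewel (Red, since the KRI threshold is zero). The design point is that the same numbers feed two audiences: the "days" and "%" values are what an operations lead acts on, while the RAG status is the form a board reads.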


Know Your Audience & Reporting
Audience tiers, from high level to details: Board, C-Suite, Mid Management, Op Lead
• Good Metrics should be translatable for different Audiences
• Answer how good the security is based on your Audience's interest
• Represent only the Key Interest Metrics
• Less is more, not everyone needs technical details.
• Understand what your Audience wants
• Understand the awareness and understanding level of your Audience
• Never Assume, always verify
• If your audience is senior management and board/C-suite, be ready to present in $ metrics rather than HML (High/Medium/Low).
• Visualize your metrics and risk Level
