Lack of Confidence in Metrics Leads to Reporting Problems
When was the last time you felt confident reporting on your organization's security posture and needs?
According to a Ponemon survey, 54% of IT and security pros aren't convinced the metrics they're tracking adequately convey the true state of their security efforts. (There's no data to reflect how confident Phil feels about his own shadow/no shadow metric, but based on the fact his predictions are incorrect 60% of the time, that doesn't give us much reason to take stock in his reporting.)
There are various reasons IT and security pros cite for not using more accurate metrics, but the most common is surprising: It simply isn't a top priority.
What makes that such a discouraging answer is that without the right goals and metrics in place, you're essentially throwing darts at a dartboard with a blindfold on. You have no way of being certain your efforts are focused on the right things, or that they are actually yielding positive, meaningful results.
Before you know it, that can lead to a pattern where you're generating a lot of effort (and potentially burning through a big chunk of budget) without clear, measurable progress to show for it.
3 Keys to Better Reporting & Breaking Out of the "More Money, Same Problems" Loop
To avoid getting trapped in your own version of a Groundhog Day time loop you need to do three things:
Identify the most effective metrics to track progress against those goals.
Establish a regular cadence for reviewing and reporting on that progress.
That may sound simple, but as the difficulties cited in the Ponemon survey indicate, it's clearly not. A closer look at that list, however, shows that the majority of reporting obstacles are either communication or prioritization issues, and those can largely be addressed by doing these three deceptively simple things.
(The two reasons toward the bottom of the list may in fact be tougher nuts to crack, but developing further clarity around your needs and goals can potentially help with those, as well.)
The Benefits of Steady, Streamlined Security Reporting
Establishing an effective reporting structure and rhythm does require a healthy amount of work up front, but it's necessary to ensure your future efforts are meaningfully productive and aligned with your needs. As much as possible, keep things simple, and strip out anything in your reporting that doesn't reflect directly on performance against your top objectives and goals.
Security cannot be approached as a one-and-done activity. As nice as it is to imagine we can simply check off a series of boxes and move on, that's unfortunately not how it works. Every day, new attacks are discovered and new vulnerabilities exposed. To keep up, you need to adopt an incremental, reflective, and iterative approach that provides you with regular opportunities to learn, adjust, and improve.
At the end of the day, that's what good reporting is all about.