Hidden C/S: Management Reporting
This post is part of a series about aspects of cybersecurity which are not obvious, especially to newcomers.
This post is about the cybersecurity aspects of management reporting, by which we mean "managing up" through information presentation.
What does cybersecurity have to do with management reporting? To answer that question, let us go down the cybersecurity chain from start to finish.
(1) Senior management signs off on a cyber asset as critical, which means that the asset is to be protected from at least one specific risk. This is Identify in the NIST CSF.
(2) Someone in the cybersecurity program (CSP) assigns a "control" to that risk for that asset. This is Protect in the NIST CSF. This step includes agreeing on what constitutes proof that the control is effective.
(3) Monitoring that control becomes part of someone's job. This is Detect in the NIST CSF.
(4) Sharing the results of that monitoring, the evidence which makes your CSP evidence-based, with a supervisor becomes part of that same someone's job, and their performance is judged on it.
(5) Summaries of that evidence join all the other management reporting used to keep senior management in the loop.
Management reporting comes into play in item (4) above. Most of the Cyber Defenders (practitioners of cybersecurity) are comfortable reading logs and gathering evidence. Most of the Cyber Defenders are comfortable talking to their peers about that evidence. Where communication tends to be weak is between the front line folks and their supervisors.
Engineers are taught how to communicate effectively with other engineers. We have a shared background and concepts, vocabulary and jargon. We are not taught how to communicate effectively with people who do not share our background and concepts, let alone our vocabulary or jargon.
But a formal Cybersecurity Program (CSP) depends on good communication both up and down the hierarchy. The people doing the protecting need to be protecting the agreed-upon assets from the agreed-upon risks using the agreed-upon procedures, so the priorities need to be communicated clearly down the hierarchy. Not merely stated, but communicated.
The formal CSP depends just as much on good communication up the ladder in order to give leadership confidence that the protecting is happening and that the protecting is effective.
This means that your CSP assumes and requires that your front line people can effectively describe and convey the evidence they use to prove that they are not only complying with their job requirements, but actually protecting the organization's assets from threats and vulnerabilities.
Don't assume that your engineers know how to effectively communicate technical information to non-technical supervisors. Make sure that they can and help them if they cannot. Evidence-based security only exists where the evidence is gathered, correctly analyzed and effectively communicated.
Pythia Cyber can help you on both ends: producing evidence that makes sense and making sense of the evidence you produce.