I agree Utilizamos cookies para mejorar la experiencia de navegación del usuario y para estudiar cómo se utiliza nuestro sitio web. Si navega por nuestro sitio web, estará aceptando el uso de las cookies en las condiciones establecidas en la presente política de cookies. Esta política puede ser actualizada, por lo que le invitamos a revisarla de forma regular.
¡HI! If you want to propose us a project, send a mail to firstname.lastname@example.org
By Bernardo Ramos, IT security expert
What is the use of reporting in general?
There are three possible answers:
Of course, everyone will say that the third option is the correct one
But in most cases the true answer is the first one without any further aim
If we want to know if we are doing well in terms of cybersecurity, if we really want to use reporting to identify things we need to change in order to progress, then we should build our dashboards to answer three questions:
Depending on the answers, we will be able to identify the necessary actions
How do we structure our scorecards on cybersecurity?
Our reporting should consist of three dashboards, each of which should answer one of the questions listed above.
Each scorecards should have several indicators representative of the risks that threaten our entity
Automation of the calculation of our indicators is a key success factor for truly effective reporting as it will guarantee that they are measured in a permanent and sustained manner.
For each indicator we will identify several reference values:
Here is an example of a reporting system as described above:
The Cybersecurity Scorecard that we present is structured in 3 axes to answer three different questions.
The answers to these questions will give us a diagnosis of our situation and will allow us to identify the actions needed to progress in the protection of our informational assets:
Here are some examples of indicators that could be used in our dashboard. In practice, the choice of indicators will depend on two criteria:
In our example, to answer the first question (Vulnerability) we propose the following eight indicators:
To answer the second question (Compliance), we propose the following nine indicators:
To answer the third question (Reliability) we propose the following eleven indicators:
In order to obtain a graphical representation, we will express each indicator with a value that can vary between 0 and 2.
The value 1 represents the "Threshold" (what we should get when everything works correctly with the existing resources)
A value less than 1 shows a positive performance
A value greater than 1 shows a malfunction in cybersecurity that requires our attention.
We will also define an "Objective" value, which corresponds to what we would like to achieve when we want to do better than the "Threshold". This will require, in general, to do something different, to use additional resources and to take actions that allow us to improve.
Figure 1 (IT Security Scorecard) is a synthesis of the consolidation of indicators for the three axes. There will be one column per quarter for each axis.
To simplify the reading of graphs, we have only recorded values for the first quarter
In this example, we can verify the following:
Figure 2 (Vulnerability Analysis) shows the detail of the indicators corresponding to the criterion "vulnerability"
Figure 3 (Compliance Analysis) shows the detail of the indicators corresponding to the Compliance criterion.
We noticed a problem with the indicators "Users with local admin", "Security updates" "Uncertified sites" and "Servers with vulnerabilities".
From this information, we can define the corresponding action plans to correct the anomalies.
Finally, figure 4 (Reliability Analysis) contains the details of the indicators corresponding to the criterion "reliability"
The only indicator to monitor would be the number of security crises formally activated during the period. An analysis of them will tell us if we have to act and in what sense.
What we describe above looks beautiful and with it, in theory, we would have a magnificent monitoring system that would give us an accurate picture of our situation regarding cybersecurity and alert us promptly when it would be necessary to take additional measures to keep our information assets properly protected.
But reality is more prosaic:
In short, the rigorous reporting on cybersecurity is uncomfortable for most of the actors involved and we need still many years before we generate a culture that leads to it.
by Albatian Feb. 19, 2017
by 4 May 9, 2017
by Albatian Jan. 10, 2017
by Albatian Nov. 14, 2016
by 4 July 9, 2017
by 4 Sept. 18, 2017
by 4 Jan. 7, 2020