You Are What You Report: Marketing the Value of Information Security

Authors:
Jim Webb
Published:
Monday, November 20, 2017
Columns:
Cybersecurity and Privacy
min read

Regular and effective communication between information security programs and executive leadership is a critical success factor for any information security program. However, information security practitioners in higher education often face a challenge when telling their story and connecting their important contributions to their institution’s mission and objectives. This challenge is often based on several factors:

  • An information security program's successes in areas like cybersecurity and risk management are rarely evident and are often difficult to understand.
  • Executive leaders (e.g., boards, cabinets, presidents, chancellors) have a broad purview, and information security reporting must be timely, accurate, and, often most challenging, brief.
  • Information security programs generally express their contributions in terms of metrics based on security operations activities, process maturity modeling, or compliance tracking. While these are all valid and valuable metrics, these measurements rarely connect directly with issues that are of the most importance to executive leadership.

This short post explores value-based information security reporting, which represents a focus on establishing narratives of information security excellence in relation to three key themes:

  • Shared security successes
  • Security enablement
  • Executive leadership priorities and themes

Each report item is covered briefly below. A report sketch is also provided to help stimulate some ideas on how you can frame your successes in a new light, whether it's in meetings with leadership or with "elevator speech" opportunities.

Shared Security Successes

Information security successes are almost never solitary endeavors but involve important partnerships. While it may be tempting to highlight the contributions of the information security team (especially if perhaps the lion's share of the work has fallen to your team), it is often more important to ensure that leadership sees these contributions as collective wins. This accomplishes several important objectives:

  • It stresses the connectivity of information security in protecting the core-to-mission objectives of academic, research, and administrative areas.
  • It demonstrates the information security team's ability to foster the values of collaboration and collegiality that are integral to higher education culture and hallmarks of successful projects and endeavors.
  • It encourages continued engagement from campus partners, as they have seen how security collaboration offers broader recognition of their own efforts to help protect institutional data and reputation.

Security Enablement

Information security is often viewed through a lens of what is prevented. However, it is equally important to also be able to highlight how the contributions of information security programs build trust and resiliency and support informed selections of risks. This type of reporting necessitates taking in the big picture of how information security's risk management activities help decision makers exploit greater efficiencies and expand information service functions while also maintaining a desirable risk balance.

Here are a few important considerations when looking at how you can reflect these value contributions:

  • Success narratives in this area demonstrate a focus on seeking a pragmatic balance between risks and opportunities. To that end, it is very important that equivalent time and effort is spent understanding and relating the value proposition of an information need as well as its risk implications.
  • The partners you work with on these initiatives are often your best source for perspective in this area. Their insight and external vantage point are invaluable to better see how your own efforts support their endeavors, needs, and decision-making ability. Periodically reaching out to collect and discuss the goals and strategic plans of institutional units can be a great step to look for areas where your team can help safeguard the success of important endeavors.
  • It is requisite that your risk management methodology has developed sufficient formalism to ensure that risks are consistently analyzed, ranked, and communicated in a common manner. (Some great ideas and tips on furthering your risk management methods can be found in the EDUCAUSE Information Security Guide.)

Executive Leadership Priorities and Themes

It may sound like a no-brainer that you need to pay attention to leadership priorities and themes. However, when was the last time you really listened to and reflected on the objectives that your leadership set forth in meetings, public speeches, or strategic planning materials? Quite often, executive leadership will continually reinforce and reiterate key concepts, values, and institutional objectives to campus populations. When listening to your leadership communicate high-level objectives, it is especially fruitful to develop the habit of immediately considering how information security can contribute to success in these areas. In this day and age, every organizational objective invariably has some information dependency. While student retention objectives on the surface may not sound like information security issues, once you begin to tease apart how these objectives are pursued, information protection and assurance needs become very clear.

When you listen carefully and reflect key organizational goals within your own information security plans, you demonstrate that you are able to connect your work at the highest level of your institution's goals and mission. This is especially valuable to executive leadership, as it reaffirms trust that your program is connects with, aligns with, and supports these high-level objectives. Additionally, often by listening to and adopting the communicative themes used by leadership to explain information security contributions, you help your leadership see the relevance of information security efforts to their own strategic priorities.

Value-Based Report Sketch

The following "report sketch" is intended to generate some ideas on how you might frame your team's successes in a manner that highlights the three key themes listed above. Thinking through some of these report questions may help you consider new ways to relate your successes in a way that truly connects with leadership.

Some general report tips:

  • Keep it short
  • Keep it simple
  • Avoid jargon and acronyms
  • Measure graphics or charts by the quality of the questions they bring forward

Sample Quarterly Information Security Report

Reporting Examples

Security Support for Strategic Goals and Key Objectives

  • What are the key goals and priorities for your institution or unit?

  • What values, objectives, and communicative themes does your leadership use to explain and motivate action toward these goals?

  • How is your work supporting these objectives? How are you trying to help secure and protect success in these strategic areas?

Recent Campus Collaboration Work

  • Who did you partner with to perform risk or security reviews, develop new security solutions, or conduct incident response?

  • Which governance or collaboration groups may have helped you review policy, standards, and guideline development?

  • What sort of trends have you noticed while working alongside institutional partners? Are there commonalities in security needs or challenges that executive leadership would find interesting or revealing?

Security Enablement

  • Did your risk assessment activities uncover good security practices that provided greater confidence in adopting a new service or approach?

  • Did you find areas where low-risk and high-reward outcomes were possible?

  • Did you introduce new security capabilities that act as a foundation to enhance security of other services?

Sidebar Reporting Ideas

In the News
What are some of the security events or issues that your leadership may have read about? Did they happen on your campus? If not, was there a control or approach that helped to prevent it? Concisely reporting this can help enhance awareness of security value.

Security Opportunities
What are your security funding needs or challenges? How does executive leadership support of these security initiatives also support key institutional objectives?

James Webb is the chief information security officer at Appalachian State University.

© 2017 James Webb. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.