Today, cybersecurity, risk, and data protection are issues that are on upper management’s radar. Seeking to minimize the potential for business disruption, board members are getting more involved with the organization’s security program. Recent surveys indicate that 65% of companies are recruiting board members who are knowledgeable about security issues.
As a result, IT teams must prepare for management discussions that summarize the organization’s readiness to address security concerns across a vast, cloud-enabled landscape of users, applications, data, and threats. These discussions must do more than deliver a quarterly review of KPI’s, because they want to measure performance, map strategies to execution, and assess if things are going in the right direction. And if the numbers are not good, they need to know what they can do to make it better.
Unfortunately, these insights are often hard to obtain, because many security teams are dealing with reporting tools that produce some, but not all, of the information necessary to confidently engage in such comprehensive conversations. It always seems like there are knowledge gaps, often because the information is not available or not easily attainable. And the time spent every week producing reports and manipulating large volumes of data in spreadsheets is taking time away from the core mission of protecting the organization.
Understanding the role of analytics and reporting
Why is it so difficult to coax these answers? There are reporting tools in virtually every security product that an organization owns. But reporting is not the answer to every question, and the reasons why are not always apparent. Reporting is designed to answer very specific questions, and SecOps are increasingly being asked for dashboards that require analytics. Understanding where analytics can help is the first step towards building better, more effective communication with the management team.
The objective of reporting is to summarize the content of large data sets, which is useful when you need to get an understanding of what’s going on at a given point of time. The question is already known beforehand (such as “Top 10 DLP events”), so the process to generate the report is predefined and hardcoded. It also means that the data set to be analyzed is known in advance, the query against that data is predefined (counting the number of DLP violations), the variables that can be used to customize the query are predefined (a reporting tool might allow a range of dates, but not the flexibility to specify a range of weeks), and the format of the results are fixed (such as how