Area of expertise: Cyber Security
Service area: Cascading strategy / Executing projects
With the execution of a newly formulated information security strategy, the demand for transparent communication of progress arose for a large client within the energy sector. The client faced several challenges in its existing reporting setup.
Firstly, reporting was done completely manually, including the collection of data and the creation of presentations.
Secondly, ownership of the key security indicators upon which the reports were built was dispersed, and a total overview of all key security indicators available in the department was lacking.
As a result, the opportunity to push the information security posture of the company through reporting was underutilized, and a large FTE overhead was required each time a report had to be made.
WHAT WE DID
As a first step, three layers of reporting (strategic, tactical, and operational) were defined by KK. The existing reporting setup was reviewed, and a new automated setup was proposed and approved. Prioritization of automation for existing reports was done by a steering committee composed of key stakeholders, based on the three layers.
Once the desired capability had been defined and existing reports had been prioritized for automation, a project plan was devised and approved by the steering committee.
Critical to the success of the capability was a strong data foundation. The following two components were proposed and implemented by KK:
- It was desired to get a clear overview of the metrics available in the InfoSec department and the ownership of these. KK achieved this by creating a “Metric Catalogue”, which acts as the single source of truth for the capability by containing all relevant information, including ownership, on the metrics and data being utilized. A series of interviews was conducted with key stakeholders to provide and define this information, and processes were established to maintain the catalogue.
- Automatic reporting was achieved with two components: firstly, a central data repository in the cloud was created to store all data used for reporting; secondly, a BI platform was created and connected to this repository, where reports could be stored in modularized form and updated automatically at pre-determined frequencies.
Once the foundation had been established, KK oversaw the development of automatic integrations to source systems and performed data validation. In conjunction with a dedicated BI expert and the report owners, KK developed BI versions of the prioritized reports.
Lastly, KK documented the processes associated with the maintenance and operation of the capability, and roles and responsibilities for these were defined.
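The data foundation described above (a metric catalogue that records ownership and layer for every indicator, a central repository of data points, and validation before a report is built) can be illustrated in code. The following is an added example written for this page, not KK's or the client's implementation; the metric names, owners, source systems, cadences and data points are constructed, and the validation rules (missing owner, missing or stale data, data with no catalogue entry, duplicate entries) are assumptions about what such a check would cover.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Metric:
    """One row of the metric catalogue: the single source of truth for a metric."""
    metric_id: str
    name: str
    owner: str           # accountable team; empty string means no owner assigned
    source_system: str   # system the automatic integration pulls from
    layer: str           # "strategic", "tactical" or "operational"
    cadence_days: int    # how often a fresh value is expected in the repository


VALID_LAYERS = {"strategic", "tactical", "operational"}

# Constructed catalogue entries (illustrative, not the client's real metrics).
CATALOGUE = [
    Metric("PATCH_SLA", "Critical patches applied within SLA (%)", "Vulnerability Mgmt",
           "vuln-scanner", "tactical", 7),
    Metric("PHISH_CLICK", "Phishing simulation click rate (%)", "Security Awareness",
           "awareness-platform", "strategic", 30),
    Metric("MFA_COVERAGE", "Privileged accounts with MFA (%)", "IAM",
           "identity-provider", "strategic", 7),
    # Owner deliberately left empty to show the ownership check.
    Metric("OPEN_INCIDENTS", "Open security incidents (count)", "",
           "ticketing", "operational", 1),
]

# Constructed data points standing in for the central data repository:
# (metric_id, observation date, value).
REPOSITORY = [
    ("PATCH_SLA", date(2024, 5, 1), 91.0),
    ("PATCH_SLA", date(2024, 5, 8), 94.5),
    ("PHISH_CLICK", date(2024, 4, 1), 6.2),      # older than its 30-day cadence
    ("MFA_COVERAGE", date(2024, 5, 6), 98.1),
    ("EDR_COVERAGE", date(2024, 5, 9), 97.0),    # no catalogue entry for this one
    # OPEN_INCIDENTS has no data points at all.
]

AS_OF = date(2024, 5, 10)  # report date used by the checks below


def latest_points(repository):
    """Reduce the repository to the most recent (date, value) per metric."""
    latest = {}
    for metric_id, observed, value in repository:
        if metric_id not in latest or observed > latest[metric_id][0]:
            latest[metric_id] = (observed, value)
    return latest


def validate(catalogue, repository, as_of):
    """Return human-readable issues found when reconciling catalogue and data."""
    issues = []
    seen = set()
    latest = latest_points(repository)
    for m in catalogue:
        if m.metric_id in seen:
            issues.append(f"{m.metric_id}: duplicate catalogue entry")
        seen.add(m.metric_id)
        if not m.owner:
            issues.append(f"{m.metric_id}: no owner assigned")
        if m.layer not in VALID_LAYERS:
            issues.append(f"{m.metric_id}: unknown layer '{m.layer}'")
        if m.metric_id not in latest:
            issues.append(f"{m.metric_id}: no data in repository")
        elif as_of - latest[m.metric_id][0] > timedelta(days=m.cadence_days):
            issues.append(f"{m.metric_id}: stale (last value {latest[m.metric_id][0]})")
    catalogued = {m.metric_id for m in catalogue}
    for metric_id in latest:
        if metric_id not in catalogued:
            issues.append(f"{metric_id}: data present but metric not in catalogue")
    return issues


def build_report(catalogue, repository, layer, as_of):
    """Assemble one reporting layer from the latest value of each catalogued metric."""
    latest = latest_points(repository)
    rows = []
    for m in catalogue:
        if m.layer != layer or m.metric_id not in latest:
            continue
        observed, value = latest[m.metric_id]
        rows.append({
            "metric": m.name,
            "owner": m.owner,
            "value": value,
            "observed": observed,
            "fresh": as_of - observed <= timedelta(days=m.cadence_days),
        })
    return rows


if __name__ == "__main__":
    for issue in validate(CATALOGUE, REPOSITORY, AS_OF):
        print("ISSUE:", issue)
    for row in build_report(CATALOGUE, REPOSITORY, "strategic", AS_OF):
        print(row)
```

Running the validation before each scheduled refresh is the point of the design: a report that silently shows a stale value or an unowned metric is exactly what a manual process hides, and the catalogue makes both conditions detectable by construction.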
With the establishment of the capability, a Must Win Epic in the client’s strategy was achieved and the following benefits were derived:
- Well-defined, seamless and automated reporting with reduced FTE overhead and less need for coordination
- The InfoSec department utilizes the output of the capability for stronger tracking of and visibility into the security posture across the company, which can be utilized to provide actionable insights and improve the InfoSec baseline
- One pane of glass for the security metrics across the InfoSec department, improving transparency and cohesion across domains