Creation and automation of strategic cyber security posture report

62

Sector: Life Sciences
Area of expertise: Cyber Security

THE SITUATION

The CISO of a global pharmaceutical company required a formal reporting format for executive and upper level management to:

  1. Provide an overview of the current threat landscape, both from an organisational and global perspective
  2. Give insights on the internal state of the nation.
  3. Provide the opportunity to showcase what kind of work the security organisation conducts, from security operations to advisory.

Kopenhagen Konsulting supported the CISO in the creation of an automated and strategic management report. The security organisation already reported on an operational and tactical level but lacked a strategic format for executive and upper-level management. The delivery approach consisted of three steps.

WHAT WE DID

First, we conducted an analysis of best practices within security reporting and through several management workshops it was decided that the report should contain two sections. The first section was data-driven and consisted of a metric dashboard that highlighted the general security posture in the organisation via a range of different measures. The second section was story-driven and provided an opportunity to highlight selected work of interest done by the security organisation and would be used to give more context than numbers alone could. This also provided a platform for talking with the rest of the business, helped identify new risks, and highlight what was happening outside the security organisation. The two sections would together highlight how security enables the business operating model and strategic goals.

Second, Kopenhagen Konsulting led the development of the data-driven reporting format. Through collaboration with leading experts, the relevant metrics were selected, and the corresponding data requirements mapped. A dashboard was created to accommodate real time presentation of metric visualisations and management reporting. Kopenhagen Konsulting partnered with a specialised BI company to ensure full automation of the metric dashboard. The automation required integration between several technologies, such as security tools (e.g. SIEM) and capabilities outside the security domain such IT service management and case management systems.

Third, the supporting design and process had to be developed and implemented for the case-based section of the report. Kopenhagen Konsulting created categories and labelled stories for inclusion in the report. A standardised process on how input should be provided was outlined to ensure operational consistency. This included the design and creation of presentation templates to contain cases to be included in each report. The input process consisted of several steps, but the main elements were employees providing regular input on cases and management making a final decision on which to include.

THE OUTCOME

The final project outcome was a strategic reporting format for use in both the IT organisation, line of business and the executive office. Both report elements, the metric dashboard and the case-based section, were accessible for all stakeholders via the central cloud-based platform that contained the real-time metrics and the cloud-based repository containing case inputs.

The report also served as a discussion starter with several stakeholders and based on the first presentation a number of protective measures were initiated. The metric dashboard of the report highlighted a systematic issue that affected the overall security posture and based on this the CISO proposed a course of action to upper-level management. The report furthermore enabled the ability to assess historic trends and current progress, both in terms of the overall security posture and regarding specific actions initiated by management.

The strategic report received positive feedback from all stakeholders, and it provided a previously unseen level of transparency into the security organisation, that was otherwise seen as a black box.