Is it beneficial for internal security teams to share detailed attack and incident metrics with the rest of the company?


CIO/CISO in Healthcare and Biotech, 11 - 50 employees
It's not only beneficial, it's absolutely mandatory at this point in time, at least at a rolled-up level that is all part of a comprehensive information security program. It's not necessary to get too deep into the weeds, but this is critical to the education of all business units as to the threats to their specific business operations. For far too long we've ignored the "people" part of the "people/process/technology" paradigm; it's time to leverage these folks to understand the urgency of having them buy in to the overall program.
vCIO, Infrastructure Architect, Manager in Services (non-Government), 1,001 - 5,000 employees
Absolutely! If nothing else at least the broad strokes or a copy of the Executive Summary should be shared with everyone. Not everyone will understand the deep workings of the attack, but sharing with everyone allows "everyone" to understand how and what happened, allowing them to learn in the process. The users are the first line of defense, so you have to keep them involved so you have their buy in and support.
CIO in Education, 501 - 1,000 employees
An effective information security program must build and retain the trust of the organization and the organization’s customers. Chief Information Security Officers (CISOs) should lead with a customer-centric security mindset to protect an organization’s reputation and long-term credibility. The main goal of an information security program should be to foster a security-first mindset across the entire organization to better manage risk. Reporting security posture metrics to both organizational leadership and the organization’s governing board is the KEY responsibility of a CISO. CISOs need to establish reliable metrics that can effectively communicate the security posture of an organization.

There are several types of metrics that can effectively communicate the current state of organizational security posture. The most critical metric is the time to assess and eliminate security incidents. The quicker security issues are detected and resolved, the less the potential damage to an organization’s security posture. Another critical metric to communicate is the number of reports of suspicious activities by employees. Keeping track of the percentage of employees in an organization who report suspicious emails is a great way to assess how prone an infrastructure is to penetration and how aware employees are of phishing attempts.

Reporting on vulnerability patching indicates how fast security issues have been resolved and how many remaining issues require patching. Organizations that patch regularly are LESS likely to sustain infrastructure attacks. The last metric to report is the risk to the infrastructure due to third-party companies associated with an organization. Most organizations have processes outsourced to other organizations, such as supply-chain, which expose an organization to the risk of invasion. Some recent studies indicate that approximately 51% of businesses suffered a data breach caused by a third party.
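The reply above lists the metrics but not how to derive them from raw records. As an added example (not code from the post or any commenter), the Python below computes time to detect, time to resolve, the phishing-report rate and patch-SLA compliance over constructed incident, phishing-report and vulnerability records, then rolls them up into a leadership summary. The records, headcount and SLA thresholds are assumptions for illustration; open incidents and findings still inside their SLA window are reported separately rather than distorting the averages.

```python
from datetime import date, datetime
from statistics import mean

INCIDENTS = [  # constructed sample tickets (hypothetical, not from the post)
    {"occurred": "2024-03-01T08:00", "detected": "2024-03-01T10:30", "resolved": "2024-03-02T09:00"},
    {"occurred": "2024-03-05T22:00", "detected": "2024-03-06T07:15", "resolved": None},  # still open
    {"occurred": "2024-03-10T12:00", "detected": "2024-03-10T12:20", "resolved": "2024-03-10T15:00"},
]
HEADCOUNT, SLA_DAYS = 40, {"critical": 7, "high": 30}  # constructed; patch SLA in days per severity
PHISH_REPORTERS = ["alice", "bob", "carol", "dave", "dave"]  # constructed; dave reported twice
FINDINGS = [  # constructed vulnerability findings; severity selects the patch SLA
    {"severity": "critical", "found": "2024-03-01", "patched": "2024-03-08"},
    {"severity": "critical", "found": "2024-03-10", "patched": "2024-03-20"},
    {"severity": "high", "found": "2024-03-01", "patched": None},
    {"severity": "high", "found": "2024-02-01", "patched": None},
]

def _hours(a, b):
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds() / 3600

def mean_time_to_detect(incidents):
    """Mean hours from occurrence to detection (dwell time) over all incidents."""
    return round(mean(_hours(i["occurred"], i["detected"]) for i in incidents), 2)

def mean_time_to_resolve(incidents):
    """Mean hours from detection to resolution over closed incidents, plus how many are still open."""
    closed = [i for i in incidents if i["resolved"]]
    mttr = round(mean(_hours(i["detected"], i["resolved"]) for i in closed), 2) if closed else None
    return mttr, len(incidents) - len(closed)

def phishing_report_rate(reporters, headcount):
    """Percent of employees who reported at least one suspicious e-mail (people, not messages)."""
    return round(100 * len(set(reporters)) / headcount, 1)

def patch_sla_compliance(findings, sla_days, as_of):
    """Share of findings patched inside SLA; open past-SLA = breach, open inside SLA = pending (not rated)."""
    counts = {"met": 0, "late": 0, "open_past_sla": 0, "pending": 0}
    for f in findings:
        end = date.fromisoformat(f["patched"] or as_of)  # unpatched findings age until the report date
        within = (end - date.fromisoformat(f["found"])).days <= sla_days[f["severity"]]
        counts[("met" if within else "late") if f["patched"] else ("pending" if within else "open_past_sla")] += 1
    assessed = len(findings) - counts["pending"]
    counts["compliant_pct"] = round(100 * counts["met"] / assessed, 1) if assessed else None
    return counts

def board_summary(as_of="2024-03-31"):  # rolled-up figures for leadership; no per-incident detail exposed
    mttr, still_open = mean_time_to_resolve(INCIDENTS)
    return {"mttd_hours": mean_time_to_detect(INCIDENTS), "mttr_hours": mttr, "open_incidents": still_open,
            "phishing_report_pct": phishing_report_rate(PHISH_REPORTERS, HEADCOUNT),
            "patching": patch_sla_compliance(FINDINGS, SLA_DAYS, as_of)}
```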
