Is it beneficial for internal security teams to share detailed attack and incident metrics with the rest of the company?

Security & GRCSecurity Strategy & Roadmap
2.2k views3 Comments
CIO/CISO in Healthcare and Biotech, 11 - 50 employees
It's not only beneficial, its absolutely mandatory at this point in time, at least at a rolled-up level that is all part of a comprehensive information security program. It's not necessary to get too deep into the weeds, but this is critical to the education of all business units as to the threats to their specific business operations. For far too long we've ignored the "people" part of "people/process/technology" paradigm; its time to leverage these folks to understand the urgency of having them buy in to the overall program. 
1
vCIO, Infrastructure Architect, Manager in Services (non-Government), 1,001 - 5,000 employees
Absolutely! If nothing else at least the broad strokes or a copy of the Executive Summary should be shared with everyone. Not everyone will understand the deep workings of the attack, but sharing with everyone allows "everyone" to understand how and what happened, allowing them to learn in the process. The users are the first line of defense, so you have to keep them involved so you have their buy in and support.
1
CIO in Education, 501 - 1,000 employees
An effective information security program must build and retain the trust of the organization and the organization’s customers. Chief Information Security Officers (CISO) should lead with a customer-centric security mindset to protect an organization’s reputation and long term credibility. The main goal of an information security program should be to foster a security-first mindset across the entire organization to better manage risk. Reporting security posture metrics to both organizational leadership and the organization’s governing board is the KEY responsibility of a CISO. CISOs need to establish reliable metrics that can effectively communicate the security posture of an organization.

There are several types of metrics that can effectively communicate the current state of organizational security posture. The most critical metric is the time to assess and eliminate security incidents. The quicker security issues are detected and resolved the lesser the potential damage to an organization’s security posture. Another critical metric to communicate is the number of reports of suspicious activities by employees. Keeping track of the percentage of employees in an organization who report suspicious emails is a great way to assess how prone an infrastructure is penetration and how aware employees are to phishing attempts.

Reporting on vulnerability patching indicates how fast security issues have been resolved and how many remaining issues require patching. Organizations that patch regularly are LESS likely to sustain infrastructure attacks. The last metric to report is the risk to the infrastructure due to third-party companies associated with an organization. Most organizations have processes outsourced to other organizations, such as supply-chain, which expose an organization to the risk of invasion. Some recent studies indicate that approximately 51% of businesses suffered a data breach caused by a third party.

Content you might like

We are looking into implementing Wecom / Wechat for Work for our Chinese employees, however we are having difficulty meeting our basic security requirements for SaaS solutions. Has anyone found a reasonably elegant solution to a) provision users through an IGA tool, b) federate with an SSO platform like Okta and most tricky c) send some form of security audit trail to a SIEM? Should we be thinking about this through a different paradigm?

Security & GRCEnd-User Services & CollaborationApplications & Platforms
799 views

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & LeadershipStrategy & ArchitectureCloud+57 more
CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
142 19 Replies
Read More Comments
42.6k views131 Upvotes319 Comments

What are some of the most pressing issues in 2023 and next 3 years in IT?

CloudApplications & PlatformsData & Analytics+7 more

Cyber Security37%

Cloud Computing/Cloud Migration45%

Artificial Intelligence (AI) and Machine Learning (ML)67%

IoT (Internet of Things)30%

Digital Transformation:35%

WFH/Remote Work16%

Legacy Systems Modernization12%

Data Management11%


184 PARTICIPANTS
2.1k views

Does the risk of Ransomware and malware propagation bother you? Is IoT security a top of mind for you? To protect against many risks, we have witnessed success of micro-segmentation in the data center. Would you be willing to deploy similar solution for the campus? I am very curious to get your feedback?

Security & GRCThreat & Vulnerability Management
Read More Comments
3.2k views5 Upvotes5 Comments

Have you used ChatGPT yet for work or at home for personal use?

Peer InsightsSecurity & GRCStrategy & Architecture

Yes - many times and I love it.19%

Yes - a few times, and I'm excited about the possibilities.59%

Yes - and I have some things I like and some concerns.15%

Yes - and I have major security / privacy and /or other concerns.2%

Not yet.4%


136 PARTICIPANTS
436 views2 Upvotes