Filtering out negative facts is another staple. No one wants to be the bearer of bad news, though for too long security teams have done just that. As a result, security has gotten a "Chicken Little" reputation of always screaming the sky is falling. After a while, we move from Chicken Little to the "boy who cried wolf" and no one pays attention. This is certainly borne out in the survey answers.
For me, though, the most surprising responses were on when the executive team meets with the security team:
Over 50% of respondents said they meet with the senior executives only when a serious risk is revealed, or that they don't communicate at all. Eek, that is scary. Scarier still is that only 13% of organizations have regularly scheduled meetings.
The rest of the report is chock full of more great information and insights. I had a chance to speak with Jody Brazil of Firemon and Jerry Skurla, VP of marketing at Firemon, about the survey. Firemon seeks to provide proactive security intelligence to organizations. Deciding what the correct information is for different audiences is something the Firemon team has spent a lot of time and effort on. Overall, Jody says the problem is we have done a lousy job of defining what metrics are really important. That is a threshold question to answer before we can tackle how to best convey that information to executives.
Until security teams can get their heads around which information is important and then tackle how to best show it to the executive team, we are destined to repeat many of the failures of the past. That is too bad. Let's hope for all of our sakes that we begin to answer these questions soon.
Source: Network World