Sometimes for fun, I like to concatenate as many buzzwords as possible. How about: our cloud GRC dashboard provides risk intelligence leveraging big data visualization. I bet someone has a copyright on that one! I don’t mind general terms as long as the author gets to the details quickly. So when I say Security Executive Dashboard, I mean:
- What: Two-page, printable document to communicate key messages e.g. current state, performance, trends, and progress against plan. It can be viewed online but I prefer the tactile option if you have high quality color printing.
- Who: For non-IT Security leadership. The dashboard should convey its points without CISO assistance. This is difficult but very important.
- Why: IT security is a cost center with a difficult ROI story that usually gets the spotlight when something goes wrong. It’s important to communicate between these times to demonstrate your contribution to the organization, set expectations, and communicate key messages. A successful dashboard is difficult to measure. One measure may be the effectiveness of your budget process. I can’t promise your budget will increase, but when budget leaders are well informed the outcome should be grounded in business context rather than arbitrary allocation.
- When: Quarterly updates, revisit graphics and format annually.
I’ve helped build a few of these over my career, one earlier this year. The fascinating part is how different each was. Given the target audience, the dashboard is a powerful communication vehicle and must match the political tone each CISO wants to set. That’s why I titled this “your” dashboard. There’s a whole menu of stories to tell. The trick is identifying the four or five stories that support your organization best.
Before I get into the menu of options, here are a few items dashboards have in common:
- Visually appealing: the more eye candy the better to attract attention and convey a polished message. Yes, sometimes I feel more like a PowerPoint jockey than a security pro. I’m sorry, but if it’s ugly or an eye chart, the only thing communicated will be your career ceiling. Depending on your budget, sometimes a professional graphic designer is needed to make the story pop. Remember though, this is a living document and requires updating. Is sustained spending on graphic design the best use of resources?
- Hub-and-spoke process: odds are the dashboard will stress the team because they’re a pain to update, no matter how much you automate. Please do appoint one person to collect updates.
- Desire to automate: Depending on the stories you want to tell, your automation options may be limited. Faster and cheaper is always the goal. However, I suggest not worrying about automation to start. If you tell the right stories, you’ll have an easier time justifying an investment to automate. Strategic dashboards leverage automated data, but crafting the deliverable is usually manual.
Let’s jump into the menu. I prefer a present-past-future approach to my stories. I try to give each story a graphic and a text area to close the story. By “close,” I mean the ability to answer questions, not generate them. This is actually a good QA technique: does this visual raise any questions?
- State of Security: What’s going on across your team? Red, Yellow, Green icons followed by key sound bites. Highlights and Issues fit here also. I prefer a table design for readers to quickly navigate.
- Security Events & Incidents: If you have the means to quantify the volume, type, and man-hours to investigate events, this can tell a great story. An even better story is to classify incidents by impact categories. A comment I often hear is, “it doesn’t look like we’re doing anything.” Thus, it’s important to treat incident summaries as an outcome measurement of preventative controls. Communicating year over year performance is even better.
- Current risk posture: If you have a risk register, some folks like to communicate risk categories on a heatmap. Every category should have a status update for ongoing action.
- Risk trends: If you use a heatmap to communicate risk, arrows indicating risk trends can be effective. Again, the accompanying text needs to explain why the trend exists and what you’re doing about it.
- Risk posture changes over time: If you have new risks or have recently mitigated key risks, an arrow connecting the past to present risk position works great.
- Initiative performance: Execution is king. A simple Gantt chart with start/end dates, project status, and % complete helps summarize all the in-flight work.
- Team & money allocation: sometimes it’s important to show where the time and money are going. This can be a key message for under-resourced teams where people ask, if they’re so busy, what do they actually do?
- Process maturity progress: If you don’t have a mature risk estimation process, communicating actual vs. target maturity can be effective. Many folks also overlay a benchmark maturity value.
- Top metrics: Actual vs. target performance always tells a story. The trick is to make sure the audience cares. Senior leaders may not care about A/V updates or patches but they might care about % of devices managed for security. Rolling up tactical metrics is a great way to get to 5 or 6 that communicate your posture as a whole.
- Budget performance: Financially minded teams may want to communicate actual vs. planned and forecast.
- Compliance: It is what it is. Number of audits, their findings, and mitigation progress is a story to tell.
Recall, each piece of eye candy needs a text area to close the story. I prefer having a two-sided sheet. One side has the fancy pictures; the back page then has tables to answer any questions inspired by the visual.
The old adage that less is more applies here. Every team I’ve worked with wants to put too much in this communication. I believe it’s far more important to tell a couple of stories well than many half-baked ones. If you tell great stories about risk, metrics, and initiative progress, other leaders will reach out if they need to know about budget performance or other areas. The goal is to demonstrate value, not communicate everything you do.
Finally, if your organization really gets into all this communication overhead, consider expanding the annual update into a booklet that provides more offline reading material. Communications like these really do take a lot of time. Be sure to get exec support before embarking on the journey. Also, be aware of how your peers will respond. Will they embrace your executive communication, feel threatened by it, or maybe even follow suit? Plagiarism is the greatest form of flattery. Construct your dashboard well and you might be the next buzzword!
What say you, is this worth it? If so, what stories do you like to tell?