A recent SANS diary entry discussed ways to demonstrate the value of an organization's intrusion detection program and its analysts. The article is very good and gives solid examples of how to maintain positive visibility with executive management, but the same examples and ideas should be applied to the entire security or IT program, not just intrusion detection.
Here are some reasons why. Most organizations, whether commercial or public, see security or IT as a necessary evil and, more importantly, as a cost center: a group that does not generate revenue and exists only to maintain regulatory/legal compliance or to get the job done. This is obviously not the case for organizations where security or IT is their business, such as consultants or vendors like HP, McAfee and Symantec. Everywhere else, security tends to be an afterthought, or management sees one tool or a small subset of tools as all that is needed to accomplish the "task." An organization's security posture is based on the level of risk it is willing to accept, but because of budgetary constraints, risks end up being accepted that would otherwise be mitigated. That being stated, the only way to ensure that security is implemented properly and effectively is to make it something the executives can understand and associate with the success and profitability of the organization.
Here are the six ideas from the SANS post, generalized to the overall security and IT programs:
- Publish a one-page newsletter highlighting your group, its accomplishments and what it is working on. (Does management know that you put a block in place for a significant threat until a patch was issued, which is why your network suffered no impact?)
- Highlight each team member and their success by having a “Catch of the Week/month” writeup and include their photo.
- Keep them informed of current and emerging threats or trends, in easy-to-understand, non-technical terms. A lot of the time they have no idea such a threat or technology was possible or even exists.
- Provide metrics on the number of alerts/tickets that occur during each shift and approximately how long it takes to look at each one. Tracked against the number of team members on a shift, this shows the residual, if any, of what did not get looked at in a timely fashion. Management needs to understand that residual as a risk and explicitly agree that they are willing to accept it.
- How many blocks (firewall, email, web, etc.) were put in place to protect the network? How many network/system performance tuning improvements were implemented? That shows management a proactive stance.
- Keep management informed of the costs being incurred by other companies that have to clean up after being compromised. Do not imply that it won't happen on your network. It will; it's just a matter of time. But the cost is much less if detection occurs early, and skilled analysts are the key to early detection.
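The per-shift capacity metric above is the one item in the list that is a calculation rather than a communication, so here is a worked version of it. This is an added example, not code from the SANS diary or from the original post: the alert log, the shift boundaries (three eight-hour UTC shifts) and the staffing numbers are all constructed for illustration, and the "residual" is computed the way the bullet describes it, as the alerts left over once the shift's analyst-minutes are exhausted at the observed average triage time.

```python
"""Per-shift alert load versus analyst capacity.

Added example (not from the SANS diary or the original post). The alert log,
shift boundaries and staffing figures below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
from math import ceil
from typing import Dict, List, Optional

# Constructed sample log, one alert per line: "UTC timestamp,source,triage_minutes".
# An empty triage field means the alert was never reviewed during the shift.
SAMPLE_ALERT_LOG = """\
2024-03-04T00:40:00Z,ids,120
2024-03-04T02:10:00Z,ids,90
2024-03-04T03:45:00Z,email,150
2024-03-04T05:20:00Z,ids,
2024-03-04T06:55:00Z,web,120
2024-03-04T09:30:00Z,web,30
2024-03-04T10:15:00Z,ids,60
2024-03-04T13:05:00Z,email,45
2024-03-04T14:50:00Z,ids,105
2024-03-04T17:05:00Z,ids,90
2024-03-04T20:40:00Z,web,30
2024-03-04T23:15:00Z,email,60
"""

# Assumed shift boundaries: start hour inclusive, end hour exclusive, UTC.
SHIFTS = {"night": (0, 8), "day": (8, 16), "swing": (16, 24)}
SHIFT_MINUTES = 8 * 60
# Assumed number of analysts rostered on each shift.
STAFFING = {"night": 1, "day": 3, "swing": 2}


def shift_for(ts: datetime) -> str:
    """Map an alert timestamp to the shift that was on duty."""
    for name, (start, end) in SHIFTS.items():
        if start <= ts.hour < end:
            return name
    raise ValueError(f"hour {ts.hour} is not covered by any shift")


def parse_alert_log(text: str) -> List[dict]:
    """Parse the CSV-style log into dicts; triage_min is None when unreviewed."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, source, triage = line.split(",")
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        triage_min: Optional[int] = int(triage) if triage else None
        alerts.append({"ts": ts, "source": source, "triage_min": triage_min})
    return alerts


def shift_metrics(alerts: List[dict], staffing: Dict[str, int] = STAFFING,
                  shift_minutes: int = SHIFT_MINUTES) -> Dict[str, dict]:
    """Per shift: alert volume, average triage time, analyst capacity and residual.

    demand   = alerts * average triage minutes (observed on reviewed alerts)
    capacity = analysts on shift * shift length in minutes
    residual = alerts that could not have been looked at within the shift,
               i.e. ceil((demand - capacity) / average triage minutes), or 0.
    """
    by_shift = defaultdict(list)
    for alert in alerts:
        by_shift[shift_for(alert["ts"])].append(alert)

    report = {}
    for shift, analysts in staffing.items():
        batch = by_shift.get(shift, [])
        reviewed = [a["triage_min"] for a in batch if a["triage_min"] is not None]
        avg = sum(reviewed) / len(reviewed) if reviewed else 0.0
        demand = len(batch) * avg
        capacity = analysts * shift_minutes
        residual = ceil((demand - capacity) / avg) if avg and demand > capacity else 0
        report[shift] = {
            "alerts": len(batch),
            "unreviewed": len(batch) - len(reviewed),
            "avg_triage_min": round(avg, 1),
            "demand_min": round(demand),
            "capacity_min": capacity,
            "utilisation_pct": round(100 * demand / capacity) if capacity else None,
            "residual_alerts": residual,
        }
    return report


if __name__ == "__main__":
    for shift, m in shift_metrics(parse_alert_log(SAMPLE_ALERT_LOG)).items():
        print(f"{shift:6} alerts={m['alerts']:2} avg={m['avg_triage_min']:5.1f}m "
              f"load={m['utilisation_pct']:3}% residual={m['residual_alerts']} "
              f"unreviewed_in_log={m['unreviewed']}")
```

On the constructed data the single night-shift analyst is at 125% utilisation, which predicts one alert left over per shift; the log's one unreviewed night alert is what that residual looks like in practice. Presenting the table to management this way turns "we are short a night analyst" into a number they can either fund or formally accept.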
Ultimately, the security and IT programs need to show executive management that they are more than IT plumbers, that what they do is important, and that it saves money on the bottom line. This will help change the perception from "we have to do it because we are told to" to "we have to because it is vital to our business success."