ABSTRACT

The bane of typical security reporting is that it hands management a list of numbers that mean nothing to them, such as the number of spam e-mails stopped, the number of intrusions detected at the firewalls, the number of viruses quarantined at the mail gateway, and so on, without relating any of those numbers to the business. The most important aspect of pragmatic security reporting is to translate security metrics into business terms. To do this, you must understand what matters to your company. If your executive management is focused on operational efficiency, relate significant portions of your security reporting to the appropriate allocation of budget and resources. If they are focused on productivity, emphasize the number of security requests your department has processed or the risk mitigation initiatives you have successfully completed.