(Class Note) Module 11 - Security Reporting and Oversight

This document discusses the importance of security reporting and oversight for cybersecurity governance. It provides objectives for a session on this topic, including explaining the importance of security reporting and applying reporting mechanisms. It outlines that reporting provides key indicators to assess security adequacy, program management quality, and return on security investment. Reporting should present security activities and metrics in business terms understandable to management. Standard reporting enables management to oversee the security program and investment decisions.

Uploaded by Yao Xia Li

RMIT Classification: Trusted

Introduction to Cybersecurity Governance


Lecture 11: Security Reporting and Oversight

31/08/23

Session Objectives
After completing the week's contents, you should be able to:
- Explain the importance of security reporting
- Apply reporting mechanisms


Reporting and Oversight

- Reporting provides key indicators for good governance to assess:
  - the adequacy of security
  - the quality of security program management
  - the costs of security, or the return on security investment (ROSI)
  - progress toward objectives.
- The reporting method must be adapted to present security activities in business terms, such as:
  - risk reduction
  - return on security investment (ROSI)
  - contribution to business development, etc.
- It is essential to find a standard way to present security figures that enables management to follow the security program and decide on investments.


Importance of Reporting for Governance

- The ultimate responsibility for security lies with the board of directors.
- That is why the board requires reports containing stable indicators that present the state of security at a given time.
- The purpose of reporting and oversight is to provide governing bodies with all the relevant information they need to judge the state of security at a particular point in time, and to provide guidance.
- The information produced by reporting and oversight activities is sometimes called strategic indicators.
- All of this information does not have to be provided in one document.
- These resources can be used by the CISO or management to communicate the state of security to all stakeholders: board of directors, management, employees, customers, business units, correspondents, and auditors.


Importance of Reporting for Governance

- Public statistics or surveys provide few answers about the need to invest in security, because risks cannot be assessed outside the company's context.
- Inaccurate financial justification undermines the credibility of security and weakens the relationship between security teams and the company's business lines.
- Therefore, reports should contain indicators expressed in universally accepted units of measurement: cost, incidents, risk, budget, strategy, annual targets, etc.
- The need for reporting is also heightened by the fact that security officers increasingly report at a higher level in the company, and often outside of IT.
- It is essential that they know how to explain the strategy and rationale for security investments to management, if possible in business language and with a holistic perspective.
- They report not only on costs and benefits but also on longer-term strategic axes of development, by articulating the benefits for the organization.


Importance of Reporting for Governance

- Senior managers are accustomed to analyzing the company's high-level indicators (losses, earnings, ratios, economic events, sales targets, and so on) to make forecasts or to understand a given situation.
- Security is part of the infrastructure or support functions, so senior managers are more interested in reporting or feedback on the overall effectiveness of the countermeasures in place.
- They seek to understand the evolution of costs.
- They are less interested in operational metrics or in ROSI calculations for an isolated process or component.
- Since their concerns are increased revenues, reduced costs, improved products or services, and cost control, security reports will only be taken into consideration if they adopt the same approach and the same language: strategic and functional alignment, achieving performance objectives, improving or controlling compliance, team performance, innovation, and added value for customers.


Components of a Security Reporting System

- Strategic indicators are high-level indicators, or aggregations of indicators or operational metrics, that are used to report on the state of security or to manage the security program.
- These indicators present the security of information to governing bodies from different perspectives.
- Answering the question "How secure are we?" is not easy.
- This is why it is answered indirectly, through more specific questions whose answers provide strategic indicators or reporting elements about the state of security.
- Reporting elements or strategic indicators depend on each other. For example, the security program depends directly on the strategy, risks, posture, and compliance.


Specific questions for strategic indicators

- Strategy
  - How does IS contribute to achieving the company strategy?
  - How are strategic initiatives progressing?
- Risks
  - What are our main risks, and how do they evolve?
  - How is the risk mitigation program progressing?
- Posture
  - What is our security posture, and what are our protective capabilities?
  - What processes/controls need to be improved, and why?
- Compliance and audit
  - What are our compliance gaps?
  - What are we doing to fix them? What is the status of fixing audit findings?
- Program
  - What are the basic principles of the security program?
  - What is the status of projects in the program plan?
- Governance
  - How is our governance, and what improvements are needed?
- Security costs
  - What comprises our security costs?
  - How do they evolve?
- Security objectives
  - What were our objectives, and did we meet them?
  - What are the objectives for the next period?


Components of a Security Reporting System

- There is a very strong dependence between reporting needs and the establishment of operational metrics.
- In fact, it is the need to report or oversee that defines the indicators needed.
- Security reporting and oversight can concern company security as a whole, or only one domain, geographical unit, or business line.
- Reporting elements or strategic indicators depend on each other.
- For example, the security program depends directly on the strategy, risks, posture, and compliance.
- The purpose of every reporting and oversight process is to set objectives for the security system. These objectives include improving not only the security program and controls but also financial and governance objectives.


Reporting system components and associated metrics


Strategy Report
- The security strategy and the initiatives that comprise it should be reviewed every year.
- Strategic initiatives are also part of the "Plan" roadmap of the security program, as defined earlier.
- Taking stock of the progress of initiatives in the reporting framework is important, because it can influence the priorities that the governing body wants to establish.
- When the report is presented, questions may arise about the reasons for a potential delay, a lack of resources, or even a change in strategic direction.
- This is why the CISO should have readily available arguments explaining project progress during the previous period.
- This same type of reporting is used as part of the security program review process, especially in the "Monitor" activity.


Strategy: examples of key indicators on the progress of strategic initiatives


Risks Report
- The risk management process includes reporting to the bodies responsible for risk treatment planning.
- That report includes a mapping of all the risks with their attributes, a heat-map, a table of the factors influencing risks, and comments on the main events, trends, and changes since the last revision.
- Reporting for oversight or program adaptation purposes can use a simplified presentation of the state of risks.
- In this case, a heat-map with the trends or evolution of the risks, and a matrix of high risks containing the action plan and its state of progress, can be used.
- This presentation highlights the most important risks, their treatment plan, and their trend.
- A comment may accompany it, especially where it is relevant to understanding why a high risk has a "negative" trend.


Heat-map and matrix presenting the evolution of high risks


Posture Report
- The report on security posture is intended to draw decision-makers' attention to weak points in the protection capacities in place.
- Posture can be evaluated in different ways, for example:
  - by using a maturity model
  - through a benchmarking study comparing the effectiveness of controls in similar companies
  - by mandating an external audit
- To present the posture and be able to re-evaluate it repeatably, it is preferable to use a maturity model.
- The choice of model depends on the desired level of abstraction or focus when reporting to governing bodies.
- A catalog of controls may already contain an assessment of current and desired maturity.


Presentation of a maturity model based on the NIST Cybersecurity Framework (CSF)


Posture
- Regardless of the model chosen to present the security posture, it should be accompanied by supporting documents that explain any differences between current and desired maturity.
- Thus, the compliance maturity gap in the preceding example may be due to a new regulation in a geographical area where the company is present.
- Benchmarking results can influence maturity ratings.
- In the previous cybersecurity example, a benchmarking study could indicate that the level of maturity is lower than that of the competition, which could potentially affect the company's competitiveness.
- Therefore, the desired level of maturity must be aligned with that of the competition.


Compliance and Audit Report

- Compliance gap analyses have established priorities among the projects to fix audit findings.
- These projects are included in program planning, and they are mandatory.
- Reviewing these projects or priorities should not be part of reporting and oversight, since it is the responsibility of other forums or committees.
- What is needed for governance reporting is the progress made in fixing these findings, or possible delays.
- For example, high-level indicators that could be presented here include the evolution of the number of unfixed findings or delayed remedies, compared with the number of new audit findings.
- Graphs summarizing a trend should always be accompanied by comments or explanations.
- E.g., a delay in fixing audit findings may indicate a lack of resources, a prioritization conflict, or some other issue that governance should address when setting objectives.

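The indicator described above (unfixed or delayed findings set against new findings, period by period) can be computed directly from an audit-finding register. The following Python is an added example and not part of the lecture; the register, its identifiers and dates are constructed, and the rules (a finding counts as open at period end if it was raised by then and not closed by then; it is overdue if, in addition, its due date has passed) are assumptions made here for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One audit finding as it would appear in a remediation register."""
    ident: str
    opened: date          # date the finding was raised
    due: date             # agreed remediation date
    closed: Optional[date] = None  # None while the remedy is still outstanding


# Constructed sample register (hypothetical identifiers and dates, not from the lecture).
FINDINGS = [
    Finding("AF-01", date(2023, 1, 10), date(2023, 4, 30), closed=date(2023, 3, 15)),
    Finding("AF-02", date(2023, 1, 20), date(2023, 3, 15), closed=date(2023, 5, 2)),   # fixed late
    Finding("AF-03", date(2023, 2, 5),  date(2023, 6, 30)),                            # still open
    Finding("AF-04", date(2023, 4, 12), date(2023, 5, 31)),                            # open and overdue
    Finding("AF-05", date(2023, 5, 3),  date(2023, 9, 30), closed=date(2023, 6, 20)),
    Finding("AF-06", date(2023, 6, 28), date(2023, 12, 31)),
]


def period_indicators(findings, period_start, period_end):
    """Strategic indicators for one reporting period [period_start, period_end]."""
    new = sum(1 for f in findings if period_start <= f.opened <= period_end)
    fixed = sum(1 for f in findings if f.closed and period_start <= f.closed <= period_end)
    # Open at period end: raised by then and not yet closed by then (assumed rule).
    open_at_end = [f for f in findings
                   if f.opened <= period_end and (f.closed is None or f.closed > period_end)]
    # Overdue: still open and the agreed due date is already behind us (assumed rule).
    overdue = [f for f in open_at_end if f.due < period_end]
    return {
        "new": new,
        "fixed": fixed,
        "open": len(open_at_end),
        "overdue": len(overdue),
        "overdue_ids": sorted(f.ident for f in overdue),
    }


def trend(findings, periods):
    """One row per period, plus the net backlog change that a trend graph would show."""
    rows = []
    for label, start, end in periods:
        row = period_indicators(findings, start, end)
        row["period"] = label
        row["net_backlog_change"] = row["new"] - row["fixed"]  # > 0 means the backlog grew
        rows.append(row)
    return rows


# Reporting periods for the constructed register.
QUARTERS_2023 = [
    ("Q1", date(2023, 1, 1), date(2023, 3, 31)),
    ("Q2", date(2023, 4, 1), date(2023, 6, 30)),
]


if __name__ == "__main__":
    for row in trend(FINDINGS, QUARTERS_2023):
        print(row)
```

The `overdue_ids` list is what the accompanying comment should be written from: the slide's point is that the graph alone (backlog up by 2 in Q1, by 1 in Q2) tells the board nothing about whether the cause is resourcing or prioritization.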

Program Report
- A security program is composed of a set of operational controls and an improvement plan with a roadmap of projects.
- These projects mobilize resources, and their objectives must be justified (explained).
- Through its program, security achieves the following objectives:
  - the deployment of strategic initiatives
  - risk mitigation and improvement of the posture (capacity) of the protection system
  - reinforcement of compliance
  - the implementation of corrective measures requested by audits.
- As a result, the four previous elements of the report, supplemented by indicators on the effectiveness of controls and the status of ongoing projects, make it possible to present the project portfolio along with project status.


Example of presenting the origins of security program projects


Governance Report
- The report focuses on the strengths and weaknesses of governance, as a means of maturity assessment, communication, and coordination for continuous improvement.

Example of governance self-assessment key findings


Security Costs Report

- Cost accounting principles for controlling security expenditures were presented earlier.
- If the company has agreed on cost distribution criteria, it can then present security expenses from different angles.
- Data on security expenditures, possibly combined with other indicators such as turnover trends or the number of employees, will enable the board of directors or governing body to better analyze the impact of security costs and propose adjustments.
- Reporting on overall security costs may include the following strategic indicators:
  - breakdown of costs by category
  - evolution of the costs of each category
  - evolution of costs compared with other indicators, such as the evolution of turnover, number of employees, overall budget, etc.
  - breakdown of expenses among business or geographic units
  - distribution of expenses by service provided (IS, business continuity, security operations, physical security, identity and access management [IAM], etc.)


Breakdown of costs by category

- Direct security costs are generated by the activities of the security teams.
- Indirect costs are costs attributed to security but not generated directly by security team activities.
- These costs are often underestimated or neglected in companies, precisely because of the absence of accounting methods to highlight them.
- It often happens that 100 percent of the indirect costs are outside the CISO's control, because they are generated by other units and attributed to security.


Evolution of costs over several periods

- Monitoring security cost trends makes it easier to analyze them and to correlate them with other business costs.
- An explanation should be provided for each significant variation.
- The example shows an increase in depreciation, probably due to the implementation of a major piece of security infrastructure.

Evolution of direct costs


Evolution of security costs compared with other indicators
- It is often very instructive to compare the progression of security costs with that of other categories of financial costs.
- For example, the figure shows the relative progression of the security budget compared with the IT budget.

Security versus IT budget progression


Reallocations of security costs to other business units

- A cost allocation key can be applied to reallocate security costs to other business units.
- Various cost drivers exist to establish these reallocation keys: for example, the number of employees or the number of workstations, possibly weighted by a security service "consumption level" criterion, etc.
- If the HR and General Services departments have the same number of employees, the security services cost allocation keys might still not be the same for both entities.
- Since HR is a greater "consumer" of security services (data protection, encryption, support, etc.), its consumption could be accounted for using a higher weighting coefficient.

Security reallocation cost key to internal service consumers


Cost allocation by service

- Security costs can also be allocated by the services provided, such as support for business initiatives, infrastructure security, IAM, business continuity, support, etc.
- By subdividing all the security services into functional areas and applying the same basic KPIs to the management of cost allocations, it is possible to know the cost of each security service.
- This is useful when considering the outsourcing of certain services (e.g. security as a service [SecaaS], access management, etc.).
- The presentation of security costs is relevant even if they cannot always be linked to the "benefits."
- The notion of added value is extremely important, but as noted earlier, this value is perceived through risk treatment and support for strategic initiatives.
- Management knows what security brings but does not always know what is included in its costs. Such cost accounting can provide relevant answers.

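The two preceding slides (reallocation keys weighted by consumption, and allocation by service) combine into one calculation: each service's cost pool is spread over the internal consumers in proportion to headcount multiplied by a consumption coefficient, and the per-service amounts are then summed per unit. The Python below is an added example, not material from the lecture; the service cost pools, headcounts and weighting coefficients are constructed figures, and the handling of rounding residue (pushed onto the unit with the largest key so that the allocated amounts reconcile exactly to the pool) is a design choice made here.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed annual cost pool per security service (hypothetical figures).
SERVICE_COSTS = {
    "identity and access management": Decimal("300000"),
    "data protection": Decimal("200000"),
    "infrastructure security": Decimal("400000"),
    "support": Decimal("100000"),
}

# Cost driver: headcount per internal consumer (hypothetical).
HEADCOUNT = {"HR": 120, "General Services": 120, "Sales": 360}

# Consumption coefficient per (unit, service); anything not listed defaults to 1.
# HR handles personal data, so it is treated as a heavier consumer of data
# protection and support, as the slide suggests.
WEIGHTS = {
    ("HR", "data protection"): Decimal("2.0"),
    ("HR", "support"): Decimal("1.5"),
}

CENTS = Decimal("0.01")


def allocation_keys(service, headcount=HEADCOUNT, weights=WEIGHTS):
    """Weighted allocation key per unit for one service: headcount x coefficient."""
    return {unit: Decimal(n) * weights.get((unit, service), Decimal("1"))
            for unit, n in headcount.items()}


def reallocate(service_costs=SERVICE_COSTS, headcount=HEADCOUNT, weights=WEIGHTS):
    """Return {unit: {service: amount}} with every service pool fully distributed."""
    result = {unit: {} for unit in headcount}
    for service, cost in service_costs.items():
        keys = allocation_keys(service, headcount, weights)
        total_key = sum(keys.values())
        allocated = Decimal("0")
        for unit, key in keys.items():
            amount = (cost * key / total_key).quantize(CENTS, rounding=ROUND_HALF_UP)
            result[unit][service] = amount
            allocated += amount
        # Rounding can leave a few cents unallocated; book them to the largest consumer
        # so the per-service totals reconcile exactly with the cost pool.
        largest = max(keys, key=keys.get)
        result[largest][service] += cost - allocated
    return result


def unit_totals(allocation):
    """Total security cost charged to each unit across all services."""
    return {unit: sum(by_service.values()) for unit, by_service in allocation.items()}


if __name__ == "__main__":
    alloc = reallocate()
    for unit, by_service in alloc.items():
        print(unit, {s: str(a) for s, a in by_service.items()})
    print("totals:", {u: str(t) for u, t in unit_totals(alloc).items()})
```

With the constructed figures, HR and General Services have the same headcount but HR is charged roughly 234,000 against 192,000 for General Services, which is exactly the effect the slide describes; the reconciliation check (the unit totals sum to the service pools) is what a finance reviewer will ask for before accepting the key.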

Security Objectives Report

- One of the main tools for revising and setting new objectives is the IS balanced scorecard (BSC).
- Its use in the context of oversight is particularly recommended, due to the strategic and holistic nature of the objectives.
- Objectives and the metrics to measure progress are established at the end of the reporting session and serve as a guide for adaptations in all areas of IS management.

Example of a balanced scorecard for IS


Dashboard
- A dashboard is primarily a real-time monitoring tool for certain events or metrics.
- A dashboard is often consulted to track operational events, while a report is prepared for review purposes at defined frequencies.
- A security dashboard can be made up of various indicators that facilitate the monitoring of the security system:
  - project progress
  - evolution of incidents
  - follow-up of breaches of internal regulations
  - statistics or indicators on access rights
  - distribution of workloads by IS service (operations, projects, investigations, studies, etc.)
  - internal or external events or incidents that may impact the risk assessment
  - number of investigations or forensic analyses
  - follow-up of awareness sessions
  - follow-up of security control tests according to a pre-established plan
  - trends in threat monitoring
- A dashboard is an aggregation of these indicators, generally on one or two pages, intended for the CISO or the committees in charge of supervising the security program.


Examples of security dashboard
