Why SSI dashboards remain essential
Despite the scale of the obstacles encountered in their development and subsequent monitoring, dashboards remain essential. They enable CISOs to see, but also to make visible, cybersecurity in general—and their actions in particular!
Dashboards for managing security
Even today, SSI dashboards remain underused in companies with more than 100 employees. According to a CLUSIF study on IT threats and security practices in France (2020 edition), only 30% of the organizations surveyed (350 in total) have them in place.
But what is the point of implementing a security policy if it is then impossible to determine the organization's level of risk and its compliance with its preferred standard(s)?
The answer is clear: there is none! To protect the company, the CISO has no choice but to use dashboards, as creating customized tools (usually based on Excel) is the only way for them to monitor all actions related to information security and implement a system of continuous improvement.
The dashboard thus plays two roles.
- On the one hand, it provides information and enables diagnosis. The CISO is thus able to monitor the effective implementation of the security policy at all levels of the organization.
- On the other hand, it allows you to react and make decisions, i.e., to control the overall security level of the company by taking appropriate action.
Each type of dashboard also meets a specific need, which is why CISOs must adopt three views (apart from monitoring what is happening in real time):
- the operational view, to detect anomalies and incidents and specify the operational requirements to be implemented;
- the management view, to enable decision-making, determine the level of compliance, and monitor trends;
- the strategic view, to report to the Executive Committee on risk coverage and compliance levels and guide its decisions.
Dashboards as communication tools
All CISOs know that cybersecurity issues are still poorly known and poorly understood, making it difficult to get the right responses from the various stakeholders (operational teams and management).
When well designed, a dashboard can make a real difference, allowing the CISO to position themselves not as a technician, but as an expert whose main mission is to support the business.
In this case, the SSI dashboard becomes a win-win tool, serving both the organization AND the CISO:
- Top management appreciates being able to quickly understand the security situation within the organization and feels supported in its decision-making.
- The CISO increases his chances of obtaining approval for the actions he proposes, and the resulting budget.
The same applies to operational staff. Often perceived as an additional constraint, the dashboard can become a tool for visualizing their contribution to maintaining security. The result: data collection that is "better accepted" by employees and more information reported to the CISO.
All of this, of course, is subject to doing away with complex and off-putting SSI dashboards!
How can we rethink SSI dashboards?
Dashboards take time and energy to create, sometimes with little satisfaction in the end: they are not filled in by teams and are consulted (too) infrequently by management. CISOs therefore have every interest in designing their SSI dashboards to focus on the essentials.
The value of limiting indicators
Given the amount of work involved in developing and monitoring dashboards, there is no doubt that every CISO would do well to ask themselves two preliminary questions:
- Should I include everything I would like to share with my management/everything I am able to show in my dashboard?
- Is the goal to show that I could be an Excel black belt?
In both cases, the answer is no!
Once again, the dashboard is a management and communication tool. As such, it should only display indicators with certain characteristics.
- Representativeness: there is no point in displaying indicators that are not linked to a risk. It is better to target, starting by identifying a major risk per business line and breaking it down. This approach allows for comparison between the current situation of the information system and the situation that the CISO wishes to achieve and maintain in the long term.
- Relevance: indicators for which data are not available on a regular and systematic basis should be excluded, so that only known and reliable items are included in the scorecard.
- Adaptation to recipients: the indicators to be included in an operational dashboard cannot, by their very nature, be similar to those used in a strategic dashboard. There is therefore no need to include the causes of security incidents in a dashboard intended for an executive committee! The information will be of interest to operational staff who are in a position to change their practices, but not to top management, who will not have the solution and are more concerned with strategy.
The importance of customizing your dashboards
Let's face it: Excel isn't sexy. To avoid discouraging recipients of their dashboards, CISOs need to be clever and tailor their presentations to expectations.
In practical terms, a dashboard that is easy for a non-expert to consult is, above all, concise. A strategic SSI dashboard must therefore enable decision-makers to quickly understand where potential problems lie and how much investment is needed to cover the risk.
Of course, form also matters: a good dashboard must also be clear, readable, and even "meaningful." To improve their presentation, CISOs can use two best practices.
- Visual representations: Risk can be represented in many ways, whether using a simple two-dimensional diagram (e.g., risk impact/frequency) or in radar chart form. This type of presentation has the advantage of highlighting certain findings, thereby supporting the CISO's argument.
- Color codes: green to indicate compliance, orange to alert to non-compliance without endangering the IS, and red for non-compliance that reveals a risk.
Tenacy to change minds about dashboards
Did you know that there is now a tool designed by CISOs for CISOs that makes it easier, faster, and more comprehensive to create dashboards?
This is one of Tenacy's features and strengths!
Developed as part of an adaptable and collaborative SaaS solution, our cybersecurity management solution enables CISOs to develop and manage their SSI dashboards efficiently, thanks to features that are 100% tailored to their business:
- Setting indicators specific to their security policy
- Preconfigured indicators
- Custom-built, modular, and intuitive construction
- Dynamic management of perimeters and groupings
- Collaboration (web, roles and scopes, workflow and reminders)
- Multiple collection methods (GUI, XLS, API)