Why SSI dashboards remain indispensable

Despite the many obstacles encountered in developing and monitoring them, dashboards remain essential. They enable CISOs not only to see, but also to make visible, cybersecurity in general - and their actions in particular!

Dashboards for security management

Even today, SSI dashboards are not widely deployed in companies with over 100 employees. According to a CLUSIF study on IT threats and security practices in France (2020 edition), only 30% of the organizations surveyed (350 in total) have one.

But what's the point of setting up a security policy if it's impossible to determine the organization's level of risk and its compliance with its chosen policy?

The answer is clear: nothing! To protect the company, the CISO has no choice but to go the "dashboard" route, as the creation of tailor-made tools (generally Excel-based) is the only way for him to monitor all IS-related actions and set up a continuous improvement system.

The dashboard plays two roles.

  • On the one hand, it provides information and diagnosis. The CISO is thus in a position to monitor the effective implementation of the security policy, at all levels of the organization.
  • On the other hand, it enables you to react, to decide, in other words, to control your company's overall security level by taking appropriate action.

Each type of dashboard also meets a specific need, which is why CISOs need to adopt three views (excluding real-time monitoring):

  • the operational view, to detect anomalies and incidents and specify the operational requirements to be implemented;
  • the management view, for decision-making, compliance levels and trend monitoring;
  • the strategic view, to report to the Executive Committee on risk coverage and compliance levels, and guide it in its decision-making.

Dashboards as communication tools

As all CISOs know, cybersecurity issues are still poorly known and understood, which makes it difficult to get the right reactions from the various stakeholders (operational teams and management).

A well-designed dashboard can make all the difference, enabling the CISO to position himself not as a technician, but as an expert whose primary mission is to support the business.

In this case, the SSI dashboard becomes a win/win tool, serving both the organization AND the CISO:

  • top management appreciates a rapid understanding of the organization's security situation, and feels supported in decision-making;
  • the CISO increases his chances of obtaining validation of the actions he proposes, and the resulting budget.

The same applies to operational staff. Very often perceived as an additional constraint, the dashboard can become a tool for visualizing their contribution to maintaining security. The result: data collection that is "better experienced" by employees, and more feedback for the CISO.

Provided, of course, that you've done away with complex and boring SSI dashboards!

How do you rethink SSI dashboards?

Dashboards take time and energy, sometimes for very little satisfaction in the end: they are not filled in by the teams, and are consulted (too) rarely by management. CISOs therefore have every interest in designing their SSI dashboards in such a way as to get straight to the point.

The benefits of limiting indicators

Faced with the sheer volume of work involved in creating and monitoring dashboards, every CISO would do well to ask two questions beforehand:

  • Should I include in my dashboard everything I'd like to share with my management/everything I'm capable of showing?
  • Is the aim to demonstrate that I could be an Excel black belt?

In both cases, the answer must be no!

Once again, the dashboard is a management and communication tool. As such, it should only present indicators with certain characteristics.

  • Representativeness: there's no point in displaying indicators that aren't related to a risk. It's better to focus, starting by identifying a major risk by business line, and breaking it down. This approach enables a comparison to be made between the current situation of the information system and that which the CISO wishes to achieve and maintain over time.
  • Relevance: indicators for which data is not regularly and systematically available should be discarded, so that only known and reliable elements are included in the dashboard.
  • Adaptation to the target audience: the indicators to be used for an operational dashboard cannot, in essence, be similar to those used in a strategic dashboard. So there's no need to include the causes of security incidents in a table addressed to a COMEX! The information will be of interest to operational staff, who are in a position to change their practices, but not to top management, who will not have the solution and are more concerned with strategy.

The importance of customizing dashboards

Let's face it: Excel isn't sexy. So as not to discourage the recipients of his dashboards, the CISO has to be cunning, by adapting his presentation to expectations.

In concrete terms, a dashboard that is easy for the uninitiated to consult is above all a summary. A strategic SSI dashboard should enable decision-makers to understand very quickly where potential problems lie, and what level of investment is required to cover the risk.

Of course, the form also counts: a good dashboard must also be clear, readable and even "talkable". There are two best practices that CISOs can adopt to improve their presentation.

  • Visual representation: risk can be represented in many ways, from a simple two-dimensional diagram (risk impact/frequency, for example) to a radar display. This type of presentation has the advantage of highlighting certain findings, and thus supporting the CISO's discourse.
  • Color codes: green to indicate compliance, orange to warn of non-conformity without endangering the IS, and red for non-conformities that reveal a risk.

Tenacy to change your mind about dashboards

Did you know that there's now a tool designed by CISOs for CISOs, which makes dashboarding easier, faster and more complete?

It's one of the features and benefits of Tenacy!

Developed within an adaptable, collaborative SaaS solution, our cybersecurity management solution enables CISOs to develop and manage their SSI dashboards efficiently, thanks to functionalities 100% adapted to their business.

  • Setting indicators specific to their security policy
  • Pre-configured indicators
  • Customized, modular and intuitive construction
  • Dynamic management of perimeters and groupings
  • Collaboration (web, roles and scopes, workflow and reminders)
  • Multiple collections (GUI-XLS-API)
