Best moments from “Hacking Security Reporting”

Here is a six minute video full of great moments from “Hacking Security Reporting: An hour of critical thinking about producing, reading, responding, and repeating the process of understanding your security posture.”

Watch the full video.

Our guests for this discussion were:

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, PlexTrac

PlexTrac is a powerful, yet simple, cybersecurity platform that centralizes all security assessments, pentest reports, audit findings, and vulnerabilities. PlexTrac transforms the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize analytics, and collaborate on remediation in real-time.

Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the perfect platform for CISOs!

Best Bad Idea

Congrats to Brian Colt, information security engineer, DASH Financial Technologies for winning this week’s Best Bad Idea.

Other honorable mentions go to:

“Use baseball signals for security reporting.” – Valarie Apperson, copywriter, SAMSUNG SDS

“Write out your key metrics using homemade invisible ink. Send to the board along with lemon juice and a note ‘I’ll give you the other ingredient if you make the CEO give me my budget for Next Gen Quantum-powered AI XDR.’” – Dutch Schwartz, principal security specialist, AWS

“Create a 47-slide PowerPoint deck and walk the board through every possible framework and report card (NIST CSF, COSO, ITIL, ISO27k, HIPAA, 800-53 MITRE, GDPR, and CCPA). At the end of each slide say, ‘but wait, there’s MORE!’” – Dutch Schwartz, principal security specialist, AWS

“Use automated responses for the first 80% of reports. Chances are some of them will be right! Time saver!” – Valarie Apperson, copywriter, SAMSUNG SDS

10 percent better

“Make sure your reporting metrics contain previous values to show trend and direction for the metric. Example: quarterly board reporting should also show previous quarterly metrics (as percentages).” – Mike Wilkes, CISO, SecurityScorecard

“Find a way to relate what you’re reporting to another department’s interest, e.g. how this helps the CFO, the Sales department, or HR.” – Matt Black, director of information security, Minted

“Create templates for your reports and stick to them. This will streamline report creation and enable better communication to the board.” – Brian Colt, information security engineer, DASH Financial Technologies

Quotes from the chat room

“I would theorize that sometimes LOB owners are not always the right people to accept/reject risk. It depends on the risk’s impact.” – Mathew Biby, CISO, Satcom Direct