At Havoc Shield, infosec dashboard best practices come up early and often in our conversations with technology leaders. Often it's the lack of a robust infosec dashboard that is the wake-up call that leads a CIO, CTO, or CISO to engage our team to get to a better place. In our review of the prior infosec dashboards that clients bring with them as they transition into the Havoc Shield platform, we've seen it all: the good, the bad, and the ugly.
From that breadth of experience -- and from what we learned as we built our own platform's dashboard capabilities with extensive client input -- we offer the following trends as best practices for 2020.
This is item #1 for a reason; it's not a coincidence. We see it as vital that your dashboard quantifies the extent to which your organization is engaging with infosec policies in the way you have asked it to: for example, when you roll out a new Acceptable Use Policy and ask all employees to review and acknowledge it, or when your quarterly cybersecurity training arrives and you need a sense of how rapidly your team is clicking through to participate. Whatever initiatives you have underway, cybersecurity policies don't do much good unless the team is engaged, so we say that Engagement Metrics are "tops" when it comes to what you want to be sure to include in an infosec dashboard.
Ever tried to explain what a reflected cross-site scripting vulnerability is to a board of directors? Eyes may glaze over faster than you can suggest a coffee break. And candidly, that's fair. When illustrating the status of your company's cybersecurity posture to broad groups that include non-technical members, it's important to abstract your performance into a metric that serves as a "headline" for those who aren't inclined to dig further. In Havoc Shield, for example, we present a "Shield Score" that is a Red/Yellow/Green system. Yes, there are numbers behind it. Yes, there is an audit trail of what caused increases and decreases. Yes, there are incredibly detailed backing reports that justify how we arrived at the score. But we start with the Shield Score, and we suspect your non-technical and board-of-directors audiences will appreciate that -- as a discussion-starter that helps shape whether a deeper-dive discussion is necessary.
Let's get real. You don't have zero threats at this point, or at any point past or future. There's always something. A plug-in on your CMS that has fallen out of date. A misconfigured cookie. A subdomain with an expired SSL certificate. A mixed content warning. Something.
A great infosec dashboard should give you a sense of the top threats (and their associated mitigating tasks) that are presently the most important priority. The infosec dashboard isn't the place for the dozens of possible infosec improvements under consideration, but it is the place for some indicator, metric, or summary of the very next one (or few) threats that need to be addressed, preferably with some way to navigate to the tasks that will soon be underway to mitigate them.
Even though not all viewers of your infosec dashboard will thirst for the next-level details behind each summary item, it's crucial to provide a path to those details for those who are interested. There is some interplay here with our discussion of employee engagement: you want to stoke the flames of any interest in cybersecurity that your team expresses. Give them an outlet to learn more, engage more, and become your ally in companywide infosec matters. You'll be glad you did.
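As an added illustration (not Havoc Shield's own code, and not the Shield Score logic), here is a minimal model of the four practices above: engagement rates computed from a constructed roster, a Red/Yellow/Green headline with an audit trail recorded behind it, only the top few open findings shown with their mitigating tasks, and a re-score after one is closed. The roster, findings, and colour thresholds are all assumptions made up for this example.

```python
from dataclasses import dataclass, field

STAFF = ["ana", "ben", "cho", "dev", "eli"]          # constructed roster
AUP_ACKNOWLEDGED = {"ana", "ben", "cho", "dev"}       # who acknowledged the Acceptable Use Policy
TRAINING_COMPLETED = {"ana", "ben"}                   # who finished this quarter's training
OPEN_FINDINGS = [                                     # constructed: (finding, severity 1-10, mitigating task)
    ("CMS plug-in out of date", 8, "Update the plug-in to the vendor's current release"),
    ("Subdomain with expired TLS certificate", 7, "Renew the certificate and enable auto-renewal"),
    ("Session cookie missing the Secure flag", 5, "Set Secure and HttpOnly on the session cookie"),
    ("Mixed content warning on a marketing page", 3, "Serve every asset on the page over HTTPS"),
]

@dataclass
class Dashboard:
    staff: list
    acknowledged: set
    trained: set
    findings: list
    audit: list = field(default_factory=list)   # why the headline changed; this is the drill-down path

    def engagement(self) -> dict:
        """Practice 1: how much of the team is doing what the policies ask of them."""
        total = len(self.staff)
        return {"aup_ack_rate": len(self.acknowledged & set(self.staff)) / total,
                "training_rate": len(self.trained & set(self.staff)) / total}

    def headline(self) -> str:
        """Practice 2: one Red/Yellow/Green headline, with the numbers behind it kept in the audit trail.
        The thresholds below are assumptions for this illustration, not Havoc Shield's scoring."""
        eng = self.engagement()
        worst = max((sev for _, sev, _ in self.findings), default=0)
        if worst >= 8 or eng["aup_ack_rate"] < 0.5:
            colour = "RED"
        elif worst >= 5 or eng["aup_ack_rate"] < 0.9 or eng["training_rate"] < 0.5:
            colour = "YELLOW"
        else:
            colour = "GREEN"
        self.audit.append(f"{colour}: worst open severity {worst}, AUP ack "
                          f"{eng['aup_ack_rate']:.0%}, training {eng['training_rate']:.0%}")
        return colour

    def top_threats(self, n: int = 3) -> list:
        """Practice 3: only the next few threats, highest severity first, each paired with its task."""
        return sorted(self.findings, key=lambda f: f[1], reverse=True)[:n]

    def close_finding(self, name: str) -> str:
        """Resolve a finding and re-score; the audit trail (practice 4) records what moved the headline."""
        self.findings = [f for f in self.findings if f[0] != name]
        return self.headline()

if __name__ == "__main__":
    d = Dashboard(STAFF, AUP_ACKNOWLEDGED, TRAINING_COMPLETED, list(OPEN_FINDINGS))
    print(d.headline(), d.engagement(), d.top_threats(), sep="\n")
    print(d.close_finding("CMS plug-in out of date"), *d.audit, sep="\n")
```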
We've got opinions about infosec dashboards -- we'll be the first to admit it. We're passionate about helping our clients not only manage their cybersecurity programs but also communicate the impact of those programs to their broader teams. To that end, here's an example of the simplest infosec dashboard, the one we start our new clients out on. You'll see that (no coincidence) it covers the four best practices described earlier in this article.
Interested in accelerating your company's infosec dashboard efforts? We're here to help, and the dashboards we suggest you start with are available on a turnkey basis. Feel free to get started here, and let us know if you need a hand!