Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

The Case for Compelling Executive Dashboards
Threaded  |  Newest First  |  Oldest First
User Rank: Ninja
12/3/2014 | 1:51:35 PM
Executive Dashboards...
"Communicating complex security issues quickly and clearly to a non-technical audience is a frequent challenge in our jobs."

No, it's impossible and therein lies the problem. Because CEO's and other c-level individuals are so busy (eyes rolling), they want everything to be quick and fast, hence the "Executive Summary". I do understand and do not expect them to understand all of the specifics of Heartbleed, POODLE or why MS14-068 is more important for a Domain Controller than it is for his laptop, but I do expect her\him to expect more than a summarized "Good - Fair - Bad - High - Medium -Low - Red - Yellow - Green" description of serious problems that will\may eventually affect the business, sorry but everything cannot be explained in the time that it takes to ride an elevator.

I believe that C-Level individuals responsible for security or expressing that information to those who are higher up should schedule time with security people so that they can get a (working) understanding of why Drupal announced in October that a Core - SQL Injection vulnerability was so dangerous and that web admins should update NOW and why they (Drupal) came back in November and warned that if your site wasn't patched within a specific period of time... (HOURS) of that initial warning, your site was most likely compromised. How do explain that along with 30 - 40 other issues on a dashboard or an executive summary? You can't, I have a hard enough time trying to get the folks who should understand these problems to understand why these are problems.

Believe me, I do understand the need for brevity but I think dashboards and summaries should be more for that manager who understands what he's reading and knows how to research it and ask questions. Here's a suggestion that I tried before, I suggested a "ride-along", the next time that a Vulnerability assessment or PENTEST is scheduled, invite those c-level people to observe and ask questions, that's powerful stuff.

I guess what I'm really saying is that these folks should be as engaged in the stuff that they don't fully understand as the details of running the rest of the business, we're not trying to make them security experts... just better informed.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/4/2014 | 7:55:49 AM
Re: Executive Dashboards...> "ride-alongs"
 I suggested a "ride-along", the next time that a Vulnerability assessment or PENTEST is scheduled, invite those c-level people to observe and ask questions, that's powerful stuff. 

Interesting suggestion @ODA155. Is that something you've done with your top execs or heard about at another company? Please share!
User Rank: Ninja
12/4/2014 | 10:07:21 AM
Re: Executive Dashboards...> "ride-alongs"
Marilyn Cohodas,... sure. I have done this before at another company I worked for and currently trying to get it started with other senior IT and business managers... my boss is working on trying to get a C-Level or two to engage. But it all started back in early days of SOX and mandatory compliance, the company I worked for, we were having discussions around password configurations, because there was never any "real" policy there was plenty of push-back when trying to decide what that policy would be. One morning I was with an auditor and an admin "discussing" how many AD accounts to audit with L0phtCrack 4 (LC4) because we would need to expire those passwords and thus forcing users to change them, L0phtCrack exposes the password and weak passwords get exposed faster than stronger passwords. The CEO just happened by my office and heard us and wanted to see what we were doing. Well we chose 100 accounts, after I clicked the Run command there were almost 100 exposed passwords and what remained were exposed in less than 30 seconds. He was blown away, he even asked me to target all of the C-Level user accounts, the results were the same. We (security) got the password policy that we wanted.

After the SQL Slammer and other Malware events around that time, he got directly involved with discussions around the need\requirements for patch management solutions and better AV tools. When I say "he got involved", he didn't take over discussions but he listened, he did his homework and he asked questions. I think the biggest problem he had to overcome was getting used to the view at ground level as opposed to the "high-level" or 10,000 foot view.

I don't think every security topic lends itself to this type information sharing, you have to choose something that directly affects them, get them coming back and then show them how very expensive tools work. I've used CoreImpact and Metasploit to show developers how bad code gets exploited. Now I'm trying to available time for once a month sessions to review production code with these guys, once you get the momentum you have to keep it going.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/4/2014 | 10:19:51 AM
Re: Executive Dashboards...> "ride-alongs"
Great example of bringing "experiential learning" to the C-suite. Be sure to let us know how you make out with your developers. I'm curious to know whether they will be more or less responsive than your C-level bosses. Good luck!

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file