Today, enterprises must grapple with a panoply of numerous and highly sophisticated threats. In response to this dangerous landscape, it is no wonder that businesses are increasingly turning to security dashboards – a powerful communication vehicle for all information security professionals. An effective security dashboard provides personnel, ranging from security analysts to CISOs, with the tools to report on incidents and evaluate security risks. Providers typically offer customers a number of customizable solutions, but this variety begs the question: what features make a security dashboard most effective? We asked industry experts for their tips on what they recommend a powerful dashboard must have.
1. Make It Relevant to the Audience
In your opinion, why is it so important to understand your audience when creating a security dashboard? What are the main differences between potential audiences?
David Miklasevich, Tripwire | @DaveMiklasevich
It is important to create security dashboards because each audience (persona) has different objectives and responsibilities within their enterprise. To illustrate, one of the major responsibilities of a CISO is to ensure that the enterprise is kept secure according to the business objectives outlined by the organization’s security council and board of directors. In other words, the CISO's objective is to protect the organization against reputational and financial damage. CISOs are concerned with:
- Staying informed about the complete visibility of all active threats, as well as the scope and responses when it comes to protecting critical assets;
- Leading efforts to formulate a defensible security practice that helps contain data loss and reputation damage;
- Ensuring industry and community threat intelligence sharing for proactive response; and
- Providing solution integrations and IT Ops collaboration for effectiveness and better ROI.
In contrast to a CISO, a security analyst sets out to harden, investigate and respond to security incidents. Their concerns are:
- Hardening endpoints and reducing the attack surface as a preventive defense against incidents and losses;
- Identifying weak-spots and suspicious changes for proactive remediation;
- Automating monitoring and alerts in an effort to quickly investigate endpoint changes, IoCs, and threat intelligence;
- Having the ability to revert to “safe-config” in the event of a breach;
- Using industry IoC and threat intelligence to research and defend active and potential attacks; and
- Leveraging security and IT Ops integration for faster investigation and response.
2. Sell Success, Not Fear
When developing a security dashboard, why is it so important to sell success rather than fear? How can you effectively demonstrate value by showing impact and improvements?
Scott Crawford, 451 Research | @s_crawford
There’s always enough fear to go around, and as a motivator, your organization is already responding to it. They employ you, after all, to address that fear! But it's more complicated than that. They are employing you because they want to see a positive impact from security investment. You know that the security challenge is asymmetric: while the adversary can focus on a specific target, the defender must make the best use of limited resources to prioritize and remediate the most significant exposures. Dashboards are one way to demonstrate achievement toward these objectives. Professionals should use security dashboards to not only demonstrate to their leadership that they are making progress toward improving metrics such as mean time to remediate high-priority vulnerabilities and exposures, identification of critical assets, and compliance with policy objectives. They should also use them to measure progress toward their goals or to identify where they can win needed support. For example, in the event that they cannot find personnel who come equipped with the skills needed to improve progress, security personnel can use dashboards to demonstrate the impact that well trained individuals could have on finding and resolving issues and threats, as well as to subsequently leverage that insight for training and cultivating available skills. Similarly, if corporate personnel are consistently opening the organization to exposure, security personnel can capture that information and incorporate it into security awareness training that enlists people as part of effective defense.
3. Be Brief and Concise
When creating a security dashboard, why is important to be brief and concise? What must you consider when communicating both security and organizational objectives in an effective manner?
Katherine Brocklehurst, Tripwire | @Kat_Brock
The most important consideration for designing a powerful security dashboard is to know who your audience is and what they want and need to know. To achieve that, you should ask them questions and spend time with them or someone they appoint as liaison in order to understand their needs and refine your methods. It nearly always comes down to simplifying highly complex data into effective, on-point risk visuals. The upper management of most companies is strapped for time, has a low attention span for technical topics, and tends to have an itch for action. These executives nearly always want to know “what does this mean, and why do I care?” Brevity and relevance are therefore best for any technical explanation. Organizational leaders need strong context, and a dashboard needs be vetted with them first to ensure that it communicates alignment between security risk and business goals. As a result, the dashboard should inherently answer the following:
- What risks are important to the business?
- What is the current, accurate security status of the business?
- What trends are evident in security today about which upper management should know?
- How does the compare with others organizations and industry standards?
- Are there predictive qualities that can help us remediate risks?
An effective executive dashboard will, at a glance, tell them something relevant. It should be simple and well labeled, (Don’t call it a CVE or even a vulnerability – call it a risk.) offer a drill-down capability to underlying data or other visualizations, have built-in pull-downs for explanations, and shed insight on trends and industry comparisons. For executives, red and down is bad, whereas good is up and to the right. This comes from their backgrounds in finance. You might thus want to consider asking your internal marketing resources to help you design visuals that simplify your explanations. Start small. Pick one visual and refine from there, adding as it gains traction.
4. Use Compelling Visualizations
In your opinion, why is it important to use compelling visualizations for a security dashboard, and can you give any examples of what you think is most effective?
Thom Langford, Publicis Groupe | @ThomLangford
Forget the data, forget the metrics, and forget the Excel graphs. The single most important thing in building a powerful security dashboard is the presentation of the information itself in a way that creates a visceral response from the audience. The best way of doing this is to get a professional on board, be that someone from your marketing team, the creative department, or even a third party. You need someone with user experience or user interface design skills who can present the information not only in a visually appealing way but also in a manner that makes logical sense and smoothly guides the viewer through the data. This is harder than you may think! The other skill this person should bring to the table is the ability to help you filter through the trash metrics, that is, the ones that are of little value or are there to make your other metrics look good (also known as "vanity metrics”). Ultimately, this is about a clear division of labor. You provide the data, and they present it powerfully for you.
5. Allow Data to Be Drilled
A security dashboard can give you a solid overview, but how important is it have the ability to drill down in to the data? Are there any particular resources you could use to help you do this?
Mandy Huth, Belden | @BeldenInc
Security dashboards are important and can give an “at a glance” picture of the overall health of your ecosystem. I believe that you should be able to have three “views” that you can work within and drill down into (or roll up!) in order to make a dashboard most effective. Talking to the CEO or the Board: How secure are we? Pictures speak volumes, but imagine being able to provide a single number that represents the strength of your security. Your answer: “Last month we scored 58 out of 100. This month, we improved 2 base points to 60. We are trending on average +1.5 points per month over the past quarter and have improved by 18 points since this time last year.” That is a message that executives are accustomed to hearing financially, so it stands to reason they could easily translate it into understanding the condition of the overall security ecosystem. Furthermore, having the ability to break down that single number by location, platform, or criticality to discuss the most significant security initiatives will resonate with them as you discuss the key accomplishments or obstacles that are pertinent to your program. Management: What is our strategy, and where do I focus my limited resources? This is where drilling down from dashboards can help.
As a manager, my strategy includes increasing our CIS compliance through strong server configurations. This will improve security posture by making system intrusion more difficult for bad actors. I want to be able to click on that bottom line, which shows trending month over month and get a list of all of the systems on that line as well as their corresponding scores and specific policies to be updated. I can then estimate how many systems need attention and how many rules/policies need to be considered, information which will help me assign the appropriate resources to accomplish each task. Drilling down here allows me to manage the program timing and estimate what we can accomplish for the year. Sec Ops: What systems do I need to better protect and how? Your manager has outlined that you need to improve security by 15% by reducing your attack surface. You need to focus on removing high impact vulnerabilities from your most critical assets. To accomplish these goals, you could use scans from Tripwire IP360 that includes the Tripwire Enterprise integration. This very helpful dashboard shows:
- The oldest scans (meaning you have dated visibility into any vulnerabilities),
- The most severe/hottest vulnerabilities (usually remotely available, automated exploits),
- Your critical assets that have vulnerabilities on them, and
- “Watch list” vulnerabilities that are seeing lots of activity or are seen as high impact threats in the market.
Each section is expandable and provides you with a list of the assets that are impacted, as well as the exact vulnerability that is impacting that asset and its CVSS (Common Vulnerability Scoring System) score. You now know not only which systems you need to work on but also what you have to address AND, most importantly, how to address it. As the above discussion demonstrates, having various tiers of information with the ability to roll up information and drill down into the details helps you to effectively articulate a security message, create sound strategies with appropriate resource levels, and take action to improve your security protections.
6. Present Trending Information
A security dashboard can comprise many components, but how important is it to present trending information? What value does that add and why?
Matthew Pascucci, Security Architect | @MatthewPascucci
One very important thing about trending metrics, especially within security, is that you can’t manage what you can’t measure. If a security program is attempting to remove risk from the environment, security practitioners need to have tangible evidence that the risks are being resolved. If trending information is not being shown, there’s no true evidence into how your programs have evolved, either for the better or the worse! These trending results can show immediate need within your environment and provide an untainted view into your security posture, but if you’re not measuring these trends and acting on them, you’ll never get to a point where you’re improving security. This allows for a more proactive, instead of reactive, approach to security.
7. Ensure Customizability
As multiple members of staff or even external folks may use a particular security dashboard, how important is it to have the ability to customize your dashboard, and what advice would you give when designing one?
David Monahan, Enterprise Management Associates (EMA) | @SecurityMonahan
A customizable dashboard can differentiate a good solution from an ineffective one. As such, it can propel a solution forward because it creates value on an individual, group and organizational level for several reasons.
- Individuals think differently, and because of that, they associate information differently. By allowing them to customize a dashboard, individuals can create relationships the way they perceive their world. This will help them to make better business decisions.
- Different groups and roles have different data needs. By allowing different groups to customize a dashboard, each can get value out of the tool, thereby greatly increasing its utilization and overall value. This also helps the team that spearheads the tool's development, for if organizations see that they are receiving value, they are more likely to support a dashboard with funding.
- Organizational units and business leaders have always struggled to get the data they need in a timely manner. By virtue of having flexibility through customization, as metrics and needs change, the tool is more likely to be able to adapt, thus maintaining its relevance to the environment without requiring additional investment, as well as facilitating business rather than being an impediment.
Reporting, metrics, and dashboards are key to extracting value today. Many solutions have been cast aside due to an inability to adapt reporting to varied needs and use cases. By making the reporting and dashboard functions flexible, the solution can evolve to the customer's needs with little resources needed from the solution creator, a freedom which is useful for all involved parties.
8. Keep Them Web-Based and Compatible with Smart Devices
Security dashboards are generally for the busy executive and need to be accessed on the go. How important is it to keep them web-based and compatible with smart devices? If possible, could you please provide visual examples of good mobile dashboards?
Tony Martin-Vegue, Gap, Inc. | @tdmv
CISOs, regardless of the size of their company, have an expectation that they will have up-to-the-minute security information so that they can answer surprise questions from colleagues, the Board, and customers. There is no better way to provide this type of information quickly than through a security dashboard optimized for mobile devices. The information should be succinct, easy to access, and custom-tailored for the executive. For example, some managers may prefer a high-level overview of security and compliance efforts, and others may want precise numbers on the number of virus infections, malware blocked, or attempted network intrusions. Either way, the security dashboard needs to be flexible enough to fulfill a variety of needs and optimized for any device.
9. Thoroughly Vet the Information Before It Is Presented
Before you present the data to the rest of the organization, how important is it vet that information? What advice could you offer to ensure mistakes aren’t made?
Andy Rose, National Air Traffic Services (NATS) | @AndyRoseCISO
Business executives tend to be highly skilled at reviewing large amounts of information to rapidly draw conclusions. If they find flaws in the information, it immediately undermines their confidence in the data, the presenter and, ultimately, the proposed conclusion. As such, it is imperative that dashboard data is correct when it is first presented. Nothing will undermine your credibility quicker than incorrect data that the exec spots and you didn’t! That said, it’s not an easy job to do, and I have the scars to prove it. I’ve worked with CEOs and CIOs that have had an almost supernatural ability to ask that one question or spot that one data point. It tends to come with experience, and I now find that I do it to my staff. Start with the basics and work your way through the following questions:
- Do all the figures add up correctly? Does the total come to 100% rather than 99.4%? If not, why not?
- Is all the data there? If you have 15 business units, are all represented? What sources are missing and why?
- Is the data contextually sensible? Think whether all the data points are consistent in terms of scope, timescales and accuracy. Are you adding apples to oranges?
- What story is the data telling? Look for data points that sit on the edges of that tale or tell a different story. Can you explain those inconsistencies? Now look at previous dashboards. What has changed, and what does that suggest?
- What is the action? Information is meant to drive actions, so what are the actions that you propose? Does the data justify that? What will the dashboard look like once you have implemented your proposal?
Finally, remember that anomalies and inconsistencies can be permissible. Just ensure they are annotated and that you can confidently explain them!
10. Benchmark Yourself to Your Peers in the Industry
When creating a dashboard, why is it important to benchmark yourself against your peers in the industry?
Sarah Clarke, Consultant | @S_Clarke22
In terms of benchmarking yourself against peers, why would you not? One can hold an opinion about what constitutes good enough security (even a well researched and externally validated opinion), but unless it's tested against local reality, it remains theoretical. Who can afford to do meaningful tests of multiple options? The only option is to learn from peer experience. Of course your peers may not have it right. It's not a case of copying their point on a generic curve or spider diagram. It’s also not about justifying spending on the same tools they have. (I’ve seen pitches driven this way that sound perilously close to kids demanding the latest unjustifiably expensive trainers because their mates have them.) It is about delving deeply into the maturity a solution represents and comparing it properly to the current state and potential capabilities of your own company. It's also about risk. ‘Good enough’ will vary depending on local exposure, potential impact, and proximity of risks. Within an industry, you have a fair chance of finding businesses with comparable risk profiles, so sharing intelligence can be mutually beneficial. Overall, a dashboard is only as good as the accuracy of the starting point, clarity of the picture, ability to measure progress, and the realism (with existing capability and obtainable investment) of the target. A key part of that is industry context, so yes (in my opinion), peer benchmarks are essential. Title image courtesy of ShutterStock
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.