
SMB security reporting: The devil is in the details

Though not the most exciting part of your job, security reporting is critical for SMBs. Both management and auditors need to be satisfied, so you'd better know what each of them is looking for.

Most security professionals are "people of action." You know, they like to do things. The bad guys are always on the attack, so any time we are not being proactive to protect ourselves, we're losing ground.

Security reporting is a critical part of the job for IT professionals at small and medium-sized businesses (SMBs). That's because IT pros spend money, and folks like chief financial officers and company owners want to know what they're doing with it. Go figure. So documenting what you accomplish, the kinds of attacks you stop and the impact all of this has on the organization is pretty important.

Moreover, I am a proponent of running your IT shop like a business -- I call it the Pragmatic Way. If you consider IT, and security, specifically, to be a business function (which you should), then you need business metrics to show trends and your effectiveness.

Security ROI elusive

Before we jump into the specifics of a logical SMB security reporting process, let's discuss return on investment (ROI). Candidly, ROI is the bane of the security professional's existence. The bean counters want to know how a new security device, service or process is going to "add to the top line" or maybe "help with the bottom line." How can a security investment be justified in comparison to buying another sheet metal bending machine to crank out 15% more widgets per day?

It can't. Security isn't something that can be baked into an ROI calculator. Lots of vendors try because they think that's what will help them sell security products to SMBs, but it's a fool's errand. In reality, security is like disability insurance. It seems like a waste of money until you have an unfortunate accident and can't earn. So you can't really quantify a business gain from a security investment -- but you certainly can quantify a loss when a hacker takes down your Web site for two days or, even worse, accesses your database for a few months.

It makes more sense to focus a reporting program on mostly operational functions, helping you to react faster to potential breaches and other security issues. To provide some context, I don't believe you can really anticipate threats or block zero-day attacks. You need to have the information to figure out if something is out of the ordinary because that is your first indication that something is wrong. That's what your reports need to do.

Focus on the operational

I believe most of your reporting focus should be on monitoring your networks, servers and applications and figuring out what your baseline is, in terms of which devices communicate with which servers over which protocols. You need to understand typical application usage models and data access models, as well. You really want to figure out what is "normal" on a daily basis. Get a report that lets you know if your environment is still normal at the end of the day.


Those reports are going to be the lifeblood of your existence as the security practitioner. But how do you make those operational metrics useful to senior management and the auditors? There are two answers.

Senior management is really concerned with whether it's getting any kind of value out of the money you spend. So you should focus senior management reports on the number and types of attacks and how you've stopped them. A lot of that data will be in your firewall and intrusion detection system/intrusion prevention system (IDS/IPS) logs. The point is to convince senior management that if those defenses weren't there, it would be very painful.
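Here is an added example (not code from the article) of what the two reports above look like in practice: the end-of-day "is my environment still normal?" check from the Focus on the operational section, which flags any permitted source/destination/protocol/port combination that the baseline has never seen, and the blocked-attack roll-up for management from the preceding paragraph. The log format, the IP addresses, the rule names and the three-day baseline are all constructed for illustration; a real firewall's log would need its own parse_line().

```python
"""End-of-day 'is my network still normal?' report plus a management roll-up.

Added example, not code from the article. The log format is a constructed,
simplified firewall line: date action src dst proto dport rule. Real products
(pf, iptables/ulogd, commercial appliances) emit their own formats, so
parse_line() is the piece you would adapt.
"""
from collections import Counter, namedtuple
from typing import Dict, Iterable, List, Optional, Set, Tuple

Flow = namedtuple("Flow", "date action src dst proto dport rule")
FlowKey = Tuple[str, str, str, int]  # (src, dst, proto, dport)

# Constructed baseline: three days of normal traffic plus routine inbound noise.
BASELINE_LOG = """\
2009-03-02 ALLOW 10.0.1.20 10.0.2.5 tcp 1433 db-access
2009-03-02 ALLOW 10.0.1.21 10.0.2.5 tcp 1433 db-access
2009-03-02 ALLOW 10.0.1.20 10.0.2.9 tcp 445 file-share
2009-03-02 DENY 203.0.113.7 10.0.2.5 tcp 1433 inbound-default-deny
2009-03-03 ALLOW 10.0.1.20 10.0.2.5 tcp 1433 db-access
2009-03-03 ALLOW 10.0.1.21 10.0.2.9 tcp 445 file-share
2009-03-03 DENY 198.51.100.4 10.0.2.8 tcp 22 inbound-default-deny
2009-03-03 DENY 203.0.113.7 10.0.2.5 tcp 1433 inbound-default-deny
2009-03-04 ALLOW 10.0.1.20 10.0.2.5 tcp 1433 db-access
2009-03-04 ALLOW 10.0.1.20 10.0.2.9 tcp 445 file-share
2009-03-04 ALLOW 10.0.2.5 10.0.2.9 tcp 445 file-share
2009-03-04 DENY 198.51.100.4 10.0.2.8 tcp 3389 inbound-default-deny
2009-03-04 DENY 203.0.113.7 10.0.2.5 tcp 1433 inbound-default-deny
"""

# Constructed "today": normal traffic, one malformed line, and two flows never
# seen before (the database server talking out to the Internet, and a new
# workstation hitting the database).
TODAY_LOG = """\
2009-03-05 ALLOW 10.0.1.20 10.0.2.5 tcp 1433 db-access
2009-03-05 firewall restarted
2009-03-05 ALLOW 10.0.1.21 10.0.2.9 tcp 445 file-share
2009-03-05 ALLOW 10.0.2.5 198.51.100.77 tcp 443 outbound-web
2009-03-05 ALLOW 10.0.1.33 10.0.2.5 tcp 1433 db-access
2009-03-05 DENY 203.0.113.7 10.0.2.5 tcp 1433 inbound-default-deny
2009-03-05 DENY 203.0.113.7 10.0.2.5 tcp 1434 inbound-default-deny
"""


def parse_line(line: str) -> Optional[Flow]:
    """Parse one log line; return None for blank, truncated or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, action, src, dst, proto, dport, rule = parts
    if action not in ("ALLOW", "DENY") or not dport.isdigit():
        return None
    return Flow(date, action, src, dst, proto.lower(), int(dport), rule)


def parse_log(text: str) -> List[Flow]:
    """Parse a whole log, silently skipping lines parse_line() rejects."""
    flows = (parse_line(line) for line in text.splitlines())
    return [f for f in flows if f is not None]


def flow_key(f: Flow) -> FlowKey:
    return (f.src, f.dst, f.proto, f.dport)


def build_baseline(flows: Iterable[Flow]) -> Set[FlowKey]:
    """Baseline = every (src, dst, proto, dport) the firewall permitted."""
    return {flow_key(f) for f in flows if f.action == "ALLOW"}


def find_new_flows(todays: Iterable[Flow], baseline: Set[FlowKey]) -> List[Flow]:
    """Operational report: permitted flows the baseline has never seen, once each."""
    reported: Set[FlowKey] = set()
    new: List[Flow] = []
    for f in todays:
        key = flow_key(f)
        if f.action == "ALLOW" and key not in baseline and key not in reported:
            reported.add(key)
            new.append(f)
    return new


def management_summary(flows: Iterable[Flow]) -> Dict[str, object]:
    """Management report: how much was blocked, by which rule, on which ports."""
    denied = [f for f in flows if f.action == "DENY"]
    return {
        "blocked_total": len(denied),
        "blocked_by_rule": dict(Counter(f.rule for f in denied)),
        "blocked_by_port": dict(Counter(f"{f.proto}/{f.dport}" for f in denied)),
    }


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for f in find_new_flows(parse_log(TODAY_LOG), baseline):
        print(f"NEW FLOW  {f.src} -> {f.dst} {f.proto}/{f.dport}  (rule {f.rule})")
    print(management_summary(parse_log(BASELINE_LOG) + parse_log(TODAY_LOG)))
```

Two caveats a practitioner would add. First, the baseline is only as clean as the window it was built from: if an attacker was already inside during those days, their traffic becomes "normal" and will never be flagged, so review the baseline before trusting it. Second, the management numbers count noise that a default-deny rule would have dropped anyway; they show that the control works, not how many targeted attacks you faced, and the report should say so.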

Auditors are a different animal. They need to understand the set of controls you have in place and that those controls are operational. So you should pull different audit-centric reports (all leveraging the same data) that show security architecture and security policies deployed on network devices and servers. Then you can show other log-oriented information to make it clear that those policies are in place and enforced.

You also probably want to pull reports about things like antivirus coverage and patches for the auditors. Not that this helps you operationally in any way, shape or form, but it does provide more substantiation that you are enforcing your policies.

The reports that an SMB requires must focus on metrics that are mostly for operational requirements. IT security professionals need to react faster to potential threats, and that starts with having information about what's going on in your environment. Then it's a matter of substantiating the effectiveness of your defenses (for senior management) and the controls you have implemented to meet compliance regulations (for the auditors).

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about The Pragmatic CSO at, read Rothman's blog at, or reach him via email at
