Most security professionals are "people of action." You know, they like to do things. The bad guys are always on the attack, so any time we are not being proactive to protect ourselves, we're losing ground.
Moreover, I am a proponent of running your IT shop like a business -- I call it the Pragmatic Way. If you consider IT, and security, specifically, to be a business function (which you should), then you need business metrics to show trends and your effectiveness.
Security ROI elusive
Before we jump into the specifics of a logical SMB security reporting process, let's discuss return on investment (ROI). Candidly, ROI is the bane of the security professional's existence. The bean counters want to know how a new security device, service or process is going to "add to the top line" or maybe "help with the bottom line." How can a security investment be justified in comparison to buying another sheet metal bending machine to crank out 15% more widgets per day?
It can't. Security isn't something that can be baked into an ROI calculator. Lots of vendors try because they think that's what will help them sell security products to SMBs, but it's a fool's errand. In reality, security is like disability insurance. It seems like a waste of money until you have an unfortunate accident and can't earn. So you can't really quantify a business gain from a security investment -- but you certainly can quantify a loss when a hacker takes down your Web site for two days or, even worse, accesses your database for a few months.
It makes more sense to focus a reporting program on mostly operational functions, helping you to react faster to potential breaches and other security issues. To provide some context, I don't believe you can really anticipate threats or block zero-day attacks. You need to have the information to figure out if something is out of the ordinary because that is your first indication that something is wrong. That's what your reports need to do.
Focus on the operational
I believe most of your reporting focus should be on monitoring your networks, servers and applications and figuring out what your baseline is, in terms of which devices communicate with which servers over which protocols. You need to understand typical application usage models and data access models, as well. You really want to figure out what is "normal" on a daily basis. Get a report that lets you know if your environment is still normal at the end of the day.
Senior management is really concerned with whether it's getting any kind of value out of the money you spend. So you should focus senior management reports on the number and types of attacks and how you've stopped them. A lot of that data will be in your firewall and intrusion detection/prevention system (IDS/IPS) logs. The point is to convince senior management that if those defenses weren't there, it would be very painful.
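The two reports described above, the end-of-day "is my environment still normal?" check and the management summary of blocked attacks by type, can both come from the same log feed. The script below is an added example, not code from the article or from Security Incite; it assumes a simplified, constructed firewall/IDS line format (date, ALLOW/DENY, src, dst, proto, dport, optional signature name) and uses a few days of constructed sample lines. It learns the baseline set of allowed (source, destination, protocol, port) flows from the earlier days, lists any flow on the review day that the baseline has never seen, and counts denied events per signature for the management view.

```python
"""Daily baseline deviation report and management attack summary.

Added example (not the article's own tooling). The log format below is
an assumption made for this example, and the lines are constructed.
Format: <date> <ALLOW|DENY> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port> [sig=<name>]
"""
from collections import Counter
import re

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
    r"(?: sig=(?P<sig>\S+))?$"
)

# Constructed sample: two baseline days (03-01, 03-02) and the review day (03-03).
SAMPLE_LOG = """\
2024-03-01 ALLOW src=10.0.1.20 dst=10.0.2.5 proto=tcp dport=443
2024-03-01 ALLOW src=10.0.1.21 dst=10.0.2.5 proto=tcp dport=443
2024-03-01 ALLOW src=10.0.1.20 dst=10.0.2.9 proto=tcp dport=3306
2024-03-01 DENY src=203.0.113.7 dst=10.0.2.5 proto=tcp dport=22 sig=ssh-bruteforce
2024-03-02 ALLOW src=10.0.1.21 dst=10.0.2.5 proto=tcp dport=443
2024-03-02 ALLOW src=10.0.1.20 dst=10.0.2.9 proto=tcp dport=3306
2024-03-02 DENY src=198.51.100.4 dst=10.0.2.5 proto=tcp dport=80 sig=sqli-attempt
2024-03-02 DENY src=203.0.113.7 dst=10.0.2.5 proto=tcp dport=22 sig=ssh-bruteforce
2024-03-03 ALLOW src=10.0.1.20 dst=10.0.2.5 proto=tcp dport=443
2024-03-03 ALLOW src=10.0.1.21 dst=10.0.2.9 proto=tcp dport=3306
2024-03-03 ALLOW src=10.0.1.30 dst=10.0.2.9 proto=tcp dport=3306
2024-03-03 DENY src=198.51.100.4 dst=10.0.2.5 proto=tcp dport=80 sig=sqli-attempt
2024-03-03 DENY src=192.0.2.77 dst=10.0.2.5 proto=udp dport=53 sig=dns-amplification
"""


def parse(text):
    """Parse log text into a list of dicts; lines in an unexpected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flow_key(e):
    """The tuple that defines 'who talks to whom, over what' for baselining."""
    return (e["src"], e["dst"], e["proto"], e["dport"])


def build_baseline(events, before_date):
    """Set of allowed flows observed on days strictly before before_date."""
    return {flow_key(e) for e in events
            if e["action"] == "ALLOW" and e["date"] < before_date}


def daily_deviations(events, baseline, day):
    """Allowed flows on `day` that the baseline has never seen: the 'not normal' list."""
    new_flows = {flow_key(e) for e in events
                 if e["date"] == day and e["action"] == "ALLOW"
                 and flow_key(e) not in baseline}
    return sorted(new_flows)


def management_summary(events, start, end):
    """Count of blocked (DENY) events per signature over [start, end] inclusive."""
    counts = Counter(e["sig"] or "unclassified" for e in events
                     if e["action"] == "DENY" and start <= e["date"] <= end)
    return dict(counts)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    baseline = build_baseline(evs, "2024-03-03")
    print("New flows on 2024-03-03 (review these):")
    for src, dst, proto, dport in daily_deviations(evs, baseline, "2024-03-03"):
        print(f"  {src} -> {dst} {proto}/{dport}")
    print("Blocked attacks by type, 2024-03-01..03:")
    for sig, n in management_summary(evs, "2024-03-01", "2024-03-03").items():
        print(f"  {sig}: {n}")
```

On the constructed data the deviation list contains two flows to the database host on port 3306 from sources that never reached it during the baseline days, which is exactly the kind of "something changed" signal the operational report is meant to surface; whether it is a new application server or a problem is the analyst's call. In practice the baseline window should be long enough to cover weekly and monthly cycles (backups, batch jobs), or every Monday will look abnormal.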
Auditors are a different animal. They need to understand the set of controls you have in place and that those controls are operational. So you should pull different audit-centric reports (all leveraging the same data) that show security architecture and security policies deployed on network devices and servers. Then you can show other log-oriented information to make it clear that those policies are in place and enforced.
You also probably want to pull reports about things like antivirus coverage and patches for the auditors. Not that this helps you operationally in any way, shape or form, but it does provide more substantiation that you are enforcing your policies.
The reports that an SMB requires must focus on metrics that are mostly for operational requirements. IT security professionals need to react faster to potential threats, and that starts with having information about what's going on in your environment. Then it's a matter of substantiating the effectiveness of your defenses (for senior management) and the controls you have implemented to meet compliance regulations (for the auditors).
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about The Pragmatic CSO at www.pragmaticcso.com, read Rothman's blog at http://blog.securityincite.com, or reach him via email at email@example.com.