One of my GIAC Gold candidates recently finished his project and his report has been published in the SANS Reading Room. The abstract of the paper is:
Executives are increasingly interested in the state of information security for their organization. The media and press are frequently reporting new methods of technology attack and how another organization has become a victim. Regulators and auditors including PCI, GLBA, SOX, HIPAA, etc. are demanding more executive time and attention. Routinely communicating in a clear and concise manner with the CIO and CFO is necessary for today's information security leader. Determining what should be communicated and in what format can be a challenge. This paper will provide readers an approach for creating a Security Scorecard to routinely update the CFO and CIO regarding information security compliance, investment, and risk metrics.
The paper is an excellent read and worth your time if you are working in an information security leadership position. In it, the author explores how to determine what to communicate, and provides excellent guidance on how to do it.