Safety Dashboards (1/4) – Introduction to Safety Dashboards
This article is the first in a series on safety dashboards.
Difficulties in design and maintenance, or a lack of relevance, often lead to ineffective dashboards. Yet a dashboard can be central to improving maturity and is, in any case, a highly effective management tool. However, this requires a well-thought-out approach to dashboard development, and the dashboard must be specifically designed for its intended purpose. In a series of posts, we will attempt to cover its various components, including its objectives, common pitfalls, and, most importantly, the issue of the information system maturity level required to implement a good IT security dashboard.
To properly understand the upcoming posts, it is necessary to clearly define the objectives that are generally assigned to a dashboard. They are essentially of two kinds: management and communication.
Whether it is a compliance dashboard or an activity monitoring dashboard, it must accurately reflect the situation and provide the information necessary for decision-making or initiating action. If well-designed, it then becomes a central element of management.
The security dashboard can also be an excellent communication tool, both internally and externally. It allows for a clear and concise presentation of several elements reflecting the IT system's status. Internally, its purposes are numerous, such as highlighting the evolution of IT security, justifying security investments to the finance department, or reassuring business units or senior management. It also enables effective external communication, for example, in the context of service delivery, where a dashboard presenting information such as availability levels or compliance with service level agreements provides a suitable summary document for the client or is a key element in responding to a request for proposals.
These two objectives highlight a crucial aspect of information security dashboards: there is no universal dashboard, but rather a multitude of dashboards tailored to specific target audiences and recipients. Therefore, it is essential to align each dashboard with its primary objectives to ensure its effectiveness.
For example, a CISO concerned with the perimeter security of some of the isolated equipment in their information system will have little interest in monitoring the inventory of user workstations or compliance with equipment disposal procedures. Conversely, in a company where many employees work with highly sensitive information (defense, research, etc.), the CISO will be deeply concerned with these measures.
Each user must align their dashboard with their objectives; under these conditions, the dashboard will be highly effective. Whether the goal is verifying compliance with a standard like ISO 27001 or with the pre-defined IT security policy, or monitoring the vulnerability of a sensitive area, the picture presented will be accurate and the actions taken relevant.
Depending on the CISO's objectives, this tool can be implemented in two main ways: the operational dashboard and the strategic dashboard.
The operational dashboard fosters a strong connection with operations and project management teams. By verifying the proper implementation of measures and monitoring relatively raw metrics, it becomes easier to intervene on specific technical elements and ensure responsive operational management.
Conversely, the strategic dashboard offers a level of abstraction that allows for reasoning in terms of risks and vulnerability levels within given scopes (geographic entity, subsidiary, activity, etc.) and for comparison. This dashboard primarily facilitates communication with senior management, for example, to justify cybersecurity expenditures, but also to strengthen the trust of numerous stakeholders, including customers, partners, and internal users.
For security monitoring, the ideal tool for a CISO would be a risk-oriented dashboard. Such an approach would allow the situation to be presented from the perspective of the level of risk to the information system and would enable strategic decision-making.
This type of ideal dashboard requires a high level of IT maturity and very sophisticated process structuring. Clearly, the level of maturity will directly impact the ability to have a high-level tool; we will explore in a future post the links that can be established between the maturity of an IT system and the possibilities for dashboard-based management.
The next article in this series deals with the links between dashboards and information security maturity.

