Metrics can have a surprisingly strong effect on management. You just have to present them properly.
At issue: You don't know where some dangers lurk unless you look for them.
Action plan: Develop a regular program of metrics, and find an interesting way to present them to the CIO.
I spent the past week deciding which metrics I want to collect and present to the CIO on a quarterly basis, and how I will present them. I'm using Microsoft SharePoint to collect my metrics and will export the results to an Excel spreadsheet so that I can create some interesting pivot tables and charts. The idea is that I simply have to input the data, and the resulting presentation will be automated. I can even incorporate the Excel charts into PowerPoint so that I only have to open the presentation each quarter and the data will be updated automatically. And, if I can pull it off, I can have some of the metrics automatically populate my SharePoint list. Gotta love automation!
To begin with, I'm conducting discovery scans on the entire enterprise to identify the total number of devices (beginning with PCs and servers) connected to the network. I'm using Nessus to conduct these scans, since it's a fairly robust independent tool. The price is reasonable for a one-year license, and it lets us scan our entire address range. I'm also using Altiris, which is a Symantec tool that we use for software distribution and reporting. And finally, there's Symantec AntiVirus Server for reporting on antivirus compliance.
Initial results are alarming. Our company has about 3,000 workers (including contractors). You would think that a discovery scan of desktops would yield about 3,000 unique desktop-class PCs, with workers who are not in the office offset by those who have more than one PC. Our result: 4,200 PCs! Next, I generated a report to see how many of those PCs have the Altiris Agent installed so that we can control the configuration. Only 2,400. This means there are 1,800 PCs whose integrity we can't vouch for. And any unmanaged resource represents risk.
I did the same for servers. I obtained all the IP address spaces for each data center and remote office and conducted discovery scans of all resources that looked like they were running a server operating system. The result: 1,200 servers (including virtual machines). Next, Altiris reported only 800 servers, leaving 400 that we know nothing about. And 30 of those servers are in our DMZ!
Besides reporting the ratio of managed to unmanaged devices, I will be reporting on how many of those devices are in compliance with our patch management policy. We apply Microsoft patches one month after they are released, giving us time to test different environments and applications. I'll also report on the number of resources that are in compliance with our antivirus/spyware policy, meaning they have the most updated software and pattern file.
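The reconciliation the column describes (discovery scan versus management-agent inventory, then patch and antivirus compliance over the managed hosts) is easy to automate once the data is exported. The Python below is an added example, not the author's SharePoint/Excel setup or any Nessus, Altiris or Symantec code; the host list, IP ranges (the DMZ range uses the 203.0.113.0/24 documentation prefix), patch identifiers and pattern versions are constructed for illustration, and the 30-day grace period is the column's "one month after release" policy.

```python
"""Compute managed/unmanaged and compliance metrics from discovery-scan data.

Added example, not from the original column. In practice `discovered` would be
built from a Nessus host export and `managed_ips` from an Altiris agent report;
everything below is constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
import ipaddress

PATCH_GRACE = timedelta(days=30)  # policy: patches applied one month after release
DMZ_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed DMZ address range


@dataclass
class Host:
    ip: str
    kind: str                         # "pc" or "server", per the discovery scan
    # patch id -> release date, for patches the host has NOT installed (hypothetical ids)
    missing_patches: dict = field(default_factory=dict)
    pattern_version: str | None = None   # AV pattern file version reported by the agent


def classify(discovered: list[Host], managed_ips: set[str]):
    """Split discovered hosts into managed (agent present) and unmanaged."""
    managed = [h for h in discovered if h.ip in managed_ips]
    unmanaged = [h for h in discovered if h.ip not in managed_ips]
    return managed, unmanaged


def in_dmz(ip: str, nets=DMZ_NETS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def patch_compliant(host: Host, today: date) -> bool:
    """Compliant if every missing patch is still inside the grace period."""
    return all(today - released <= PATCH_GRACE
               for released in host.missing_patches.values())


def av_compliant(host: Host, current_pattern: str) -> bool:
    return host.pattern_version == current_pattern


def metrics(discovered, managed_ips, today, current_pattern):
    """Per device class: discovery vs. agent counts, DMZ exposure, compliance."""
    managed, unmanaged = classify(discovered, managed_ips)
    out = {}
    for kind in ("pc", "server"):
        m = [h for h in managed if h.kind == kind]
        u = [h for h in unmanaged if h.kind == kind]
        total = len(m) + len(u)
        out[kind] = {
            "discovered": total,
            "managed": len(m),
            "unmanaged": len(u),
            "managed_pct": round(100 * len(m) / total, 1) if total else 0.0,
            "unmanaged_in_dmz": sum(in_dmz(h.ip) for h in u),
            # compliance is only measurable where the agent reports, so it is
            # counted over managed hosts; unmanaged hosts are simply unknown
            "patch_compliant": sum(patch_compliant(h, today) for h in m),
            "av_compliant": sum(av_compliant(h, current_pattern) for h in m),
        }
    return out


# ---- constructed sample data -------------------------------------------
TODAY = date(2009, 3, 1)
CURRENT_PATTERN = "3.2.1"
SAMPLE_HOSTS = [
    Host("10.0.1.10", "pc", {}, "3.2.1"),                              # fully compliant
    Host("10.0.1.11", "pc", {"PATCH-A": date(2009, 2, 20)}, "3.2.1"),  # missing patch, within grace
    Host("10.0.1.12", "pc", {"PATCH-B": date(2008, 12, 1)}, "3.2.0"),  # overdue patch, stale AV
    Host("10.0.1.13", "pc"),                                           # no agent at all
    Host("10.0.2.5", "server", {}, "3.2.1"),
    Host("203.0.113.7", "server"),                                     # unmanaged, in the DMZ
]
MANAGED_IPS = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.5"}

if __name__ == "__main__":
    for kind, row in metrics(SAMPLE_HOSTS, MANAGED_IPS, TODAY, CURRENT_PATTERN).items():
        print(kind, row)
```

Joining the two inventories on IP address, as above, is the weakest part of this in a DHCP environment; where both tools export it, join on hostname or MAC address instead, and treat any host that appears in the scan but not in the agent report on two consecutive runs as confirmed unmanaged rather than a transient lease. The DMZ count is the figure to put at the top of the CIO slide.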