And finally, I'll report on security events. Why? Because I need to show the direct correlation between security events and lack of compliance in order to drive change. I guarantee that unless you have other compensating controls in place, such as IPS or other activity-blocking infrastructure, incidents rise when resources aren't patched or in compliance with antivirus policy.
My plan is to report to the CIO every quarter on the number of managed and unmanaged devices, and the data related to patches, antivirus and incidents. This will make him aware of the status of the environment (after all, the CIO is ultimately responsible for IT) and hopefully drive change in our risk exposure. Will I be the most popular guy in the room? Probably not. Are these metrics relevant? Absolutely. And until we implement network access control to interrogate each and every device that is attached to our network, we will continue to have issues in this area.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.