One of my GIAC Gold candidates recently finished his project and his report has been published in the SANS Reading Room. The abstract of the paper is:

Executives are increasingly interested in the state of information security for their

organization. The media and press are frequently reporting new methods of technology

attack and how another organization has become a victim. Regulators and auditors

including PCI, GLBA, SOX, HIPAA, etc. are demanding more executive time and

attention. Routinely communicating in a clear and concise manner with the CIO and

CFO is necessary for today's information security leader. Determining what should be

communicated and in what format can be a chal lenge. This paper wi l l provide readers an

approach for creating a Security Scorecard to routinely update the C FO and CIO

regarding information security compl iance, investment, and risk metrics.

The paper is an excellent read and worth your time if you are working in an information security leadership position. In it, the author explores how to determine what to communicate, and provides excellent guidance on how to do it.

For more information, please see the article in the SANS reading room.