When management doesn't discuss security monitoring, budget never gets allocated for detection tools, incidents get hidden instead of reported, and your business bleeds data without knowing it. A real example: a Delhi-based e-commerce firm lost customer payment details for 3 months because the IT person saw suspicious logs but never escalated them to the owner; by the time the breach was discovered, 50,000 customers were affected, RBI fined the firm ₹25 lakhs, and customers sued. Without management-level discussion, you also fail compliance audits (DPDP, CERT-In) and lose customer trust if a breach goes public.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You find no evidence of security monitoring being discussed in any management meeting or email. The owner and IT person work in silos, and alerts go unread or are deleted without review.
Initial
You find occasional emails or chat messages where the IT person mentions a security issue to the owner, but there's no structured process and no follow-up. Decisions are made ad-hoc and forgotten.
Developing
You find quarterly or half-yearly management meetings with a standing agenda item on security and monitoring. Minutes show decisions made and some actions assigned, though execution is patchy.
Defined
You find monthly management meetings with documented security monitoring updates, clear ownership for actions, and evidence that decisions are being implemented. Key metrics on detection and response are tracked.
Managed
You find fortnightly or weekly security briefings where monitoring data is reviewed, trends are analyzed, and risk decisions are made with documented business justification. Escalation paths are clear and tested.
Optimised
You find continuous real-time management dashboards, daily incident reviews at director level, board-level quarterly reports on security posture, and a proven cycle where monitoring insights drive strategic investment and policy changes.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Owner schedules first 30-minute security chat with IT person; IT person prepares a one-page summary of what they monitor and one recent incident or near-miss to discuss. | Owner/MD and IT Manager | 1 day |
| 1 → 2 | Create a one-page 'Security Monitoring Agenda' for quarterly management meetings; IT person prepares a 5-minute update on key metrics (login failures, malware blocked, downtime, customer complaints). Record in meeting minutes. | IT Manager and Finance Head | 3-5 days |
| 2 → 3 | Move to monthly 15-minute security monitoring reviews; create a simple one-sheet template showing alerts, incidents, actions taken, and risks. Assign owners for follow-ups and verify closure in next meeting. | Owner/Operations Head and IT Manager | 2-3 weeks |
| 3 → 4 | Introduce a dashboard (even a simple Excel file updated weekly) showing detection trends, incident response time, and open risks; brief management bi-weekly; tie monitoring insights to budget decisions for tools and staffing. | IT Manager and Finance Head | 4-6 weeks |
| 4 → 5 | Automate alert summaries via email or tool, conduct board/investor-level quarterly security reviews with business impact analysis, and use monitoring data to drive annual cyber risk strategy and investment roadmap. | Owner, CTO (if exists), IT Manager, and Board | Ongoing, 2-3 hours per month |
Documents and records that prove your maturity level.
- Meeting minutes or recorded agenda from management/leadership meetings showing 'Security Monitoring' as a standing item, with attendees, dates, and decisions recorded
- One-page or dashboard summary (even a simple Excel file) of security monitoring metrics reviewed at management level in the last 90 days
- Email trail or chat log showing IT person raising a security concern and owner/manager responding with a decision or action
- Incident or alert log showing that at least one detected event was escalated to management and a decision was documented
- Written security monitoring checklist or brief document that management has acknowledged, showing what is being monitored and why
Prepare for these questions from customers or third-party reviewers.
- "Can you show me the last three management meetings where security monitoring or incidents were discussed? Who attended and what decisions were made?"
- "When was the last time you detected a security incident or alert? Who was informed, how quickly, and what happened next?"
- "Does your leadership team review any metrics or dashboard on security detection and monitoring? If yes, how often and what do they do with this data?"
- "Walk me through a recent example where a monitoring alert led to a management decision—what was the alert, who decided what to do, and how was it resolved?"
- "If your IT person found malicious activity on your network tomorrow, would the owner/MD know within 1 hour? How does that communication happen?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Log and alert aggregation (collecting alerts from servers, firewalls, antivirus into one place) | Graylog (self-hosted, requires basic Linux skill) or ELK Stack (Elasticsearch + Logstash + Kibana) | Splunk (₹3–5 lakhs/year for small deployment) or Microsoft Sentinel (₹50,000–2 lakhs/year depending on data volume) |
| Simple dashboard to show monitoring status and incidents to non-technical managers | Google Data Studio or Grafana (dashboarding, pulls data from logs) | Datadog (₹1.5–3 lakhs/year) or New Relic (₹1–2 lakhs/year) |
| Meeting agenda and minutes template with security section built in | Google Docs, Microsoft Word template, or Notion; create a simple checklist | Confluence (if using Atlassian, ₹30,000–80,000/year) or Asana (₹50,000/year with reporting) |
- Owner assumes IT person is 'handling security' and never asks questions—then a breach happens and owner is surprised. In India, many MSMEs treat IT as an overhead, not a strategic function that needs executive attention.
- Meetings happen but no follow-up: IT person presents alerts, owner nods, nothing changes, no budget allocated, and same problems repeat quarterly. After 6 months, meetings stop happening because 'nothing ever changes anyway.'
- Management only gets involved during a crisis (after a breach or audit failure), not proactively. This reactive posture means you're always one step behind and fixes are expensive emergency patches instead of planned improvements.
- IT person is too technical in their reporting and uses jargon ('SSH brute-force attempts from ASN 12345'); management doesn't understand the risk and deprioritizes it. Translation into business language is skipped.
- No written record of decisions: verbal discussions happen ('Yeah, buy that security tool') but minutes aren't taken, so when something goes wrong, there's no audit trail and nobody remembers what was actually agreed.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(1) and 8(2): Data fiduciary must implement security measures and demonstrate reasonable security. Section 6(2): Data processor must notify fiduciary of breaches 'without undue delay'—management-level discussion ensures this happens. |
| CERT-In 2022 Directions | Direction 4: Organisations must establish an incident response plan and communicate incidents to relevant stakeholders and CERT-In. Management discussion ensures incident detection and reporting protocols are understood and followed. |
| ISO 27001:2022 | Clause A.12.4.1 (Event logging) and A.12.4.3 (Protection of log information): monitoring must be logged, protected, and reported. Clause 4.3 (Determining scope) and 5 (Leadership): management involvement in defining and maintaining security scope. |
| NIST CSF 2.0 | Detect (DE) function, specifically DE.AE-1 (Audit and event data available for analysis) and DE.AE-3 (Event detection tools configured). Govern (GV) function: GV.PO-1 (Policies, processes, procedures, and practices are managed to enable organizational objectives for cybersecurity governance). |