What is information security governance, and what does it provide to organizations that perform it well?


Before getting into the details of security governance, an overview of principles and desired outcomes provides useful context.

Principles

X.1054 provides concepts and guidance on principles and processes for information security governance, by which organizations evaluate, direct, and monitor the management of information security. X.1054 lays out as a key objective of information security governance the alignment of information security objectives and strategy with overall business objectives and strategy. X.1054 lists six principles for achieving this objective:

  • Establish organizationwide information security. Information security, or cybersecurity, concerns should permeate the organization’s structure and functions. Management at all levels should ensure that information security is integrated with information technology (IT) and other activities. Top-level management should ensure that information security serves overall business objectives and should establish responsibility and accountability throughout the organization.

    • information technology (IT)

      Applied computer systems, both hardware and software, and often including networking and telecommunications, usually in the context of a business or other enterprise. IT is often the name of the part of an enterprise that deals with all things electronic.

  • Adopt a risk-based approach. Security governance, including allocation of resources and budgets, should be based on the risk appetite of an organization, considering loss of competitive advantage, compliance and liability risks, operational disruptions, reputational harm, and financial loss.

  • Set the direction of investment decisions. Information security investments are intended to support organizational objectives. Security governance entails ensuring that information security is integrated with existing organization processes for capital and operational expenditure, for legal and regulatory compliance, and for risk reporting.

  • Ensure conformance with internal and external requirements. External requirements include mandatory legislation and regulations, standards leading to certification, and contractual requirements. Internal requirements comprise broader organizational goals and objectives. Independent security audits are the accepted means of determining and monitoring conformance.

  • Foster a security-positive environment for all stakeholders. Security governance should be responsive to stakeholder expectations, keeping in mind that various stakeholders can have different values and needs. The governing body should take the lead in promoting a positive information security culture, which includes requiring and supporting security education, training, and awareness programs.

    • stakeholder

      A person, a group, or an organization that has interest or concern in an organization. Stakeholders can affect or can be affected by the organization’s actions, objectives, and policies. Some examples of stakeholders are creditors, directors, employees, government (and its agencies), owners (shareholders), suppliers, unions, and the community from which the business draws its resources.

  • Review performance in relation to business outcomes. From a governance perspective, security performance encompasses not just effectiveness and efficiency but also impact on overall business goals and objectives. Governance executives should mandate reviews of a performance measurement program for monitoring, audit, and improvement that links information security performance to business performance.

Adherence to these principles is essential to the success of information security in the long term. How these principles are to be satisfied and who is responsible and accountable depend on the nature of the organization.

Desired Outcomes

The IT Governance Institute defines five basic outcomes of information security governance that lead to successful integration of information security with the organization’s mission [ITGI06]:

  • Strategic alignment: The support of strategic organizational objectives requires that information security strategy and policy be aligned with business strategy.

  • Risk management: The principal driving force for information security governance is risk management, which involves mitigating risks and reducing or preventing potential impact on information resources.

  • Resource management: The resources expended on information security (e.g., personnel time and money) are somewhat open ended, and a key goal of information security governance is to align information security budgets with overall enterprise requirements.

  • Value delivery: Not only should resources expended on information security be constrained within overall enterprise resource objectives, but also information security investments need to be managed to achieve optimum value.

  • Performance measurement: The enterprise needs metrics against which to judge information security policy to ensure that organizational objectives are achieved.

It is worthwhile to keep these outcomes in mind throughout the discussion in the remainder of the chapter.

Enterprise risk management is an important area of business operations that requires careful planning and strategising. Any activity that involves the development, assessment, and improvement of risk management therefore comes under the umbrella term of security governance.

As the saying goes, with great power comes great responsibility. For IT and security teams, security governance is an active responsibility that requires complex coordination across an organisation’s employees, hardware, digital assets and policies.

The ultimate aim here is to maintain effective cybersecurity and prevent the one thing any business dreads: a data breach. This, however, needs to be done by carefully considering your corporate practices, requirements, and culture.

This post takes a look at some of the salient elements of security governance and why it’s as important as it is today.

SECURITY GOVERNANCE POLICIES REGULATE COMPANY CONDUCT 

When it comes to cybersecurity, compliance should be far from optional. Research shows that many incidents stem from long-standing, preventable vulnerabilities rather than dramatic, Mission Impossible-style attacks, so sticking to established security policies and guidelines can go a long way in preventing those vulnerabilities from materialising into active threats.

In the event that a cybersecurity incident does occur, certain procedures should be in place, regardless of whether you delegate incident response and remedial action to external cybersecurity service providers or internal security teams. Regardless of who is responsible, companies need to make sure that employees are briefed and trained on basic remedial measures in the event the unthinkable happens.

Certain companies may even document these processes and procedures to ensure these resources are on-hand for easy reference and future training. 

IT ENSURES THAT YOU HAVE A COMPREHENSIVE AND COORDINATED APPROACH TO CYBERSECURITY

Another reason why security governance is so important for your company is because it ensures that your systems and policies address every threat systematically and consistently.

What we’ve often seen is that companies acquire and install solution after solution targeted at specific attacks, instead of adopting a bird’s eye view of cybersecurity and rolling out a coordinated system that addresses every threat from every angle.

This is one mistake that can severely compromise your defences, because you run the risk of not seeing what you’re missing, especially if you’ve deployed a spate of different software products without a proper strategy.

With effective security governance in place, you coordinate cybersecurity efforts across your entire organisation and ensure that everyone is on the same page in terms of the tools used and which procedures need to be followed.

SECURITY GOVERNANCE ADDS A LAYER OF PRECISION TO BUSINESS OBJECTIVES AND GOALS

Another undeniable benefit of effective security governance is that it further defines business goals, building cybersecurity into them so that they lead to successful outcomes.

This value is inherent to the process of drawing up a security governance policy, which begins with understanding your organisation’s risk culture: the risks you face as part of your business activities or that are common to businesses in your industry, and the risks you choose to take as part of your day-to-day activity.

This helps you develop a well-defined security policy, which guides security operations and activity. 

With security spending increasing across business entities, there is now a great requirement for outcome-based progress reports. This, ultimately, feeds into a company’s strategic vision, helping them grow without the fear of cyber threats and crimes.

PRACTICE EFFECTIVE SECURITY GOVERNANCE FOR IMPROVED CYBERSECURITY ACROSS YOUR ORGANISATION

What we’re trying to convey with this post is that security governance = cybersecurity. Regardless of how sophisticated your software or systems are, if you fail to tie these separate elements together in a way that addresses existing vulnerabilities and threats, they’re not as effective as you think they are.

If you’re not sure how to proceed with your own security governance strategies or policies, seek the support of certified cybersecurity professionals who can tie your security goals to the specific nature and operations of your business.

At Triskele Labs, this is one area we specialise in.