By Joseph Dalessandro
October is National Cyber Awareness Month, and we’ll be spotlighting cybersecurity content on the blog all month long.
Information security governance is perhaps the most challenging aspect of cybersecurity.
Governance, while not a four-letter word, is often discussed with the same grumble that one uses when speaking about the dentist or aged fish. The basics of governance revolves around the advancement that simple accountability and transparency deters calamity. One cannot predict and avoid all disasters — think volcano here — but at the same time, one cannot grade one’s own homework.
It works well until there is a real test and someone else has the red pen. I think it was the queen of corporate governance, Nell Minow, who said, “watched boards change.” I agree, and would say this observation can be applied all the way down the corporate chain into an organization: those that change are the ones who are watched as objectively as possible.
So what does this have to do with cybersecurity, and why is governance hard in the cybersecurity space? There are a number of reasons for this perception. First, boards have been bamboozled by jargon and an IT executive tier that has been unclear and unsure of what and how to report on security. (For those of you on boards, when was the last time you had a security executive discuss the direct link between spend and the measured reduction of risk?). Indeed, in a Bay Dynamics/Osterman Research survey, “the majority (85%) of board members believe that IT and security executives need to improve the way they report to the board.”
While I am not a fan of standards for standards’ sake, the ISO/IEC 38500:2008 Corporate governance of information technology has the following useful definitions:
- Corporate governance: The system by which organizations are directed and controlled.
- Corporate governance of IT: The system by which the current and future use of IT is directed and controlled. Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization.
- Management: The system of controls and processes required to achieve the strategic objectives set by the organization’s governing body. Management is subject to the policy guidance and monitoring set through corporate governance.
Security leaders should tack these definitions to their wall.
When it comes to how security leaders can set the right direction for the board and make sure the Board has the right information for strategic oversight, I think it is a “two-way street.” Boards need to come to the security business and ask questions and security leaders need to come to the Board with improved reporting. Perhaps an improvement would be an approach that keeps the security report separate and distinct from that of technology. For organizations where information security, or cybersecurity, does not report to IT— bravo! You have taken a step toward greater transparency. The inherent mission of IT is accessibility and availability and the inherent mission of security is possession (control), protection and integrity. These missions are often in conflict, and managing them under the same leader (often a technology leader), could result in a Head of Security who does not have the chance to challenge or push back against the IT Executive who writes their performance assessment and controls their compensation.
We can better coordinate, manage and govern our complete security capabilities by bringing cybersecurity out of IT and taking a more holistic approach to incorporating physical and facility security, fraud and loss mitigation, and the other components converging security capabilities, data collection, management, and ultimately governance.
An organization’s board and business management must be in alignment where spend and the use of emerging technology are converging for the business. Security leaders should consider the following approach to champion governance:
- Above all, be transparent and accountable. Don’t tell the board what they want to hear or what you think they want to hear (they know when they are being managed). Represent the security program objectively. Characterize how security investments support the delivery of value for the business and supports organizational objectives.
- Do the hard work to consistently measure, monitor and report on security risk, and to provide the analysis between security investments and the execution to mitigate or manage risk and reduce or limit potential impact.
- Share performance and achievements of security resources — these drive the execution of a program and they are where the rubber meets the road for execution of the security program. Just like other business function, people are what drive success for a security program.
- Demonstrate how cybersecurity is aligned with and supports the strategic planning and objectives of the business and the expected business outcomes. Often the inherent conflict between the IT mantra of constant access and availability will be in conflict with cybersecurity’s mission of possession, protection and integrity, but the two do not have to be contentious, but IT needs a peer who can hold IT accountable if needed, not a lackey who does what they are told.
Joseph (Joe) Dalessandro is the program chair of the Information Security Leadership program at Brandeis University Graduate Professional Studies, and the Head of Security & Technology Audit and Audit Data Analytics, Australian Unity.
Brandeis GPS offers a Master’s of Science in Information Security Leadership. The part-time, fully online program prepares graduates for leadership roles in information security with a cutting-edge, industry relevant curriculum that builds leadership savvy and skill in leveraging technical know-how. For more information, contact firstname.lastname@example.org, call 781-736-8787 or visit www.brandeis.edu/gps.