Tenable Blog

Strategies for Security Governance

In my last post, I gave some reasons why your board of directors and senior management need to be involved in your security efforts. But obtaining and maintaining an acceptable or reasonable security posture requires effective security governance. Let’s look at how you assemble the most effective strategies and techniques to gain and maintain that support.

Drivers for effective security governance

There are many converging drivers that require every organization to have an effective security governance function. These drivers include:

  • Growing compliance regulations, including new laws and regulations designed to force improvement in organizational governance, security, controls and transparency.
  • Clearly defining information risk parameters and risk assumption frameworks. This means that you need to define and publish risk tolerance parameters and who can assume that risk, along with proper vetting similar to credit reviews done at banks.
  • The expanding cyber threat landscape, because threats have increased the need for a governance approach to information management.
  • Increasing technological risks. Virtualization, cloud computing, mobile computing, IT consumerism, social networks, data cloud storage and sharing all require effective security governance oversights.

Finally, there is decreasing tolerance for not adhering to “generally accepted security practices.” Going forward, organizations must “nail the basics.” The “good enough” approach to security is not good enough anymore.

Effective security governance fails if it is not integrated into an overarching information security strategy, supported by senior management and the board, and linked with business and IT objectives.

Characteristics of an effective security governance function

Successful or end state security governance functions have the following characteristics:

  • Defined risk tolerance parameters for the organization
  • Defined risk assumption framework and who can assume risk
  • Consensus that security is authoritative at the enterprise level (i.e. remember the weakest link principle)
  • Recognition of information security as a regular cost of doing business, not as a discretionary budget item
  • Adequate, sustained funding and allocation of security resources
  • The level of security supported is based upon need, not upon unilateral business decisions

Governance responsibilities and practices exercised by the board and senior management provide strategic direction, ensure that information security objectives are achieved and ensure risks are managed appropriately.

Strategies and tactics to engage senior management

Board communications should occur at least once a year. You should benchmark your security posture to established security standards bodies (e.g. ISO, COBIT, NIST, ISF) to answer questions about your organization’s security maturity stance.

Progress should be measured year over year, against a defined level of due care, and against companies of similar size and segment (i.e. peer or industry group benchmarking).

All major risks or gaps reported or disclosed to the board should be submitted with action plans for resolution or at a minimum, with the next steps to resolve gaps. Information security needs to be owned by senior management, with issues vetted before going to the board.

Establish a broad and easily understood measurement for information security risk decisions (i.e. a risk assumption model or framework). Address the risk assumption and risk tolerance issues early with senior management and get your risk assumption framework approved by the board.

When dealing with contested security issues, or when escalating security risk issues to senior management, assume that your audience does not understand information security. Your narrative messages should be short—preferably one page and no longer than two pages. Talk in business risk terms and terminology. Be factual: issues must be dealt with in a straightforward manner. Do not sugar coat or exaggerate issues. Fear, uncertainty or doubt should not be used. Jargon should be explained or not used at all.

Senior management should be updated at least three times a year on the general risk posture of the organization and outstanding high risk security issues that are being monitored.

Ongoing communication tactics

Maintaining ongoing communications is critical to keeping senior management engaged.

Effective communication techniques include:

  • Proactively circulating current news articles about threats and breaches, along with a short statement about your own posture.
  • Producing and circulating monthly or quarterly reports on vulnerabilities, breaches and status. Give senior management a heads up about new security policies or safeguards being deployed. Establish a group of champions from the business to help vet new policies before they go to senior management, so you can demonstrate that business concerns were taken into account before the policy is presented.
  • Regularly informing senior management on incident response activities including insider activity incidents.
  • Issuing annual planning guidance and expectation memos for their individual business unit’s yearly planning.

Heads up – why governance fails

Effective security governance fails if it is not integrated into an overarching information security strategy, supported by senior management and the board, and linked with business and IT objectives. It also fails if it does not align information security activities throughout the organization.

Other activities can negatively impact an effective governance program and erode support:

  • When security organizations cry “wolf” or “the sky is falling” too often
  • When information security activities are not risk-based and expressed in business terms
  • When risk assumption protocols and an organization’s overall risk tolerance parameters have not been followed
  • When the information security organization does not gain assurance that the organization is compliant with applicable legislation and regulations
  • When an organization’s security posture is not measured against tangible benchmarks, and security initiatives are not measured against objectives and success criteria
  • When the board of directors and senior management reporting and discussions lack structure or discipline

Security governance is only successful when it is integrated into an information security strategy and supported by your board of directors.
