Governance for Cybersecurity
Governance: any self-respecting IT person's eyes will glaze over at the mention of the word, but governance will only grow in importance in the coming years. In this context the word covers the standard controls of a governance framework, and I also include risk in my own personal definition of governance. As a cyber security professional, I must advise my customers on governance, compliance issues and regulations as they pertain to the security posture of their organizations. If you work in a company dealing with medical data or banking, or one that falls under PCI DSS, then you will recognize the complexities surrounding IT when it comes to complying with these industry regulations.
Why is it important?
Let's begin with why governance will become increasingly important. GDPR has been a huge issue for companies and organizations over the past few years, but GDPR is just one of the many regulations that organizations must deal with as part of doing business. Depending on the industry you are part of, there can be even more regulations and compliance issues to deal with, and more are being added on a continuing basis by governments around the world. Why? Because we read about new information leaks and hacks on pretty much a weekly basis, and the number of these news stories shows no sign of slowing down. They are becoming commonplace, just like stories of corporate misconduct, which I will return to later.
So, the regulatory pressure will continue to increase in the coming years, especially from governments around the world. Governments cannot afford to just stand by while the information on their citizens is being lost or misused by companies. Add to that the plethora of corporate scandals we have seen in the past few years, and you can see why we are being inundated with new regulations by governments. On top of governmental regulation, the industry bodies that maintain compliance frameworks for the various industry verticals keep updating them to address the latest threats. You can see why governance structures in an organization are important and will become increasingly important as time goes by.
What are the options?
Implementing governance in any kind of organization is not something to approach halfheartedly! If you are working within a company that has no culture or history of governance, then you are facing an uphill battle. There is no other way to say it. If, however, you are lucky enough to be part of a company that takes its responsibility seriously, regardless of whether or not it has a culture of governance, then you are lucky! Cherish the company and your position in it. But how do you go about beginning an implementation of governance in a company? Regardless of the culture in the company, you will of course have to get buy-in from management, preferably from the highest echelons of management! Trying to implement governance from the ground up is a losing battle.
When looking into implementing a governance program, one of the first challenges is deciding which framework to go for, because there are plenty of possibilities out there. Depending on which industry you are working in, some of the options are mandatory, but the rest of us will have to look into at least some of the ones below:
- ISO 27001 Information Security management
- ISO 27701 Privacy information management
- ISO 37001 Anti Bribery management systems
- PCI DSS Credit card data protection
- COBIT – Control Objectives for IT
- ISO 31000 Risk management
- …
On top of the list above, we must consider the requirements of our own companies and the industry regulations that apply to us. We cannot just pick a governance framework and implement it as is. We must consider the regulations that apply to us and implement our chosen governance framework so that it caters to those compliance requirements, as well as to the realities and culture of our companies. Look at the triangle below.
The IT infrastructure is at the bottom, but note that I did not mention IT in the business process layer or the governance layer of the triangle. That is a conscious choice on my part! There is no company today that I can think of that is not relying on IT systems in some manner. Business processes are run on IT systems or are supported by IT systems, and governance is applied on top, as a way of controlling the business as a whole. IT is no longer an issue that is dealt with in the IT department; IT is a business issue. Risks and threats to the IT systems are now risks and threats to the business and must be dealt with at the executive level, with the board well informed of any issues related to IT. Governance is the way to make this happen.
Governance is a business requirement
This section reflects my own personal views on the importance of governance in companies and organizations. I mentioned previously that a governance structure will make it easier for a company to become compliant with new regulations and to demonstrate compliance during an audit of the company. But having governance structures in place will also show that the company has made an effort to implement security in its business and protect the data of its customers, making it easier to show to any regulatory bodies, in the event of a breach, that security measures were in place when the breach happened, which makes a smaller GDPR fine probable in case of lost personal data.
Aside from the various regulations that governance can help a company or organization keep up with and stay in compliance with, I firmly believe that governance will become the tool in the coming years that provides the public and investors with confidence in a company. I am based in Denmark, where we have seen some of the biggest banks embroiled in the biggest money laundering scandals on the planet. None of those banks have shown any inclination to implement any of the international governance systems in their business, beyond those required of them as banks, and they are thus hemorrhaging customers by the bucket load to other banks. I myself left one of those banks, precisely because of that. Investors have been selling their stocks in the banks as well, making the value of the banks on the stock market plummet.
I am sure that you have examples from your own country that can substitute for the banks in my example. This is the reason for my opinion on the importance of governance in any company, for without it, how are customers to trust a company with their data, or investors to trust a company with their investments? So, governance will only increase in importance in the coming years!
Tom Madsen
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and has covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISC, CCSP, CDPSE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book, "Security Architecture - How & Why".