Compliance with regulations is part of doing business and is probably seen merely as a way to avoid the legal, financial, or reputational damage that might result from non-compliance. While poor compliance might signal bigger problems, including poor governance, good compliance certainly does not guarantee security. In reality, it depends on the requirements of the regulation, and interpretation and coverage can vary greatly. In general, however, regulations can be inflexible and might even draw attention away from more important security matters. Compliance should rather be seen as a starting point, not as a goal. Personally, I was always a bit conflicted about the importance of anything other than good technical skills to secure your environment. The fact of the matter is, getting breached can almost always be linked to a lack of effective processes and enterprise policies that support and reinforce cybersecurity, of which compliance is a part (but not the only part). And this is where governance comes into play.
I’ve seen different definitions of governance in cybersecurity, but here is how I see it: governance is a set of processes and policies which inform the way you do and measure security, with a clear distribution of responsibilities. So good governance in cybersecurity is about finding a core set of security principles and best practices that fit well and are appropriate for your organization, then building both a reporting and accountability structure and a cybersecurity culture that are able to translate your strategic planning and policies into day-to-day operations that keep your environment secure.
An important distinction here is that governance is not about making specific IT or security decisions; that is the role of management. A strong cybersecurity governance program, however, will allow for effective management processes, and ideally those will in turn feed back into the overall governance framework and strategic planning. Good governance will most likely lead to good compliance and support effective cyber risk management. Here are the most important attributes of a strong governance program:
- Leaders supporting and setting the tone for the organization’s cybersecurity efforts,
- Clear roles and responsibilities, with oversight from board members and C-level executives,
- Cybersecurity as organizational culture, promoting transparency, accountability, and well-defined formal communication channels,
- Clear processes and policies, as well as guidance on implementation and maintenance,
- Clear categories of measurement and evaluation metrics, and
- A strong security training and talent management framework.
Once a proper governance structure, entities/committees, and their responsibilities are defined, the rest can be achieved via information security frameworks, which are essentially a collection of plans that include guidelines and recommendations, policies, procedures, and processes for managing risk and supporting the cybersecurity objectives outlined in the governance program. There are a number of frameworks addressing those key aspects, which can be either generic or industry-specific, including:
- The NIST Cybersecurity Framework and 800 series: developed by the National Institute of Standards and Technology in the US (for the federal government, but anyone can choose to adopt NIST’s publications). It has a wide coverage of cybersecurity processes, standards, guidelines, and best practices. Some of the publications that I find particularly interesting are NIST 800-53 (for security and privacy controls) and NIST 800-161 (for supply chain risk management).
- ISO 27000 series: developed by the International Standards Organization, it is another family of information security standards and best practices. For instance, ISO 27002 can be compared to NIST 800-53, but is seen as less complex and easier to implement. Similarly, ISO 27001 can be compared to the NIST Cybersecurity Framework, and is seen as less technical and more risk-focused.
There are a number of other frameworks and standards, including the CIS Controls or the Secure Controls Framework, with obvious overlaps among them but different levels of detail and coverage. In general, either NIST CSF or ISO 27001 seems to be selected as a starting point, and from there one gets into the details with additional standards and publications to build up more robust coverage, e.g., more specifics on controls with NIST 800-53 or ISO 27002.
The point here is that once the governance drive is there, these frameworks will definitely help in building a structured approach and in maturing and strengthening your cybersecurity posture. Obviously, nothing is comprehensive out of the box, and a lot of learning and manual work is necessary to reach a good understanding of what your organization needs and of what you consider reasonable expectations for the security of your environment. Personally, I now believe a lot more in the power of good governance and frameworks than I did a decade ago, and I also believe we cannot get better and do good security and cyber risk management without them.