Cybersecurity Governance in Distributed Business Models
by Anastasios Arampatzis
With businesses adopting a distributed business model, where data, applications and services are hosted by multiple, dispersed cloud environments, executives and security teams need to make decisions about cybersecurity risk. How can organizations control, direct and communicate their cybersecurity risk management activities? Let’s have a deep dive into cybersecurity governance.
What is cybersecurity governance?
MITRE defines governance as “the set of responsibilities and practices exercised by those responsible for an enterprise (e.g., the board and executive management in a corporation) aiming at providing strategic direction to ensure that objectives are achieved, risks are managed appropriately and verify that the enterprise’s resources are used responsibly.”
Hence, cybersecurity governance “refers to the component of enterprise governance that addresses the enterprise’s dependence on cyberspace in the presence of adversaries.” The NCSC states that “Security governance is the means by which you control and direct your organization’s approach to security. When done well, security governance will effectively coordinate the security activities of your organization. It enables the flow of security information and decisions around your organization.”
While governance includes day-to-day management activities, its perspective is inherently strategic. Just as cybersecurity is the responsibility of everyone within an organization, security decision-making can happen at all levels. To achieve this, an organization’s leadership should use security governance to set out the cybersecurity risks they are prepared to accept, and those they are not.
Which way to cybersecurity governance?
Making the organizational move from a divided hierarchy to one in which strategy informs operation (and vice versa) is a difficult challenge. Communication is key to effectively managing expectations, messaging, and security posture throughout the process. However, organizations must understand that there is no ‘one size fits all’ approach to security governance.
The approach you eventually adopt will vary. At one extreme you may choose a formalized security framework, with clearly defined roles and business processes. At the other you may choose a more informal approach to directing, controlling, and making security decisions. Answering the following questions will help you decide how formal your approach should be:
- How large and complex is your organization?
- What resources are available for security governance?
- What does your organization do? How important is security to meeting the organization’s objectives and goals?
- What are the considerations shaping operations and security? These may include, for example, contractual, legal, regulatory or sector-specific requirements.
In other words, your approach to cybersecurity governance should identify the security decisions that need to be made, the people who will make them, and the information required to make sensible and informed choices.
What are the outcomes of good cybersecurity governance?
Regardless of the level of formality that you will opt for, good cybersecurity governance should deliver the following outcomes:
- Align security activities with your organization’s goals and priorities.
- Identify the individuals, at all levels, who are responsible for making security decisions and empower them to do so.
- Ensure accountability for all decisions.
- Ensure that feedback is provided to decision-makers on the impact of their choices to create space for improvement.
- Integrate security governance into the organization’s wider approach to governance. Security needs to be considered alongside other business priorities, such as health and safety, or financial governance.
Considerations for implementing security governance
At most companies, boards and senior executives acknowledge the serious threats that cyber-attacks pose to their business. What they are not sure of is how to create a strategy that helps them understand and address the threats, in all their forms, today and in the years ahead. The following considerations can help business executives make good cybersecurity governance a reality.
- Build a holistic program to protect your organization that goes beyond technical controls
Remember that more spending does not necessarily lead to better protection. Instead, use organizational structure and governance to enhance cybersecurity protections, and focus your strongest protections on the most important systems and assets. Use targeted analytics to detect and eliminate threats from adversaries within the organization, and respond to emerging attacks by applying threat intelligence and analytics. Build the processes, architectures, and operating models necessary to protect sensitive data in public cloud platforms, and use comprehensive dashboards to accurately identify, size, and prioritize cyber threats for further mitigation. Finally, ensure that information technology, cybersecurity, and risk professionals work together to protect the organization from cyber threats and reduce the overall risk to the business.
- Engage all stakeholders required to ensure appropriate support and decision-making
The CISO should use tangible mechanisms – alignment with business goals, awareness training – to build a framework for fostering cybersecurity discussions within the organization, gain buy-in throughout the company, and improve decision-making. This framework will help the board of directors seek the correct cybersecurity data and ask the right questions. Since organizations do not operate in a vacuum, businesses should also engage constructively with policy makers and governments on building a legislative framework that promotes a strong cybersecurity posture.
- Integrate cybersecurity with business strategy to build trust and create value
No matter which sector you operate in, the mindset needs to shift towards a resilience model – attacks will happen; the question is how you will ensure business continuity even under harsh conditions.
Cybersecurity governance the ADACOM way
ADACOM has established its own Governance, Risk management, Compliance (GRC), and Assurance services portfolio based on Information Resilience, which goes beyond the traditional Information & Digital Security models. We have adopted a holistic approach towards protecting all types of sensitive information, in all phases of the information life cycle, regardless of the underlying business and technology ecosystem, and regardless of the business vertical.
ADACOM offers a wide range of cybersecurity governance consulting services which cover:
- CISO Services
- Governance and strategy
- Compliance management
- Risk management
- Maturity assessment
- Third Party Management
- Business Continuity Management
- End user awareness and executive training
- GRC automation
- Vulnerability Assessment & Penetration Testing
- Social Engineering
To discover how we can help you, contact one of our experts.