Steve Durbin is CEO of Information Security Forum. He is a frequent speaker on the council’s role in cybersecurity and technology.
Information security management is the guiding hand that organizes risk mitigation efforts and leads to a business-oriented strategy for the entire organization. Yet governance can be a huge challenge because organizations are dynamic entities operating in a backdrop of constant change with varying levels of cybersecurity maturity and multiple conflicting priorities.
While misdirected governance can expose the organization to multiple risks and weaken overall security, engaged governance can make the organization more resilient to cyberattacks and significantly increase long-term business success.
So how can organizations build engaged governance? That answer lies in the maturity of the information security function and in the competence and skills of security practitioners.
The five levels of security maturity and the resulting effect on governance
Security maturity in organizations can be divided into five levels. Let’s take a look at what these are and what strategies can be followed to better align information security with the organization’s goals and strategy.
1. Ad hoc governance
Startups and small businesses often exhibit a rudimentary form of governance. They share the same characteristics in their security behavior, which is a chaotic mix of activities with no plan to determine whether policies, controls, and actions make the organization more secure.
At this level, the information security function may not exist as a dedicated unit and most individuals will be involved in running and maintaining systems rather than having a planned approach to governance.
It is therefore advisable to keep a log or record of all security activities explaining what is being done and why. It is also prudent to log the skills and abilities of those employed in the security function, as this exposes the differences between what the security organization is currently doing, what it needs to do, and whether it can do it.
2. Establish basic structures and processes
This level represents a step up from the chaotic and reactionary form of governance. There are several reasons why the security function aspires to this level: a company suddenly has to be accountable to regulators; a serious incident triggers an investigation of the security culture; a merger involves an assessment of existing governance processes.
At this stage, understanding of security practices is improving, but there is less understanding of how policies, standards, and controls affect how employees conduct their day-to-day activities.
Therefore, it is important that the security function defines its policy set, ensures that the organization meets its compliance and regulatory obligations, and establishes a baseline expectation of good cybersecurity. This includes naming the people who “own” each policy. Create a central policy repository and ensure that proposed policies cover the who, why, what, when, where, and how of security. Assess the impact and effectiveness of policies on existing work practices, and establish an evaluation process to refine policies at regular intervals.
3. Go beyond the basics
This marks a subtle but important shift in the view of the information security department. It is no longer trying to improve itself, but is starting to lift its gaze and think about what it is doing in relation to the wider organization, its strategy and the approach it is using to execute that plan.
This level requires better relationships with stakeholders outside of the security team, who will be subject to security rules and regulations.
Exploring the business from this vantage point helps security teams turn guidelines into tangible action. At this level, the security function grows in terms of personnel and responsibilities. This growing responsibility, oversight, and involvement can create a structural change that can decouple security from IT, allowing it more freedom to interact with other departments, while maintaining a link with IT, where it can continue to advise on policies, risks, and governance.
4. Extend and mature
This level is about expanding the scope of governance in relevance and value. Information security concerns are now incorporated into planning, project management and production processes, and “business as usual” is now in constant contact with security professionals.
This ongoing contact further enriches the practitioners themselves, building knowledge of the larger organization and helping them become more familiar with day-to-day business concerns and the risks that arise from them.
The information security function can now take shape: the employees with a more operational role remain with ICT, and the employees working on policy, assurance and advice remain with the core security function. This is a stage where the governance function can drive awareness and security behavior across the company, including awareness of the risks associated with third-party partners.
5. Achieving embedded and influential governance
This level demonstrates a high level of security management maturity. Rather than being seen as separate from the business strategies it seeks to influence, the security function is now woven into the fabric and direction of the organization. Now aligned with the organization’s overall business direction, governance can:
- Assist in identifying and handling risks on a daily basis;
- Advise on the risk implications of emerging projects;
- Prepare the organization to respond quickly to ongoing risks and threats;
- Demonstrate whether existing controls and procedures are appropriate for the current level of risk; and
- Shape work practices to ensure security behaviors permeate the whole organization.
Close ties with key regulators can develop. Some mature organizations may even go beyond regulatory mandates.
The reward for engaged governance is the satisfaction of seeing a strategy come to fruition, helping the organization manage the risks, and giving it the tools and attitudes to recover quickly from setbacks.
Governance, of course, does not end there. In the next phase, the board will address questions of cybersecurity ethics and sustainability as part of its drive for a more sustainable future.