This is part one of a three-part series about developing a cybersecurity governance lifecycle that:
- Provides coverage while being balanced;
- Effectively meets expectations and creates efficiency;
- Assures all stakeholders they are protected.
This series explores the cybersecurity governance lifecycle in the context of enterprise governance and strategy to help reduce the confusion that can occur between governance functions within an organization. The next post in this series explores the roles of senior leaders and board members in cybersecurity governance. Part 3 reviews the role of the board in more detail.
Cybersecurity governance should do more than manage cyber risk. Good cybersecurity governance creates efficiencies by clarifying the outcomes expected from its processes and establishing boundaries of responsibility among cybersecurity practitioners, frontline operational areas, senior leaders and board members. Recently, numerous crises have drawn senior leaders and board members down into cybersecurity’s tactical concerns, which limits their ability to perform in their designated roles. This also impacts the cybersecurity organization’s ability to drive priorities to satisfy senior leaders and the board. Cybersecurity leaders can reverse this blurring of roles to every stakeholder’s benefit.
The cybersecurity governance lifecycle
A governance lifecycle for cybersecurity encompasses these fundamental components:
- Drivers, ranging from internal business strategies to external regulations, which inform policy development.
- Policies, which underpin the design of defenses: controls, processes and procedures.
- Risk management efforts via which threats against high-value assets are identified and addressed.
- Assurance mechanisms verify alignment between policies on the one hand and the effectiveness of defenses on the other.
- A governance hierarchy to establish how the cybersecurity function will address findings, handle exceptions, grant approvals, provide transparency to stakeholders and oversee operations of the lifecycle so that the business is protected — while also free to pursue strategy unimpeded.
Lifecycles are iterative by definition, which suggests that one could begin at any point. The key is to establish all of these fundamental components and improve them over time. For instance, one organization might start with ideals about what their policies and procedures need to be, whereas another needs to verify that their controls align with – and provide coverage to address key risks.
In this respect, the lifecycle applies in top-down and bottom-up ways. One example of how this works is ransomware, which continues to change and to plague organizations — and to draw senior leaders and board members deep into the weeds of cybersecurity matters. Bottom-up, cybersecurity teams report on the organization’s exposure to ransomware, on likely impacts and on controls to mitigate ransomware risk. Top-down, senior leaders and directors specify their level of ransomware risk tolerance as a matter of policy.
Do the characteristics of the cybersecurity governance lifecycle just sound like good general governance attributes? They are. Principles of cybersecurity governance are easily extended to IT and enterprise governance as well.
Getting to effective governance
One indicator of effective governance is that participants are comfortable with their knowledge of what needs to be done. They know who owns the next action as new circumstances arise, and they’re confident that the function will manage risks collectively in accordance with leaders’ expectations.
The governance lifecycle is clearly broken when, for instance, the organization has all relevant policies in place but they’re still getting regulatory fines, or they’re continuing to experience risks that don’t align with leaders’ risk tolerance.
All components of the cybersecurity governance lifecycle should be in balance, and a good place to start is to understand expectations and requirements. In other words, drivers of the governance program. Drivers are expectations and requirements contributed by regulators, board members, senior leaders, competitors or third parties. The cybersecurity function builds defenses (policies, standards, procedures and controls) with its drivers in mind, then considers how the organization is managing its risks. In particular, they explore whether controls and defenses are effective in reducing exposure to threats and their cyber risk. They know this exploration is their opportunity to address gaps and strengthen defenses. The risks reduced, risks not addressed and the impact of threats to the organization are reported to senior leaders and the board to create visibility and understanding of impacts that negatively affect operations or strategic focus.
Well-executed, these steps form a cycle that results in balance: the business is not unduly bound by defenses, but is adequately protected. Appropriate cybersecurity defenses actually improve organizational efficiency, because participants understand the boundaries within which they must operate. Cybersecurity expectations are clear and once clear can often be automated and included in organizational practices and procedures. This creates efficiency for the organization.
Because the organization operates in the real world, crises will continue to arise, and cybersecurity leaders must respond. With a sound cybersecurity governance lifecycle in place, the enterprise is better positioned to ensure ample coverage and to balance cybersecurity controls with the pursuit of new strategies and opportunities.
How do I know that I have good governance?
Cybersecurity leaders can assess maturity against this governance model by asking, “How well-positioned is our cybersecurity function to address risks and threats?”
Leaders can also test how well the lifecycle operates on an ongoing basis. Assurance is a critical component of the cybersecurity governance lifecycle because practitioners, leaders and every other stakeholder need to know that the organization’s security practices are aligned with both policy hierarchy and internal and external drivers. Assurance is the foundation of security reporting, which documents and demonstrates the organization’s diligence in protecting stakeholders from undue risk.
Efficient operation of the cybersecurity governance lifecycle stems from a focus on drivers, risks and reporting whereby practitioners implement efficient, effective – even automated – ways to conduct cybersecurity activity. With well-run governance operations, the cybersecurity function trades up from responding to broken-lifecycle problems to focusing on continuous improvement and evolving to respond to new challenges. To arrive at this state, cybersecurity leaders will want to start with incremental change: learning, doing and testing in an agile way as they transform their organizations.
Finally, it’s essential that the cybersecurity governance lifecycle harmonizes with broader IT governance efforts, and enterprise governance. Governance exists to effectively manage risk in an organization. Disconnects between cybersecurity, IT and enterprise governance efforts will impede progress in achieving objectives in all three domains. The next post in this series will address approaches at the senior leadership and board levels to harmonize governance efforts.