Governance is essentially the set of rules and policies through which an organization is directed and controlled so that it stays focused on its goals.
As an overview, if management is about running the business, governance is about making sure that it runs properly. Before we move further, we need to ground this in a few use cases; otherwise, it will remain a theoretical concept.
Let's understand this with an example. Small Corp. has started to offer delivery services, and three deliveries are currently pending. Let's look at this from the management and governance perspectives:
- Management:
  - Matt will pick up the first and second deliveries at 8 am and deliver them by 11 am
  - Alen will pick up the third delivery at 3 pm and deliver it by 7 pm
- Governance:
  - Are all the deliveries being made on time?
  - Is everything being done in accordance with legal and regulatory requirements?
When we speak about information security governance, the board members of the organization should be briefed about it and should:
- Be informed about the organization's current information security readiness
- Set direction for adding policies and strategies, and make sure that security is part of any new policies
- Provide resources for security efforts
- Obtain assurance from internal as well as external auditors
- Assign management responsibilities
Let's look at some real-world use cases.
In one of the organizations that I have worked with, although the security posture was good, the board members used to stress over it and get the audit done by external auditors. So, the external auditors used to come and check every control. Their firewall admin used to sit with our firewall admin and look into individual rules, and so on.
All that the board members wanted to hear from the external auditor was: is everything OK or bad?
When we speak about briefing board members or the CEO on information security governance, it is important to speak their language.
For example, a firewall admin cannot simply tell the board that there are advanced persistent threats and that, to counter them, we need next-generation firewalls. They might fire him, even though he might be the best firewall admin in the organization.
Thus, the representative must speak the board's language: the CISO, CIO, or another representative should present the current security threats, the current level of preparedness, and future plans, for which the board can approve new budgets and discuss further:
- It is the responsibility of the senior executives to respond to the concerns raised by the information security expert
- In order to exercise enterprise governance effectively, the board and senior executives must have a clear vision of what is expected from the information security program
- IT security governance is different from IT security management: security management is focused on how to mitigate the risks associated with security, whereas governance is concerned with who in the organization is authorized and responsible for making decisions:
| Governance | Management |
| --- | --- |
| Overseeing the operations | Dealing with the implementation aspect |
| Making policies | Enforcing policies |
| Allocating the resources | Utilizing the resources |
| Strategic | Tactical |
- Nowadays, increased corporate governance requirements have caused organizations to look more closely at their internal controls, to ensure that the required controls are in place and are operating effectively.
Let's understand this with an example. John is a new CISO who has joined Medium Corp. After joining, John realized that most of what the organization had been doing was incomplete. At the end of the year, when the auditor came, more than half of the things didn't work: backups were failing, audit trails were not being recorded on many servers, and so on.
So, John decided to implement the NIST Cybersecurity Framework. As an overview, if you follow industry-standard frameworks such as NIST, you can be sure that your organization is in great shape with respect to security.