Anyone who uses the term governance is throwing around a powerful word. The concept was established in corporate management a long time ago. Within the context of crises and crisis management, governance as a general term has been used since the 1990s to refer to the principles of responsible corporate management and monitoring geared towards long-term value creation. This ongoing discussion about the fundamental principles of sustainable business, which started in the United States and which generally gains in intensity in the wake of company bankruptcies, has become a fashionable topic for debate of late (think of the economic and financial crisis that began in 2008). And governance remains a buzzword today. Nevertheless, it is still far from clear what the main categories of governance, IT governance and security governance actually cover. The same uncertainty shows in the frequent reports on risk management, compliance and information security.
Systematic and well-integrated governance, risk, compliance and security management incorporate the following factors:
- External governance factors, such as the environment, market, overall economy, politics, legislation and compliance, as well as culture and society.
- Internal governance factors, such as strategy, structure, processes, employees and technologies.
We will now assess these factors in terms of effective control and regulation systems of capital market-oriented companies, a central theme when it comes to responsible, transparent, efficient and secure business management. These factors further break down into the following related areas:
- Governance: Framework of rules and guidelines in place for managing and monitoring a specific company.
- Risk management: Structured process for the uniform, anticipatory handling of risks and opportunities.
- Compliance: Effective and efficient adherence to all legally binding guidelines and regulations.
The most basic principles here are, in simple terms:
- Accountability: Including scope of liability and imputability
- Responsibility: Clear ownership of tasks, decisions and their outcomes
- Transparency: Openness and transparency of processes and structures
- Fairness: Fair conduct in business competition, playing by the rules
Multifaceted concepts
So governance is a term that, depending on the thematic underpinnings and professional discipline in question, may be understood in different ways. To better understand what governance means from the perspective of information security, one should bring to mind the many aspects of corporate governance, IT governance and security governance:
Governance
On the most abstract level, governance encompasses the responsible, sustainable organization and steering of a company's activities, geared towards long-term value creation, and therefore the entire system of internal and external mechanisms for performance, control and monitoring.
IT governance
A definition of IT governance is harder to pin down, since no single definition has become established. There is, however, a tendency towards a common understanding, which can be described as follows:
- IT governance is a part of corporate governance and is closely related to information management, with a great deal of overlap and parallels.
- IT governance deals with the allocation of decision-making authority and responsibility for IT within the framework of a company's corporate governance, and with the structures, processes and relational mechanisms that underpin it.
- The goal of IT governance is to keep IT requirements and the IT strategy aligned with the business strategy.
One might then also derive a common basic understanding for IT governance that encompasses the organization, steering and monitoring of a company’s IT resources to ensure the consistent alignment of IT processes with the corporate strategy. Like the company’s governance, IT should ultimately be integrated into a uniform framework that is in line with the company’s business interests and that defines guidelines and standards.
- IT governance is therefore intended as a strategy component and guiding management principle for centralized and decentralized IT.
- For IT management, IT governance is a framework for defining targets against which the configuration of IT resources (hardware, software and IT processes) can be measured.
Security governance
So what does this mean for information security and the need for security governance?
Security governance is most easily defined in terms of information security objectives, that is, by asking what security governance contributes to information security. The IT Governance Institute (ITGI, founded by ISACA) names the following contributions:
- Strategic alignment: security governance is aligned with the corporate strategy so that information security promotes the same goals.
- It supports the establishment of risk management as a means of reducing risks to a level that the company finds tolerable or acceptable.
- It generates value through information security investments that optimally promote the strategic goals of the company.
- It develops resource management in such a way that knowledge and infrastructure can be used effectively and efficiently to keep information secure.
- It defines metrics for performance to ensure targets are met and progress is made in the implementation of information security through regular or continuous monitoring and documentation. This allows any necessary countermeasures to be taken in due time.
- It integrates monitoring and assurance functions at sensitive points to ensure that processes work as intended and that information security measures remain effective.
Security governance is thus directly aligned with a company’s information security strategy, thereby establishing the foundation for managing activities in the area of information security. Only in this way is it possible to effectively and efficiently implement information security requirements that are fully in line with a company’s processes.
Information security governance must therefore aim not only at ensuring the dependability of IT from a management perspective (while observing the requirements of information security management), but also at ensuring that information technology itself remains controllable.
Accordingly, security governance is a set of clear responsibilities, practices and principles that the chief information security officer (CISO) and managers use to set out strategic goals. It should also ensure that information security targets are met effectively, that risks are managed properly and that the company's resources are used responsibly.
The CISO shapes effective security governance
First and foremost, overlap between corporate, IT, and security governance and the interfaces with risk, compliance, and information security management must be clearly identified, delineated, and structured to allow a view of the big picture. For company management, the CIO and the CISO, this requires a common understanding of the concept.
The CISO has a key role in the development of security governance practices. The CISO's management tool is the Security Board, which enables the effective development of information security throughout the organization. The CISO sees to it that his or her security process is put into practice, and is responsible for the following (source: IT Governance Institute – ITGI):
- An information security strategy that is developed in line with the business targets and goals of the company.
- A structured, clearly managed and well-maintained framework for the information security management system (ISMS), with all activities conducted in a way that supports the strategy.
- An information security strategy that hinges upon the corporate strategy and takes security governance into consideration, which in turn is based on corporate governance and IT governance.
- The development and maintenance of policies that are appropriate to the company's needs.
- The development of business-relevant scenarios that support and justify investments in information security appropriate to the situation and exposure of the company.
- The identification of current and foreseeable legal and regulatory requirements, so that they are addressed in due time to avoid compliance issues.
- The identification of potential driving forces for information security through situational, market, trend and stakeholder analysis.
- Clearly defining and delegating competencies and responsibilities, and ensuring that the appropriate roles and functions are entrusted to the right people.
- Ensuring that internal and external communication channels are firmly established.
Here, the CISO should also ask the following high-level questions:
- What are the major influences on the business in terms of information security?
- Does the CISO have access to the relevant information and analysis? Is the company already assessing these facts? How current is this information?
- Does the CISO have access to studies on technologies that are relevant for the company? Who evaluates these and according to what criteria? How current is this information? Does this already contain implications for information security?
- Is the CISO familiar with all external regulations affecting the company in general and its IT in particular? Is there an (internal or external) department that deals with these questions professionally and continuously? How IT- and compliance-savvy are these specialists?
- Does the company operate internationally? If so, what knowledge and skills does the company have in the areas of intercultural management and cross-border relations?
The CISO should also be able to assess the company’s business model with respect to consequences for its IT and information security:
- Is there a solid, well-communicated strategy in writing that has been actively put into practice?
- Is there complete documentation of the company's organizational structure and of its workflows and processes?
- Is there professional human resource management? Are the IT and information security requirements adequately taken into consideration?
The CISO must spell out what governance means within the company:
- Is there documentation on effective governance principles? And are these actually put into practice?
- What formal processes are there? How is the CISO affected and influenced by them?
Conclusion
In terms of information security management, security governance encompasses the management of planning processes and aims to bring the corporate culture, the organizational principles and the actual organizational structure of the company into harmony. It also addresses the specific opportunities and technical topics that IT and information security need in order to meet the market requirements of the industry.
This offers the following advantages:
- It becomes possible for the CISO and managers to make use of clear security governance structures so that they can assess opportunities and IT-related risks with respect to information security.
- It establishes a common vocabulary for governance, risk, compliance, IT and information security.
- It supports alignment with compliance-related legal regulations and requirements.
- It ensures that information security contributes to the performance of an organization and the company.
- Clearly defined, comprehensive security governance fosters a lasting awareness of IT and information security, which are essential factors for overall success.
- All elements of a governance framework for IT and information security are coordinated in such a way that they are consistently intertwined, implemented, and developed.
Above all, highly regulated industries, which may not immediately recognize the positive impact the many new regulations and stricter requirements can have on business, must set about creating efficient governance structures. Introducing mechanisms and meeting standards costs money, but those who take the trouble to establish governance systematically, in coordination with these mechanisms and standards, will discover the long-term, value-oriented prospects that security governance offers.
About the Author
Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.