Cybersecurity Governance: Transform Mediocrity into Excellence

Date: June 2017

Good cybersecurity requires full commitment from senior management: in fact the international standard for information security demands it.

The concept of strong leadership lies at the heart of ISO 27001: “Top management shall demonstrate leadership and commitment with respect to the information security management system”. That puts responsibility for creating and maintaining an environment in which excellent security can flourish squarely in the C-Suite’s lap.

So gold-standard security relies on the top team putting in place first-rate governance to ensure everything works as it should. Information security rests on four key pillars:

  1. Leadership and culture: developing a ‘security matters’ culture where staff take pride in caring for the security of the company and their clients’ data.
  2. Management of risks: C-Suite awareness of the top information security risks will help ensure these are effectively mitigated. Don’t fall into the ‘security for security’s sake’ trap though: arbitrary security controls that are disproportionate to actual risks waste money and can breed resentment.
  3. Independent audit: establishing a regime with checks and balances, with separation between delivery and audit.
  4. Resourcing: providing the cash, policies, staff, and time required to put technical and procedural security controls in place – and to review and maintain them.

Cybersecurity is a Specialist Skill

Understanding technical vulnerabilities and keeping up to date with how to spot and fix them is a specialist skill. Do not assume that your IT specialist is also a security expert: get specialists in to provide independent penetration testing and make sure test findings are resolved.

Also remember: while a dedicated team of specialists can audit and monitor security extremely effectively, the daily delivery of information security must be the responsibility of the entire workforce. There are some specific legal requirements that the C-Suite needs to track, which may drive decisions in IT architecture and business processes:

  • For companies that operate in several jurisdictions, keeping track of legislation governing information security can be taxing – and for global companies it can be very complex. Regulations can restrict the movement of certain types of information across international borders and the processing of information overseas.
  • Maintaining the security clearance required to work with governments and on defence contracts can be an exacting task.
  • Certifications, such as ISO 27001, require funding, auditing, and time from senior management.

Security requirements should inform the selection of suppliers, the design of IT architecture, and even the selection of suitable office space.

The riskiest practices…

Some of the riskiest cybersecurity practices are found in middle to large businesses which manage data in their own customised systems and websites written by their in-house IT teams. These IT systems can be overly complex and unpatched, and are rarely subjected to independent scrutiny.

The risks are frequently compounded by over-reliance on network boundary controls, such as firewalls and routers, creating an organisation with a hard shell that is soft and vulnerable on the inside.

Modern cyber-attacks often get through firewalls with remarkable ease by email, webpage, or removable media, or by infecting mobile devices while they are outside the network. These risks can be addressed by locking down all devices and data stores rather than merely controlling the company’s outer borders.

…and the best

Cloud-based technology can offer even the smallest business, start-up, or sole trader a level of security previously only available to governments, banks, and other organisations with deep pockets. The cloud puts world-class data centres and security architecture, compliant with high international standards, within everyone’s reach for managing security, maintaining software, and resolving vulnerabilities.

Zero-infrastructure companies, where all IT systems are provided as services (SaaS) from companies with accredited and verified security in place, often have the fewest security headaches. Cloud-based device management also helps reduce potential security issues with workstations, laptops, smartphones, and tablets. Moving all your data to SaaS providers removes the need for a wide area network: the internet becomes your infrastructure, with all data encrypted end-to-end in transit by each application.

Even the biggest organisations, with dedicated security specialists and the most risk-averse attitude to information governance, must continually review and improve their practices in order to stay ahead of increasingly sophisticated cyber-attacks.

Checklist for good governance

Senior management needs to ask two key questions to understand the strength of its cybersecurity governance – and the answers must be verified by independent audit. It is not enough to rely on assurances from the IT department that everything is fine and operating as it should.

  • What are we doing to combat the most significant cyber risks we face?
  • Is that enough given the size of the risk?

The governance picture is not complete without checking the genuine attitude of employees to security. Do they really care or are they quite complacent? Do they see security controls as an important part of their routine, or as a pain in the neck?

Like financial audit and health and safety, effective governance of information security is not an optional extra, it’s a must. Do it before it ‘bytes’ you!

Author: Adrian Dain, Principal Consultant at Mason Advisory – published in Infosecurity Magazine.