Five Best Practices for Modern Security Governance in 2020 and Beyond
By: Mohie Ahmed
Corporate information security governance is a foundation upon which organizations can build an increasingly significant part of their overall risk management platform. The foundation of a successful security governance program begins with strong upper-level management support, including the CEO, Chairman and Board Members.
Without the proactive support of those who control IT resources, even the best security posture can fail when pressured by politics and budget limitations.
Especially for large enterprises and organizations in mission critical and highly regulated industries (financial services, healthcare, government, e-commerce and more), security governance strategies must take direction from executive management. Laws, regulations and standards are strengthening, as the risk of external attacks and internal breaches continues to rise. To be effective – to thwart attacks and protect the digital assets of their organization – security professionals (directors, VPs, CISOs and other senior IT leaders) must interact with the “C-suite” and come prepared to articulate risks and share the overall “ROI” for investing in protecting connected data and infrastructure assets.
Here are five best practices for modern security governance in this new year, and new decade, where the digital transformation of nearly every industry, business and government agency shows no signs of slowing down:
- Establish clear responsibilities across the organization, from department leaders to the C-Suite and Board, and dedicate one or more experienced security professionals to architect, implement, manage and report on IT security programs, applications and overall systems. Create and update a security plan each year, and make sure related job descriptions and training, skills, certifications and other evolving requirements are met.
- Set practical security policies and procedures, backed by the authority necessary to enforce compliance. Policies and procedures that are not attainable and don’t provide meaningful security through appropriate controls should be carefully reviewed. Establishing metrics and creating an efficient means for real-time response and regular reporting will aid in the transparency necessary to inform quality governance at all levels.
- Constantly follow new laws and regulations, and make sure to update compliance dates; depending on the size of your organization and the industry you are in, consider hiring an in-house expert on regulations (for example Sarbanes-Oxley, HIPAA, PII, and other laws), and if you operate globally, ensure all privacy and data protection laws in the countries or regions in which you do business are understood and followed. It is no longer feasible to simply “check boxes” – depth of understanding is required, as is support for the IT executive who is responsible for reducing multiple risks and exposures.
- Create a strong “culture of security” by engaging every individual in supporting the security commitment to the organization. This cannot be accidental; it must be intentional. It should be part of every employee’s role to understand what their responsibilities are at all levels, to protect the confidentiality, integrity and availability of data, applications and network infrastructure.
- Finally, the security program should be subject to consistent monthly, quarterly and annual analyses. The results of predictable, periodic reporting can be used to apply lessons learned, improve the effectiveness of existing security controls, and plan future controls to meet new security requirements as new threats are identified.
These five strategies are fundamental to success; the following tactical approach has been proven to lead to successful outcomes across all industries and organizations:
- Design and align the security program based on business needs.
- Develop an information security strategy that drives program investments.
- Create and regularly assess the information security management structure.
- Communicate effectively across the entire C-Suite: CEOs, CIOs, CMOs, CFOs and Board Chairmen and Members.
- Collectively determine and manage acceptable risk; eliminating 100% of risk is not always financially feasible, so develop a clear understanding of what leaders may be willing to risk, balanced against available resources.
- Create security policies with organizational participation, engaging with managers and line employees.
- Base your framework on industry standards and best practices.
- Prepare continually for internal and external audits.
- Create a security-aware culture through internal communications about protecting data, the consequences of leaks, the risks of attacks internally and externally, and why the security solutions in place make sense, even if they create additional steps.
- Understand the existing and emerging laws and regulations impacting the organization.
- Subscribe to the best reports on real-time security breaches and learn from the security incidents of others.
Privileged Access Management and related technology-based solutions, designed to ensure that only the appropriate people access the appropriate information, are an important aspect of any high-quality security governance program.
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, more ecosystem partnerships and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades: it requires an additional step after entering a username and password (for example, entering a one-time security code sent to a mobile device) before access is granted to applications, systems and data.