A framework for effective security governance
Zahid Syed, Information Security Officer at Abu Dhabi Ports, writes about the recipe for essential security governance policies and practices in the digital age.
Information security has become one of the most discussed topics in the enterprise. Substantial investments are being made to put the relevant physical, technical and administrative controls in place to address the risks the business faces. Best-of-breed security products are deployed and highly skilled security personnel are hired to protect the organisation's assets. Yet information security still frequently fails to meet expectations: security policies are violated, data leaks, passwords are shared, staff ignore security advisories and do not appear to understand the consequences of a breach. Even security awareness workshops are ineffective because few staff attend.
These challenges, and many more like them, are best addressed by establishing information security governance across the organisation, because technical and physical controls on their own are not enough. Governance must not only be established but made effective throughout the organisation by following a few fundamental principles:
Include information security on the agenda of board meetings
Most organisations regard information security as an IT function whose challenges should be discussed and resolved at the technical level. Since most businesses, if not all, depend heavily on technology for their daily operations, information security deserves a place in the boardroom. Nevertheless, senior management still tends to treat it as too trivial for the board agenda, even though organisations have repeatedly suffered significant business, financial and reputational losses because effective security controls were missing.
Executive management commitment is essential to establishing information security governance. Executives must understand why it matters and support the development of a security culture across the organisation by setting high-level directives together with the organisation's risk appetite. Their support is what ensures that sufficient resources and budget are available to design security programmes and to enforce and monitor compliance.
Establish information security objectives to achieve strategic goals
Setting S.M.A.R.T. (specific, measurable, achievable, relevant and time-bound) security objectives that are fully aligned with the organisation's mission, vision and business objectives is the key to a successful information security programme.
Security programmes are designed to achieve the security objectives, and those objectives must be driven by the business objectives. A security programme usually consists of a number of large, complex activities, the projects, which implement administrative, physical and technical controls, singly or in combination, to satisfy the confidentiality, integrity and availability needs of the organisation's information.
A security programme that is not properly aligned with the business leads to wasteful investment, which eventually erodes management's trust in information security and raises financial concerns. The programme must instead be developed in line with business goals and objectives, allowing security to act as a business enabler while remaining fully aware of the associated risks, each of which can be mitigated, avoided, transferred or accepted.
An example of misalignment: the board decides to move all of the company's internal and external web services to a local cloud provider shortly after the security team has invested heavily in an on-premises web application firewall that will no longer sit in front of any of those services.
Change the business mindset about information security
Security professionals must make a determined effort to change the mindset of a business that perceives information security as the department of obstruction. Because of that perception, the business usually leaves security out of its decision making, purely out of fear that security will slow things down or put hurdles in its way. This creates a further problem: decisions taken without consulting security can lead to serious incidents that damage the company's public image and reputation, cost it the trust of its customers and cause significant financial loss.
A risk-based culture should be promoted, with the risk appetite and tolerance level set by the board of directors. A detailed business impact analysis must be carried out to establish the value of each asset being protected and the risk it carries for the business, and that risk must be weighed against the cost of the control put in place to treat it.
Security professionals must act as business enablers and find the right balance between business needs and security. Where a business requirement does not fully meet the security standard, the risk should be analysed and communicated to the business owner, and the decision taken on the condition that the impact of the risk does not exceed the tolerance level. An information security risk register plays an essential role here: it records every identified risk together with the response of the business, which is the risk owner.
Develop information security culture with clear roles and responsibilities
Information security becomes effective only when a strong security culture is developed. Executive management should lead by example and must not consider themselves above security controls or assume that certain policies do not apply to them. Employees must understand that they too have a part to play in protecting the company's information. The culture should be promoted through a range of channels: workshops, frequent advisories, handbooks, regular campaigns, quizzes, surveys and so on. General responsibilities, such as understanding and conforming to the information security policy, the data sharing policy and the code of conduct, can be written into the job description for every position. Reward schemes, linked to appraisals or a token of appreciation, encourage employees to report security incidents. A culture can only develop if information security is discussed and practised at every level, from the board of directors to the most junior member of staff.
Measure the effectiveness of the controls by establishing metrics
Performance monitoring is a key governance activity: it measures the effectiveness of the controls against what was expected of them. Management should establish S.M.A.R.T. KPIs tailored to the organisation, to the areas being measured and to the audience they address. Each KPI sets a target for a specific goal that can be measured accurately, is achievable within a defined timeframe and, most importantly, is tied to a specific process, practice or control.
A specific set of metrics must be developed for each audience. Showing the board of directors the number of DDoS attacks blocked at the firewall will mean little to them; the board would rather see how compliant the organisation is with the ISO standard it has adopted, or how many critical risks remain unmitigated and could have a significant impact on the business.
Suffering a security breach does not by itself mean that security governance has failed. Not knowing that a breach has happened, and not knowing how to respond to it, is the sign of failed security governance.