Business-Aligned Security Governance

September 29, 2021

  • A host of factors make it increasingly difficult to include cybersecurity in risk governance.
  • However, programs that align with business goals allow security teams to focus on higher-value activities.
  • When security is embedded in key organizational functions, it fosters a clear understanding of how business and technical imperatives align and how they will interact in a fully integrated risk footing.



Digital transformation (DX), M&A activities and an increase in new product launches make it increasingly difficult for organizations to include cybersecurity in their risk governance activities, driving the need for a sustainable, predictive risk monitoring strategy. The security journey is a progression from an ad hoc program to an infrastructure-based, compliance-based, threat-based, risk-based and business-aligned program.


It’s time to take a step back. Instead of throwing more (expensive) tools at the problem, organizations benefit from a sustainable strategy that’s proactive in monitoring their risk landscape. Programs that align with business goals allow security teams to focus on higher-value activities.


It’s time to stop doing the same-old-same-old and expecting different results.


Many orgs struggle with including cybersecurity in their risk governance activities, a challenge that’s exacerbated because of the accelerating pace of DX, M&A activities and an increasing rate of new product launches. Much of what the industry is doing doesn’t effectively address contemporary challenges. We take an ad hoc approach to tools or we chase the latest compliance mandate in an effort to “be secure” without understanding the real risks we need to mitigate. We fail to meaningfully articulate the health of our risk program and we assume all is well because we haven’t experienced a breach or significant “security-related issue.”


How does Optiv address these issues? What’s the strategy for an effective cybersecurity and information risk program?


Risk and Security should partner with leadership and the board to create a program that aligns with the business as well as its threat landscape. This transformation can be achieved by understanding three areas: business drivers (including the competitive landscape), strategy and goals. These dynamics, along with input from our business partners, help us focus on the enterprise’s most important operational risks.


Risk maturity isn’t a simple process. It’s a journey security organizations undergo to build the right set of capabilities, prioritized according to their business requirements. It keeps the business aware of high-level priorities and helps it understand which exposures can be tolerated.



Programs Evolve Through a Maturity Journey

A program’s maturity journey communicates its general capability footprint. You can’t just stand up a program and expect it to work immediately. Much as psychologist Bruce Tuckman, in his 1965 paper “Developmental Sequence in Small Groups,” explained the path teams follow on their way to high performance (forming, storming, norming, performing), our security program will progress through a capability journey.




Ad Hoc- and Infrastructure-Based
Programs arise when there’s a need to formalize a set of capabilities. At the earliest stages of building an information security program, we generally identify problems and put out fires. Pro tip: when your security team is constantly putting out fires and security incidents never seem to end, it’s a sure sign of an ad hoc program that reacts to symptoms rather than addressing root causes. Without fail, clients in this position lack effective methods (personal heroics don’t count) of tracking the state of the program and the security controls in place. Eventually, they begin to implement technical solutions or formalize administrative processes to prevent the fires, initiating a shift towards an infrastructure-based focus. The challenge at this stage is that solutions tend to be point-focused on specific issues. The org isn’t yet thinking strategically about integrations, sustainability and proactive threat mitigation.


Compliance requirements eventually become a bigger focus (especially with evolving privacy regulation), and organizations look to leverage the infrastructure-based protections that have been put in place to enable “compliance.” At this stage, the program’s success is generally linked to things like SOX audits and PCI DSS assessments. Generally, this is still a reactive program. The organization is chasing the latest compliance requirements or updates in order to use them as a mark of success. This stage is difficult to break free of because leadership knows the compliance status (it having been validated by external and independent third parties) and mistakes compliance for true security.


Evolving a threat-based mindset is difficult for most orgs. A threat-based lens moves us beyond general-purpose protection schemes and the idea that every control or capability needs to be applied uniformly across the organization. We begin to understand which systems and data are most important to our organization as we establish processes to decompose the inner workings of important systems and examine how people access data. Teams step back from the details to identify threats to their environment. Time is spent understanding what we are (or aren’t) doing to protect those assets. Using techniques like threat modeling or cyber attack kill-chain analysis, we begin to understand how an attack must travel through our infrastructure to reach a specific destination. With this specific knowledge, the security program can position appropriate defenses at specific steps in the attacker’s path to disrupt the attack.


At the other end of the spectrum from the “hair-on-fire” security programs are those meaningfully and effectively connected to business operations. We typically encounter them as a result of regular strategy tune-ups and recurring risk assessments. These programs have a plan, adjust the plan regularly and have a genuine sense for where they’re mature and where they aren’t. What’s striking about such programs is that where we find areas of immaturity, it’s usually intentional.


The business understands the value of information security and sees it as a component of managing risk, whether it be operational, regulatory or reputational. Cyber risks are discussed in line with the enterprise risk management function and the discussion of those risks is shifting from a qualitative to quantitative view of potential impacts to the business. The key is that the business has assets to protect and uses information security to safeguard them.



Risk Automation

As the cybersecurity program progresses through its maturity journey, the ability to identify, track and regularly validate our security control posture becomes more critical, much like balancing our general ledger. This is where Governance, Risk and Compliance (GRC) systems can be powerful tools in the cybersecurity tool bag. A GRC system helps an organization record and track the status of cybersecurity components and automate risk management functions to drive efficiency and timely risk status reporting.


When we’ve reached the pinnacle of our program evolution, cybersecurity is embedded in key functions of the business. We see the security program leader, generally with the Chief Information Security Officer (CISO) title, participating in business strategy development and planning processes. This fosters a clear understanding of how business and technical imperatives align and how they will interact in a fully integrated risk footing.


When operating at a business-aligned level, we must understand that nobody can afford (financially or otherwise) to be highly mature in every possible security control. However, we understand what controls need to be placed where, which controls must be operating at a high level of maturity and where we’re comfortable being exposed (and how much).


Tim Elliott
VP, Risk Transformation | Optiv
Tim has more than 20 years of experience designing and leading strategic risk management programs that have significantly improved executive risk management decision making, reduced the cost of inefficient risk programs and increased the confidence of adhering to regulatory mandates through the implementation of modern security/risk governance and technologies.