Security Governance or an Elephant Fight?

There is an African proverb that says, “When elephants fight, it is the grass that suffers.”¹ This proverb could be used to describe leaders whose disputes and divisions end up hurting innocent people. In the context of an organization, when two (or more) leaders’ work does not align, it may be reflected by a lack of alignment in lower levels of their teams, in some cases triggering a fight between areas.

Identifying those signs of misalignment in a timely manner can help organizations create cultures of good governance.

Governance, the Key Component

One of the most common information security tasks is to solve problems as soon as they are noticed. These problems are not necessarily security incidents, which, of course, should be solved as quickly as possible; there are other information security issues that information security teams should avoid repeating in the future instead of finding a quick resolution. For example, if there is a need to block any kind of traffic in the network, time and effort are needed to analyze the case and ensure that it does not block any business application using this traffic. This forward-looking approach is a good governance practice from the information security perspective.

Most experts agree on the benefits of good information security governance and on how critical it is to any kind of organization, irrespective of it being public or private and regardless of its volume or any other criteria. Some of the benefits of good information security governance are:²

• Providing assurance of policy compliance
• Reducing uncertainty in IT business operations by reducing risk to a defined and accepted level
• Achieving confidence that critical decisions are not based on incorrect information
• Addressing the increasing potential for civil or legal liability inuring to the organization
• Improving trust among customers
• Deploying methods to protect the organization’s reputation
• Taking steps to effectively manage information security resources

Regulated industries have extra motivation to effectively deal with data because they are subject to regular audits. It should be more common for them to follow best practices and use known frameworks.

But in today’s environment, almost all organizations are affected by data protection legislation that, to a certain extent, allows organizations with less compliance pressure to improve their security overall and avoid significant fines. In some cases, regulation helps embed compliance in corporate processes with high management support, thereby replacing corporate self-interest with governance decisions. In this scenario, those organizations can then take advantage of this governance focus to also implement good information security governance frameworks by using data protection legislation as a leitmotif, or the traction, to use a framework.

When management supports corporate security, it is like corporate culture: It flows to each and every corner of the organization and improves compliance by reducing the overall risk. This especially helps security teams defend the organization’s interests when developing security projects that affect the entire organization. In the end, as mentioned by ISACA, information security management helps organizations achieve their objectives by preserving their value and reducing risk as key benefits of enterprise governance of information and technology.³

In relatively few cases can management consider governance as just filling in forms provided by external consultants and keeping track of the evolution based on how fast those templates are completed. But digitized organizations are more and more dependent on IT for their improvement and growth. Information security governance is a complex polyhedron; there is not a single model that suits several organizations, and it requires that the board “be willing to accept more accountability for I&T and drive a different mind-set and culture for delivering value from I&T”⁴ and, therefore, from information security as well.

Good information security governance practices are embedded in the organization’s culture in the same way a lack of good governance practices are embedded. Thus, it is important for the technical areas to be able to identify the signs of a lack of governance so they can be properly addressed.

Leadership teams agree that better IT governance leads to two things in particular: better economic outcomes (92 percent) and more business agility (89 percent).⁵

Addressing Policy Violations

It takes time and experience to realize how important valid policies are to an organization. Even if this importance is expressed in every framework, it is truly appreciated in an organization with a valid policy framework in place, one approved by the board or its delegates that is communicated, accessible and updated at planned intervals. A policy is not a document saved in a certain part of the organization’s intranet that is written by someone and revised by a couple of teams.

At some point, someone in the organization will not know or will not follow the security policy, and then a new discussion will start and will probably be followed by an escalation process (as has probably happened before):

• On the one hand, the security team will likely use that policy as an enforcement argument. So, for them, the policy is a well-written document that is valid as a policy.
• On the other hand, the business team will likely use its customers’ needs as an unimpeachable reason to defend its needs. The policy document, possibly seen for the first time by business management during this escalation process, will probably be ignored.

It is easy to figure out who will win without valid policies and how frustrating it will be for the security team to try to enforce users to follow policy with not enough support. There will be an unnecessary fight between the two managers of the organization with future consequences for both teams if discussions occur over and over.

Issues With the One Problem, One Tool Approach

As soon as a new information security need is identified, an organization tends to apply a solution. This seems like a positive at first, and it is key when information security addresses an incident. But if the information security team follows a good architecture framework such as The Open Group Architecture Framework (TOGAF),⁶ for example, it may see that a business need could be covered by one of the current solutions supported by the architecture. Otherwise, the security group needs to launch a process to give coverage to this new need. In this case, a governance framework is a key component for the proper assurance of security in the organization.

From the security team’s viewpoint, it is important to involve all significant departments in the deployment decision-making processes to understand the impact this new deployment may cause and also take advantage of the knowledge in these other areas of the organization. That is governance, after all.

In some cases, security might feel rushed or feel the need to prove a results-driven approach, which drives security in a direction in which it has to apply the right tool as soon as possible (or even before the issue occurs) to solve the identified problem. The security team must then deploy the solution organizationwide to try to reach 100 percent of the enterprise’s assets. But, in fact, one tool cannot operate alone; it must work jointly with other applications, tools, processes and, of course, other areas of the organization. Security now probably faces different issues trying to deploy a tool without proper governance support, but the following two concerns must be kept in mind:

• Gaps—The proposed solution might be seen as annoying and not a feasible solution for other departments. They may have other needs or priorities that prevent accepting this new tool being applied to their scope. Since the security team may not have management support, the solution will probably not have an organizationwide scope and, hence, the global risk will not be reduced. Not to mention the friction between areas is likely to appear again.
• Overlaps—If other departments have their own solution, the main project will be perceived as an interference to their scope. As a result, the organization will end up having two tools performing the same task.

These issues affect the organization with regard to risk management, where some identified risk will not be sorted out in some parts of the organization. It may also have financial consequences because the organization is covering the same risk twice within different scopes.

Integrated Risk Management

Specialists in a particular area of the organization’s environment have their own opinions about each identified issue, how to prioritize them, how to solve them and so on. Fortunately, there are other professionals in the organization with different points of view who can be called upon for their expertise. This is why it is important to have an overall view of the entire organization’s risk areas to best manage them.

Once the risk is identified, the enterprise tends to demonstrate, from a technical perspective, the findings or evidence of the identified risk, explaining what is likely to happen if the risk materializes and the possible issues one may face if the organization does not apply risk-reduction measures as soon as possible to handle that risk.

Unfortunately in some cases, the risk is explained to management and also to other participants within the risk environment, but without enough success in terms of direct measures to effectively reduce it.

When information security tries to defend its position because it firmly believes that there is a considerable risk for the organization, it needs to bear in mind that this risk is being properly evaluated by management and, at the same time, competing with other risk factors in upper layers of the organization. From a technical point of view, information security needs to ensure that risk is being evaluated in terms of its impact on business to make easier for management to evaluate risk in its own language.

Promoting integrated risk management can help information security not only defend the risk identified, but also provide the required visibility for management to care about other risk in the organization.

Shadow IT

Shadow IT is a well-known term used commonly to refer to a solution where other non-IT areas in the organization build and use IT resources without explicit authorization and out of the IT department’s control. In principle, it is a bad practice, even if extended to cloud services.

Some defend using shadow IT because this practice promotes innovation.⁷ Things that promotes innovation such as prototypes should be acceptable if they are explored with management’s authorization (and investment) and isolated from the corporate IT network. (If these conditions are met, it is not considered shadow IT.)

When someone in the organization is thinking of a new project involving IT, they may use shortcuts for the following reasons:

• Gaining speed
• Avoiding security controls
• Accessing the Internet directly
• Managing virtual environments

The teams in charge of the new project may want to take these shortcuts in the early stages to avoid discussions with security teams and to provide the first deliverables of the project to the organization as soon as possible. If that happens, the organization will not be able to ensure security baselines as part of matured processes, e.g., maintaining the asset databases, patch management. Even worse, in the event of a zero-day vulnerability, these assets will be out of control of IT to be correctly patched or contained.

Information security departments should deliver their work in a multi-tenant way, listen to all areas to gather their requirements as if they were customers, and identify if the organization is currently covering this demand or if they need to launch a new internal demand process in a formalized architecture process such as the TOGAF framework. The security department will ensure that all demands follow the demand process to establish that everything is well managed. In addition, this process will ensure one of the key components of security: the full inventory of the organization’s assets.

Lack of Centralized Inventories

“We cannot manage what we do not know.” The author of this sentiment is unknown, but the expression is used often. Inventories are considered a key component from both information security and audit perspectives.

In today’s world of frequent urgent patches, inventories have become essential to making sure that information security groups are not inviting guests to come into an organization to exploit a known vulnerability because nearly all systems were patched. One must take into account that there are several reasons why many organizations do not have a single and complete inventory: mergers and acquisitions, legacy systems and applications, shadow IT, and so forth.

Another well-known maxim says that security is only as strong as its weakest link. It is important to realize that after investing in one (or more) tool, if each area of the organization has its own inventory (e.g., innovation department, marketing), it is not possible to ensure that 100 percent of systems are well patched and updated because not all of them have been tracked and managed. Therefore, the current risk is unknown until IT manages all the systems in the organization.

Information Security Scorecards

As written by the Security Executive Council, “Arguably the most common challenge among security leaders is being able to communicate the value that risk management services and programs bring to the organization.”⁸

Information security needs to bear in mind that the board and executives are focused on strategy and guiding the organization in the right direction. The board probably receives a lot of input from different sources such as partners, consultants, published reports, conversations with peers and other interactions, and it always has a lot of information it is considering. Keeping the board informed about the organization’s quantitative information can help it better know what is happening in the organization. Information security has functional management focused on operations and tactics for different projects or initiatives, and nearly all of them will probably be aligned with the organization’s strategy.

In some cases, technical teams receive some assumptions from executive management that are seemingly not aligned with the security projects currently being carried out. This probably explains why information security is continuously in need of improving how it regularly feeds direct management with enough relevant information using a language for the targeted audience and delivering quantitative information (from automated systems if possible) to provide regular information in a defined period.

Measuring activity and continuously monitoring it is a key value that technical teams can deliver to senior management; therefore, the integrity of this information is a crucial factor to help management make better decisions based on facts and proven by quantitative information. This helps avoid any possible assumptions management may have. It also helps information security teams demonstrate continuous value delivery and ensure that they are working on relevant projects for management (figure 1).

Efficient reporting is also important to close some gaps between senior leadership’s main concerns⁹ regarding information security and the effective reality that the security team reports to them. Consider the following data from a global survey of executive leaders and board members (figure 2):

• Forty-four percent of those surveyed consider cybersecurity policies and defense as the number-one priority.
• Thirty-six percent of respondents consider risk management policies as the number-two priority.
• Approximately 90 percent of respondents believe that technology governance leads to more business agility and better economic outcomes.
• Only 21 percent of leadership meetings cover security topics every time, and only 39 percent of those who responded discuss security in some leadership meetings.¹⁰

In financial crisis periods, senior management tends to cut budgets in almost all areas, so reporting is a key activity that security management need to excel at to maintain its current budget or at least to determine the minimum amount needed for the coming months or years.

Leveraging the Framework

There are a number of advantages when using an information security management framework, no matter which one the organization has decided to deploy. It is worth noting the framework should be properly deployed as a whole to avoid creating isolated controls using only some of them, creating risk gaps by not covering the entire scope, or overlaps by duplicating measures and costs.

Security teams may also decide to use more than one framework for specific functions based on different needs. A good governance framework with a global scope can be used in conjunction with other frameworks that are specific to certain organizational needs.

For example, it is appropriate to use a framework such as COBIT or the International Organization for Standardization (ISO) ISO 27001 standard for the global scope with clear global requirements and related documentation, and then use other frameworks based on specific needs such as cloud services, industrial environments, data centers or critical infrastructures.

What is most important is to ensure that security employees always know which framework is working in which environment. That requires a much more structured way to work to avoid the previously mentioned gaps and overlaps and, at the same time, be beneficial for the way each technical area would report to management. This allows for easy integration of different scorecards and grants them a clear view of the risk in each environment in a structured and convenient way to compare risk among peers.

Conclusion

Senior management’s support is key for all initiatives to ensure that objectives are met and the expected value is delivered. Bearing in mind that executives have many other things on their minds, security teams must remember that they have an important role in supporting these initiatives, which information they need to acknowledge, and how security can contribute to this in line with their needs and in a given period of time. The security team must also be part of new business initiatives by proactively proposing compensatory measures until final controls can be implemented to ensure agility in those new business initiatives.

The strategies presented herein are not an exhaustive inventory of signs security personnel can identify as part of improvement in coordination with corporate governance. In any case, it is good to identify the signs and allow security teams to work on them in a more structured manner.

Since it is not always easy to establish formal ways to report to management, it is important to persist in working in project mode to prove value with quick wins when possible, not only in terms of risk reduction, but also in having confidence that the levels of risk are always known and controlled to be at the most acceptable level.

Author’s Note

All opinions expressed in this article are the author’s own based on professional experience and do not represent the views of the entities with which the author is involved.

Endnotes

¹ “When elephants fight, it is the grass that suffers,” Oxford Dictionary of Proverbs, Oxford University Press, UK, 2009
² ISACA, CISM Review Manual, 15^th Edition, USA, 22016, https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ko8EEAS
³ ISACA, COBIT 2019 Framework, USA, 2018, https://www.isaca.org/resources/cobit
⁴ Ibid.
⁵ ISACA, Better Tech Governance Is Better for Business: A 2017 ISACA Research Report, USA, 2017, www.isaca.org/info/2017-isaca-research-report-better-tech-governance/index.html
⁶ The Open Group, “The TOGAF Standard—Version 9.2,” www.opengroup.org/togaf
⁷ Gregory, R. W.; “Sí, Puedes Puentear a TI,” IESE Insight 152, IESE Business School, May 2019
⁸ Security Executive Council; “Defining the Value of Security’s Accomplishments,” July 2018, https://www.securityexecutivecouncil.com/spotlight/?sid=28165
⁹ Op cit ISACA, Better Tech Governance Is Better for Business: A 2017 ISACA Research Report
¹⁰ Ibid.