Cybersecurity Governance Overview

Another similar six cyber security governance steps diagram:

Note: https://www.ncsc.govt.nz/assets/NCSC-Documents/NCSC-Cyber-Security-Governance.pdf

1.1 ESTABLISH CURRENT STATE 

1.2 DEFINE TARGET STATE  

Once the existing state of cybersecurity is known and fully acknowledged, the future or target state may be defined based on weaknesses and deficiencies, risk and vulnerabilities, and the extent to which the enterprise will be able to change and adapt to the trends in attacks, breaches and incidents. Where the target state is not clearly understood, it is unlikely that a transformation approach will be successful. 

Typical pitfalls include: 

 • Lack of realism—The target state is formulated as a wish list for perfection, rather than the next obvious (and stable) state of overall cybersecurity. 

 • Escalating commitment—The target state is defined as “just a little more of what we are doing now,” without incorporating the changed threat and vulnerability landscape, not to mention actual attacks and breaches. 

 • Blurred vision—The target state is defined based on wrong assumptions—e.g., where organizational management does not incorporate future trends in cybercrime and cyberwarfare. 

 • Governance model bias—The current governance model (e.g., “zero tolerance” or “we are insured”) is maintained, ignoring strong signals that it may be dysfunctional. 

 In transformation thinking, the target from a governance perspective is to identify the next stable—and, therefore, achievable—level at which cybersecurity will be able to meet the needs of stakeholders, and at which there will be a reasonable level of protection against attacks and breaches. Transforming cybersecurity is a repetitive and iterative exercise that resembles a life cycle rather than a one‐off project.

1.3 STRATEGIC AND SYSTEMIC TRANSFORMATION  

The distance between the current and future states of overall cybersecurity is subject to governance as well as management. Once the target state has been identified and defined, there are two dimensions of change that need to be planned, managed and monitored. The strategic dimension covers setting strategy, planning and implementing high‐level steps, and initiating a program and related portfolio of cybersecurity projects. The systemic dimension addresses dependencies between parts of the cybersecurity system that will have an impact on how change will be achieved and what will be the immediate and secondary effects. 

 Transforming cybersecurity in a systemic way also means that any changes will need to be examined with regard to unwelcome side effects. As an example, the deployment of an awareness program for employees may be beneficial in terms of improving vigilance and attention to detail. However, an unwelcome secondary result might be that a large number of “false positives” increases the cost of incident management and
distracts attention from real (but unobtrusive) APT attacks. More complex dependencies may exist in cybersecurity systems that will only come to light if the transformation is seen as a systemic and holistic exercise.

Information security governance in general sets the framework and boundaries for security management and related solutions. This necessarily includes formal policies, procedures and other elements of guidance that the agencies are required to follow. However, where governance in its best sense means “doing the right things,” it needs to take into account that a large part of cybersecurity is concerned with handling unexpected events and incidents.

Cybersecurity governance is both preventive and corrective. It covers the preparations and precautions taken against cybercrime, cyberwarfare and other relevant forms of attack. At the same time, cybersecurity governance determines the processes and procedures needed to deal with actual incidents caused by an attack or security breach. In this context, governance principles and provisions must be reasonably flexible to allow for the fact that attacks are often unconventional, generally against the rules, and most often designed to circumvent exactly those procedures and common understandings within the organization that keep the business running. Establish Cybersecurity governance with following six‐step approach as explained below:

 

STEP 1: IDENTIFY STAKEHOLDER NEEDS 

• • Determine the internal and external (usually restricted) stakeholders and their  interest in organizational Cybersecurity. 
•  • Incorporate  confidentiality  needs and mandated  secrecy  in  the identification  process. 
• • Understand how cybersecurity should support overall enterprise objectives and  protect stakeholder interests. 
• • Identify  reporting  requirements  for  communicating  and  reporting  about  cybersecurity (contents, detail). 
• • Clearly  define and articulate instances  of  reliance  on  the work  of  others (for  external auditors). 
•  • Define and formally note confidentiality and secrecy requirements for external  auditors. 

STEP 2: MANAGE CYBERSECURITY TRANSFORMATION STRATEGY. 

• • Review legal and regulatory provisions in cybercrime and cyberwarfare 
•  • Identify  the  senior  management  tolerance  level  in  relation  to  attacks  and  breaches. 
• • Validate  business  needs  (express  and  implied)  with  regard  to  attacks  and  breaches
• • Identify and articulate any game changers or paradigm shifts in cybersecurity. 
•  • Document systemic weaknesses in cybersecurity as regards the business and its  objectives 
• • Identify and validate strategy for cybersecurity (“zero tolerance” vs. “living with  it”) 
•  • Identify  adaptability,  responsiveness  and  resilience  of  strategy  in  terms  of  cybersecurity attacks and breaches 
•  • Identify  any  rigid/brittle  governance  elements  that  may  inadvertently  be  conducive to cybercrime and cyberwarfare (e.g., instances of over control) 
• • Define the expectations, in alignment with strategy (“zero tolerance” vs. “living  with it”), with regard to cybersecurity, including ethics and culture. 
•  • Highlight any ethical/cultural discontinuities that exist or emerge. 
•  • Define  the  target  culture  for  cybersecurity,  and  develop  a  cybersecurity  awareness program. 
• • Obtain management commitment for the selected strategy 

 

STEP 3: DEFINE CYBERSECURITY STRUCTURE 

Structure 

• • Define  the  Cybersecurity  organizational  structure  –  an  appropriate  platform/committee,  in alignment with  information  security and information  risk functions. 
• • Highlight  any  barriers  or  other  organizational  segregation  of  duties/information. 
• • Mandate an appropriate cybersecurity function, including incident and attack  response 

 

Roles and Responsibilities 

• • Determine an optimal decision‐making model for cybersecurity— this may be  distinct and different from “ordinary” information security 
• • Define high‐level RACI (responsible, accountable, consulted, informed) model  for cybersecurity function, including any external resources. 
• • Consider any extended decision rights that may be applicable in crisis/ incident  handling situations. 
• • Determine  cybersecurity  obligations,  responsibilities  and  tasks  of  other  organizational roles (including groups and individuals). 
• • Ensure cybersecurity participation at the steering committee level. 
•  • Embed  cybersecurity  transformation  activities  in  the  steering  committee  agenda. 

 

Communications 

• • Establish  escalation  points  for  attacks,  breaches  and  incidents  (information  security, crisis management, etc.)
• • Define escalation paths for cybersecurity activities and transformational steps  (e.g., new vulnerabilities and threats). 
• • Establish fast‐track/crisis mode  decision procedures with escalation  to senior  management. 
• • Identify  the  means  and  channels  to  communicate  cybersecurity  issues  and  information. 
• • Prioritize cybersecurity reporting to stakeholders by applying the principles of  least privilege and need‐to‐know basis. 
• • Develop appropriate guidance for associates. 

 

Integration 

• • Integrate, to the appropriate extent, the cybersecurity direction into the overall  information  security  direction,  and  highlight  areas  of  cybersecurity  that  are  deliberately kept separate and distinct. 
• • Establish interfaces between the cybersecurity function and other information  security roles. 
• • Embed  cybersecurity  reporting  into  the  generic  reporting  methods  for  information security. 

 

STEP 4: MANAGE CYBERSECURITY RISKS   

• • Determine  risk  appetite/tolerance  levels  in  terms  of  cybercrime  and  cyberwarfare attacks and breaches at the board/management level.  
• • Align  risk  tolerance  levels  against  the  overall  strategy  (“zero  tolerance”  vs.  “living with it”). 
•  • Compare  cybersecurity and generic information  security  risk  tolerance levels  and highlight inconsistencies.  
• • Integrate  cybersecurity  risk  assessment  and  management  within  overall  information security management.  

STEP 5: OPTIMIZE CYBERSECURITY RESOURCES  

• • Evaluate  the  effectiveness  of  cybersecurity  resources  in  comparison  with  information security and information risk needs. 
•  • Validate cybersecurity resources in terms of specific goals and objectives.  
• • Ensure  that  cybersecurity  resource  management  is  aligned  to  overarching  information security needs.  
• • Include external resource management.  

STEP 6: MONITOR CYBERSECURITY EFFECTIVENESS  

• • Track cybersecurity outcomes and effects, particularly with a view to changes  in attacks/breaches/incidents. 
• • Compare  outcomes  against  transformation  steps  and  milestones  –  initial  (current state) and future (target state) expectations.  
• • Integrate  cybersecurity  measurements  and  metrics  into  routine  compliance  check mechanisms.  
• • Evaluate threats and vulnerabilities relevant to cybersecurity, and incorporate  the changing threat landscape into cybersecurity strategy.  
• • Monitor  the  risk  profile  for  attacks/breaches  and  the  corresponding  risk  appetite  to achieve optimal balance between cybersecurity  risk and business  opportunities.  
• • Measure  the  effectiveness  of  cybersecurity  resources (internal  and  external)  against defined information security needs, goals and objectives. 

Note: https://www.moheri.gov.om/userupload/Policy/Cyber%20Security%20Governance%20Guidelines.pdf

NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

Governance: doing the right thing.
Management: doing things right.

Cyber Security : Governance vs Operation

Governance is an important topic in cybersecurity, as it describes the policies and processes which determine how organizations detect, prevent, and respond to cyber incidents. In many organizations, there is a division between governance and operation (management). Those who work in governance tend to emphasize strategic planning, whereas operation (management) deals with the day-to-day operationalized approach to security. Sometimes this results in different leadership perspectives.

Making the organizational move from a divided hierarchy to one in which strategy informs operation (and operation informs strategy) is a difficult challenge. Communication is key to effectively managing expectations, messaging, and security posture throughout the process.

Detect, prioritize, and control

Operational controls – the real-life response to a cybersecurity incident – should be the focus of any security program. Managing these controls and reporting to a governance structure may not require the knowledge of operationalization, but instead may rely on an agreed-upon level of confidence in respect to risk management involving both governance and operational leadership.

In addition to working alongside governance experts, operational controls managers should measure their security posture against a framework or baseline such as the CIS Controls™ or NIST Cyber Security Framework. Conducting such an assessment is important, as understanding your organization’s compliance levels is key to finding weaknesses in the organizational controls as well as the prioritization of investment for strengthening controls.

A previous blog post discussed calculating your risk-reduction ROI; after identifying weaker controls, we can start to use this single calculation to define what provides the greatest level of return on investment as well as the greatest reduction in risk. In future blog posts, risk will be discussed with respect to quantitative analysis, using a Monte Carlo simulation to demonstrate how a single risk and control mitigation can provide an overall reduction in risk to the whole organization.

With clearer reporting and analysis of risk reduction, we can bridge the gap between governance and operational security, leading to better strategic decision making and a more unified approach to the cyber threat landscape.

Note: https://www.cisecurity.org/insights/blog/breaking-the-divide-between-governance-and-operational-cybersecurity

Plan - Do - Check - Act model

The ICGM utilizes a Plan, Do, Check & Act (PCDA) approach that is a logical way to design a governance structure:

• Plan. The overall GRC/IRM process beings with planning. This planning will define the policies, standards and controls for the organization. It will also directly influence the tools and services that an organization purchases, since technology purchases should address needs that are defined by policies and standards.
• Do. Arguably, this is the most important section for cybersecurity and privacy practitioners. Controls are the “security glue” that make processes, applications, systems and services secure. Procedures (also referred to as control activities) are the processes how the controls are actually implemented and performed. The Secure Controls Framework (SCF) can be an excellent starting point for a control set if your organization lacks a comprehensive set of cybersecurity and privacy controls.
• Check. In simple terms, this is situational awareness. Situational awareness is only achieved through reporting through metrics and reviewing the results of audits/assessments.
• Act. This is essentially risk management, which is an encompassing area that deals with addressing two main concepts (1) real deficiencies that currently exist and (2) possible threats to the organization.

Note: https://www.linkedin.com/pulse/integrated-cybersecurity-governance-model-plan-do-check-tom-cornelius/

Plan – Policies & Standards

Do – Controls & Procedures

Check – Reporting & Assessments

References

• Cyber Security Governance A Component of MITRE's Cyber Prep Methodology