Getting Started with Security Governance for SMBs

Look, I get it: Security Governance isn't the sexy part of Information Security, unless of course you are a governance geek like me. Sexy or not, it's more important than you may think. Governance done correctly should help keep your security program on the rails for the long term, and it supports the program in terms of resources and staffing (that should appeal to even the most anti-bureaucratic CISO).


Reasons for Governance

Corporate Governance in general leads to good risk management and comes as a result of good decision making. The truth is, good Governance and good decision making may be taken for granted by employees and other stakeholders when done well; however, when executed poorly, the results can be disastrous. Despite the spiffy title, the CISO at many organizations does not have a "seat at the table". Creating a governance process that includes several members of senior management can give the voice of security a seat (by proxy) and creates a feedback mechanism that goes in both directions, which can be mutually beneficial.


Why Governance?

It’s important that the CISO does not make risk decisions on behalf of the organization. The CISO is not able to weigh all the pros and cons of business decisions with security implications. It’s not fair to put the CISO in the position of attempting to put the brakes on projects that may lead to enhanced or additional revenue streams. The revenue may outweigh the risk. Maybe the risk can be mitigated to a manageable level. Decisions such as these need senior management input. Taking no risks isn’t the right answer. Disregarding risks may be even worse.

The CISO's job is to make sure that the cons are understood and included in that decision-making process. If you work at an organization that does not consider the CISO's advice on security, you may be at the wrong organization.

Senior management should also not assume that no news on security is good news about security. Senior management and/or the Board of Directors have ultimate responsibility for security (and everything else). Regulatory requirements such as NYDFS require the Board to be on top of Cybersecurity. Without Governance and reporting, they are simply flying blind.


Simple Governance for the SMB

If you are a small-to-medium-sized organization, security Governance doesn't have to be complicated. To start, make sure you have defined roles and responsibilities for security, including the Governance role. A charter for the Governance group is a good start.

A Governance committee made up of senior leaders and a mix of technology and tech-savvy business representatives is needed for effective security Governance. Once established, the Committee needs to meet (I'd recommend quarterly).

The Committee should:

- Evaluate the results of risk assessments and approve risk treatment plans
- Approve Security Policies
- Monitor the effectiveness of the Information Security Program and compliance with applicable regulations
- Support the Information Security Program

Another practice we strongly recommend is to create a Cybersecurity "Calendar of Events". Simply put, a Calendar of Events maps out the critical tasks that need to be accomplished for the year. This helps the security team keep sight of critical tasks and allows the Governance team to monitor the completion of milestone items. This is a strong practice for maintaining compliance with PCI and other regulations that have requirements which must be met quarterly (ASV scans, for example), semi-annually (firewall reviews and segmentation testing), and annually (the PCI risk assessment, for example).

If you want to learn more, or dive deeper into Security Governance, please reach out to me here at SEVN-X. Our goal is to help you Achieve Better Cybersecurity, and we're happy to help!
