This article explores the definition of Governance within the context of Information Security – discussing the core processes involved in implementing a Governance framework, the theories behind influencing lasting organisational change to protect from cyber threats, and the challenges associated with this.
Defining Governance within the context of Information Security
Governance will always mean different things to different people.
In small organisations, Governance tends to be seen as a mere piece of consultant’s jargon. Relationships, politics and decision-making processes are simpler and it is easier to make sure that everyone pulls in the same direction.
But as organisations grow in size and become operationally more complex (often through acquisitions), those aspects become more complex as well. Coherent action becomes less of a natural concept, and making things happen in a coherent manner requires concerted management action.
This is particularly true in the Information Security space because of the inherent cross-silo nature of the actions involved to protect the business. For example, a coherent identity and access management platform requires concerted action across HR, business units and IT – and each of them might have their own agenda and understanding of the problems.
Information Security Governance needs to encompass all the management mechanisms that ensure coherent action across all stakeholders with the view of delivering effective and efficient information protection to the business. It can only stem from a clear Information Security strategic vision and requires all stakeholders to agree on a clear definition of their respective roles and responsibilities.
The term “Governance” has long suffered from a serious lack of comprehension surrounding its meaning, and poor Governance around Information Security has led to many organisations putting themselves at unnecessary levels of cyber risk.
Effective Information Security Governance must involve the proper management of all the activities which an organisation needs to carry out in order to maximise the protection of the information it processes. It should ensure the protection of key information assets from relevant threats through the layered application of the right controls at people, process and technology levels – while managing any element of risk that may result from the absence or inefficiencies of these controls.
The problems with the reactive approach to Information Security
Unfortunately, many large organisations have historically seen and continue to approach Information Security mostly from a compliance angle – essentially managing Information Security issues on an ad-hoc basis, in a reactive manner, in order to satisfy audit and compliance needs. Throwing money at the problem, through vast audit or compliance-driven programmes of work, is often frightfully expensive (in particular for larger firms) and rarely delivers in full across all geographies. While this approach may provide a degree of temporary protection in some areas, it is often financially inefficient – tending to focus on arbitrary controls to tackle arbitrary threats and leaving organisations exposed as a result.
To break this cycle, large organisations need to build a true understanding of the real nature of the threats they face – and the real controls they have in place at people, process and technology levels to protect themselves against those threats. By doing so, many of them will realise that the potential damage that might result from those threats (to operations, finances and reputation) is primarily the result of the absence of (known and implementable) controls at a number of levels. And that effective long-term information protection cannot stem only from reactive or technical one-off solutions.
They will also realise that it is key to bring all the relevant stakeholders on board and drive concerted actions amongst them to fix those problems. To achieve that, large organisations need to build a strategic vision and the right Governance framework around Information Security.
It’s often the responsibility of the CIO to ensure that the whole organisation, including board level management, understand the importance and complexity of Information Security challenges – and architect coherent action through the implementation of a medium to long-term Information Security strategy to engineer lasting protection.
But in order to thoroughly address the issue of Information Security on an ongoing basis, Information Security must become part of a mind-set, embedded into the broader Governance and culture of an organisation. For many organisations, this is a true quantum leap in terms of change.
Creating lasting organisational change within the context of Information Security
For large organisations, where the Information Security focus has been for a long time on tactical projects, real change is always a challenging medium to long-term journey. Effective change has its roots firmly planted in corporate Governance and culture, and can take years to achieve.
From directors who may be unconcerned about the Information Security risk the business faces, to IT teams who may view strict Information Security Governance as a barrier to flexibility and their ability to innovate, it’s important to break down organisational silos and get all stakeholders working towards a common goal.
An effective Information Security Governance Framework is one essential piece of that jigsaw. It should distribute roles and responsibilities clearly amongst all stakeholders and act as a dampener – keeping things smoothly in motion (aligned with business objectives across the entire organisation), while reducing the risk of rapid and potentially damaging negative tactical reactions to Information Security issues.
It is only by getting key employees on-board with a medium to long-term Information Security vision and giving them clear roles and responsibilities as part of a clear Information Security Governance Framework that you can create a sense of direction and purpose – and it’s only through sustaining this over the medium to long-term that true organisational change can occur.
Managing Director
Corix Partners
Find out more about how your business can implement an effective Information Security Strategy and Governance framework by contacting Corix Partners. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.