What is governance and how does it pertain to cybersecurity?
In the broadest sense of the word, the governance of an organization pertains to how it exercises authority and power in the decision-making process. When an organization executes a decision in pursuance of a strategy or an objective, its governance will inform you which roles are responsible and accountable for the outcomes of that decision, and which roles assume the risk associated with it. From those roles, one may ascertain the policies and procedures associated with the decision, and better understand the principles to which the organization adheres and the rules it follows.
Defining governance in a cybersecurity context
The concept of governance should not change all that much when its context is narrowed to the realm of cybersecurity. It shouldn’t, but it often does, and to what extent and in what manner it strays from the original intent depends on whom you look to for an explanation. In actual practice — as opposed to marketing literature — enterprise cybersecurity governance informs you of the decision-making processes and implementation practices used in asserting the following:
- Organizational alignment with the objectives of cybersecurity programs, including resilience and rapid response
- Full and clear documentation of all rules, policies, and regulations the organization is committed to follow
- Complete and comprehensive definitions of all frameworks, guidelines, and associated controls for responding to security incidents
- Roles and responsibilities of all people tasked with overseeing and implementing cybersecurity measures, plus all people tasked with assessing, analyzing, and evaluating risk
- Communications policies and procedures for informing stakeholders and customers of the organization’s cybersecurity frameworks, as well as of incidents to which cybersecurity personnel respond
- Performance review guidelines and evaluation procedures detailing how the organization prepares itself for security events, maintains self-discipline in the meantime, and responds to those events when they occur
When stakeholders need to know how their organization would respond to a potentially catastrophic cybersecurity event, it should be governance measures that inform them as to every foreseen detail. Governance answers the questions that begin with, “What would they do if...?”
Why this explanation of governance might seem contradictory
It’s not accurate to say “governance” is synonymous with “leadership.” Leadership is a state of being. Governance explains a process — a way of doing something that fulfills a concrete objective. It’s wrong to say governance is the directorship of a company. Directorship often comes from a board, which may or may not include executives. It’s wrong to say governance only flows from a Chief Information Security Officer (CISO), or from any executive holding a CxO title. Governance is achievable in organizations without an independent CISO.
Cybersecurity is everyone’s business. The most secure organizations are those whose stakeholders are all motivated to protect the flow of information, without somebody on a throne or pulpit feeding them memoranda reminding them to do so. Governance establishes how the organization is structured so that everyone can make a positive contribution to cybersecurity.
A company’s governance principles are more about how things are designed and intended to work in the company, including:
- How the company is structured, particularly with respect to which roles ultimately represent the company as a whole before the law, before its shareholders, and before its customers
- How the company’s mission statement, goals, and objectives are addressed and made real through its practices, programs, and projects
- To whom the responsibility for undertaking these programs and projects is delegated
- To whom the responsibility for overseeing those undertaking roles is bestowed
In the context of cybersecurity, governance asserts how an organization assumes responsibility and authority for the flow of information that the organization handles. Cybersecurity is ultimately about the protection of information. Too often, cybersecurity is defined in the restricted context of systems, networks, and computers — collectively referred to as information assets. Such definitions are themselves restricted to the use of technology to secure these electronics, and even to automating that technology so as to minimize human involvement to the extent possible. Even the U.S. National Institute of Standards and Technology (NIST) maintains a multitude of somewhat contradictory definitions for “cybersecurity” (one security engineer collected four separate ones, but since then a fifth cropped up). Choose any one of these definitions, and at least someone at NIST would uphold your reasoning, although someone else could easily declare you’re not “in compliance.” (Governance and compliance are often confused with one another.)
Specifically, if you maintain that cybersecurity is entirely about systems and technology, then governance in the cybersecurity context would be limited to the roles and authorities for the authenticated roles of technology users within an organization.
This is not what “governance” has come to mean for the world at large, nor is it what the term meant when it was coined. At the heart of the matter, governance establishes the flow of authority and directorship within a company. It does confirm where “the buck stops,” to borrow the classic phrase from Harry S. Truman’s desk, but it also specifies how the buck is subdivided, delegated, and distributed among designated representatives. Indeed, the true meaning of “secretary” is a person entrusted with confidential information. Governance is the flow of responsibility within an organization, from which you may deduce the flow of confidential information.
This departmentalization of the company establishes chains of authority and seniority that directly lead to the formation of chains of custody for information that flows through the company. The exploitability of a company by a malicious actor, whether inside or outside the company, as well as the resilience, diligence, and vigilance the company demonstrates even in the absence of an obvious threat, are all direct products of the structure and delegation of authority asserted by its governance plan.
SimpleRisk offers its Organizational Hierarchy Extra as an add-on for its risk management platform, enabling members of a highly departmentalized organization to more effectively collaborate with other business units, as well as see and assess the information assets associated with other departments besides their own.
Which parts of governance are written down?
Many countries are proud to uphold their foundational principles with what their laws describe as a constitution. For most countries, the constitution is a document to which you may refer for guidance. For a few others, it is an ethereal ideal — a kind of mental conceit of the law that begs its subjects to recognize its relevance and splendor even though they can only read it in their imaginations.
A corporation’s governance principles, including those pertaining to cybersecurity, should indeed be documents with words that may be read, not imagined. This is not always the case. However, adherence to internationally recognized governance frameworks such as ISO 27001 should enable organizations to make the choices pertaining to their principles and policies that result in these decisions being documented and available for reference.
There are four categories of written documents that constitute the governance structure of an organization, including with exclusive respect to cybersecurity:
- Policy explicitly states the intent and objective of cybersecurity programs in the organization. To be a stakeholder or employee in this organization, it is mandatory that one follow policy. Anything not written down is not policy. There is often a person responsible for executing policy, and in many organizations, that person is the CISO, acting under the mandate of the CEO and/or the Board of Directors. Examples of policies enforced by a well-secured organization include, though may not be limited to:
  - A mission statement attested to by the CISO
  - A delegation of authority to individuals responsible for the protection of data and the flow of information
  - Acceptable Use Policy (AUP), which defines the rules for acceptable use of information and systems belonging to the organization
  - A privacy policy, which articulates the rules for collecting, protecting, and processing personally identifiable information (PII)
  - Information Classification and Handling policy — a phrase burned into the cybersecurity vernacular by the ISO 27001 standard. It’s this standard that establishes a framework for putting forth in writing the roles and responsibilities delegated for managing and overseeing information management and protection, and that identifies the procedures pursuant to the goals of this protection. An organization following the recommendations and guidelines in ISO 27001 may produce this policy for itself as a result. ISO 27001 is not an information classification and handling policy. Rather, it is a blueprint for crafting such a policy.
  - Software Development Lifecycle (SDLC) policy, which establishes the rules and responsibilities for organizations that produce software, so that security principles are observed throughout each stage of their SDLC. Each organization may adhere to one or more SDLC models or software process models, such as waterfall, joint application development (JAD), rapid application development (RAD), the “V-model,” the prototype model, and the spiral model. How each organization integrates security into its software development processes, including the roles and responsibilities for each person associated with that process, directly results from the software process model it implements.
  - Security awareness training policy, which outlines the measures to be taken for training new and existing employees and stakeholders in the company’s security methodology and practices, and designates roles responsible for implementing and overseeing training
- Standards within an organization’s governance documents specify the mandatory requirements that must be met in order for a policy to be fulfilled. Separating standards from policies enables a policy to make an objective mission statement that outlasts the tenure of the people who first wrote it, while necessary adjustments to the parameters and key performance indicators (KPIs) are stated in standards that are subject to change. A standard in governance may include:
  - Configuration settings mandatory or necessary for the introduction of a machine with a particular operating system (e.g., Windows, macOS) to the company network
  - Implementation requirements for new software adopted by an organization, which may include mandates for recognizing and following open source principles
  - Minimum requirements for the age, version number, or configuration of software and operating systems being implemented within a network
- Procedures are clearly specified instructions enabling individuals to achieve an objective stated in policy. So long as a procedure is written down, following that procedure is mandatory. A procedure may be updated or refined without policy needing to be re-evaluated or re-written. Policy may refer to procedure by name and mandate that said procedure must be followed, although policy should allow for the procedure itself to be specified independently in order to allow for refinement and improvement. Proper governance-oriented procedures may include:
  - Information Classification Procedure, which explicitly specifies how information assets are classified with respect to their business value, legal requirements, criticality, and sensitivity
  - Incident Response Plan (also called “incident management plan”), which specifies the chain of authority and plan of action, and identifies procedures that will be followed, in the event of an incident which threatens the integrity of corporate information. A data breach qualifies as one kind of incident, but so do a hurricane and a terrorist attack. Among the steps outlined in a proper incident response plan are the delegation of roles such as response coordinator and response handler, liaison with law enforcement agencies, and steps that responders must take to preserve evidence and conduct triage.
  - Change management procedure (now covered by control 8.32 in ISO 27002:2022), which establishes how an organization changes its incident response posture and its procedures for responding to incidents, whenever measurable changes are made to systems, system infrastructure, and facilities.
- Guidelines inform individuals about the best known, most efficient, most successful, or most reasonable ways in which they may abide by the policies, practices, and standards of the organization. Best practices qualify as guidelines in this context. There is an extremely important distinction that is very frequently lost: Guidelines are not policies. Policies do not (or, perhaps better put, should not) contain guidelines. Guidelines are not mandatory. They are suggestions that are subject not only to change but also to interpretation, adaptation, and incremental evolution. Guidelines can always get better. Policies should always be the best they can be. People may adopt better methods for abiding by policies — methods which, if anyone bothers to record them, should be submitted as substitute or replacement guidelines. Not abiding by guidelines does not constitute violation of policy. If something you fail to do makes you violate a policy, it is not because you failed to follow a guideline, but rather that you failed to follow procedure. Guidelines help you achieve the goals of good governance, and if following guidelines makes people violate policy, then it’s not because the policy is bad. Good governance guidelines and best practices may include:
  - CI/CD recommendations for how IT and DevOps personnel may best safeguard the information transfer pipeline when implementing a continuous integration and continuous delivery program
  - Regular communications with employees and stakeholders, often in the form of newsletters, that articulate the objectives and importance of security measures even in the absence of active incidents
  - Training sessions with employees and stakeholders that not only refresh their understanding of cybersecurity practices within their organizations, but also listen to their ideas and recommendations for improving those practices
SimpleRisk offers its Team-Based Separation Extra as an add-on for its risk management platform, enabling each team delegated responsibility within an organization to focus specifically and exclusively on the risks delegated to it, and the controls associated with those risks.
Exceptions and the plan of action
A governance plan must put forth the organization’s present-day security posture at the time of its official publication. That is to say, it’s not a vision about what the proper or ideal posture should be, but a realistic statement about the company’s readiness. Remember, risk is by definition the assumption of uncertainties. Governance needs to be frank about where uncertainties may lie.
For this reason, governance should not hesitate to admit exceptions to policy or procedure when it may lack the capability to meet broader goals and objectives at present. If the application of a control defined in governance cannot meet the same objective for one part of a system as it can for the rest, governance should state what the exception is, along with one or more of the following:
- The level of additional risk the organization should assume so long as the exception remains current
- An exception report that documents the extent to which observed performance for a system or component of a system deviates from expectations or standards
- An exception process — or, in its most complete form, a Plan of Action and Milestones (POA&M) — that documents the steps and procedures the company will take to fulfill the requirement of eliminating the exception, along with an itinerary for that fulfillment.
The SimpleRisk platform facilitates the recording and documentation of exceptions, along with policies, procedures, guidelines, and standards, as a built-in component of its Governance module.
So what’s a “framework?”
As you’ve seen, the written and documented part of an organization’s governance includes its policies, standards, procedures, and guidelines. Care must be taken to avoid using these terms interchangeably — or, if we’re being honest, to stop repeating the mistakes of others who have used them interchangeably, often including people representing standards bodies themselves.
NIST CSF 2.0
The NIST Cybersecurity Framework (CSF) 2.0 articulates a set of desired outcomes for professionals involved in an organization’s information protection regimen. It describes itself as a framework intended to give an organization a clear picture of what it can aim for and hope to achieve. CSF puts forth best practices and suggested guidelines. CSF is not some mandatory system. It does not describe company policy, or what policy should be. It can help people to define or redefine policy to better articulate a system of procedures and standards to which an organization may more readily adhere. A company that adopts CSF is volunteering to incorporate its principles of visualizing achievable outcomes, and ascertaining its own organizational profile. This is a snapshot of the organization’s capabilities and readiness to respond to cybersecurity incidents and protect information assets.
ISO 27001
One structural step above CSF, ISO 27001 is an international standard. Stated more explicitly, it is a standard for establishing data governance or information governance within an organization. But it is not a standard that is incorporated into an organization’s governance documents.
The ISO 27001 standard establishes a risk-based approach to managing and implementing cybersecurity. In that sense, it provides the raw material for an organization to establish a foundation for its cybersecurity governance principles. It offers a framework for controls (measures, safeguards, and countermeasures) that enable that organization to take proactive measures to avoid incidents. And through a program of certification, ISO 27001 gives an organization a means to attest to the strength of its cybersecurity profile for the benefit of potential business partners, without having to open up its entire network to their inspection.
Is governance about compliance?
Ultimately, a company’s governance structure ensures not only that it follows internal policies, standards, and procedures, but also that it complies with the laws of the places where it does business, as well as the industry standards put forth by international bodies and treaties. Governance and compliance are very complementary concepts to one another, yet they are not synonymous, nor is one contained within the other.
- Governance pertains to how a company respects its obligations to itself and its shareholders and customers. It accomplishes this by reflecting how the organization is run and managed, by documenting policy, guidelines, standards, and procedures — along with their exceptions — with the controls and frameworks associated with these elements.
- Compliance pertains to a company’s obligations to the world, the countries in which it does business, and the global economy. It accomplishes this by validating that the governance plan is meeting its objectives and performance indicators, that risk is being addressed and mitigated, and controls, auditing, and testing are all being rigorously applied and managed.
We could shorten this section here with a summary that states a company should comply with all laws, regulations, and statutes in its respective locales. We could make it just slightly longer by saying that adhering to a “culture of compliance” helps establish trust among a company’s stakeholders, and wrap it up by asking you to simply trust us on this point and all will be fine. We could bring things to a close in a hurry by stating that if your company is found not to be in compliance, you and your colleagues could go to jail.
But rather than take the route most traveled, let’s go ahead and put a fine point on this: A compliance regimen brings your company in alignment with the goals and objectives of regulatory and legislative bodies. It isn’t just about adherence to laws, but also about commitment to the higher ideals with which those laws were forged — or at the very least, the ideals we hope or wish were present at the time. Depending upon where your company is founded or headquartered, there may not be strong laws applying to accountability, transparency, or accuracy in financial reporting. Voluntary adherence to international standards demonstrates to your customers, your shareholders, and anyone who might at some point have an interest in trying to exploit some weakness in your organization, that your company is founded upon an overriding principle of respect that prevails even in the absence of a clear and instructive legal framework.
What is governance in the context of risk management and compliance?
In the cybersecurity context, governance, risk, and compliance (GRC) are three sets of principles which, when applied together, constitute the policies and actions an organization takes to maintain its foundational integrity when the handling of information places that organization at risk.
Every business operates by way of a transfer of information. Traditionally that transfer is between people. In modern businesses, systems facilitate the transfer, storage, and transformation of data. Today, data is not just the seed of information but also the root of currency and monetary value. The integrity of every organization depends on its ability to monitor, marshal, and protect the transfer and handling of information. Cybersecurity comprises the processes involved in maintaining that integrity throughout an organization when the transfer of information is facilitated by systems.
GRC, therefore, is the application of human controls, policies, and frameworks to cybersecurity. It’s the means with which human beings deter threats to their organizations’ integrity and well-being. GRC is not software. It’s not a platform, it’s not SaaS, it’s not in the cloud, and there isn’t a license you have to sign for it. It’s what you do for your company, whatever role you may play in that company, to ensure integrity, enhance resilience, and promote due diligence.
The second component of GRC — risk — actually refers to risk management. It is through enterprise risk management (ERM) that an organization enacts the principles that enable it to assume a limited, calculated amount of risk in order to proceed and make progress. All business involves risk. Risk management lets an organization assume the degree of risk it has the willingness and capability to tolerate, and establishes means and methods for avoiding risk that exceeds that level.
Until the advent of GRC, governance and compliance were defined almost interchangeably — in which case, we could have had either “GR” or “RC.” Both are about determining responsibility for maintaining company integrity. Both involve the delegation of obligations. Both mandate maintenance of transparency and auditability in business transactions. The difference lies with the object of the company’s obligations. Compliance is about aligning the organization’s goals with those of the world’s lawmaking bodies and regulatory agencies. Governance is about aligning all of the organization’s goals together with themselves.
The three concepts embodied in GRC are clearly intertwined (even if, in so doing, they fail to produce a cool acronym). Yet each of the activities involved in GRC pertains to a single element. Here are some real-world examples:
- It may be company policy for your organization’s employees’ and stakeholders’ passwords to be rotated after a 90-day maximum interval. Such policy may be enforced by means such as a group policy setting in Windows Server. That’s good governance.
- It may also be policy to apply those new passwords for database access. However, some databases in production only permit service account passwords to be rotated annually. Documenting this exception is also good governance.
- On a quarterly basis, an audit test should reveal the date of the last password rotation. The procedure for implementing the test may be good governance also, but actually performing the test and verifying the policy is being followed is compliance.
- If in the process of performing this test, it’s revealed that a software component other than the database listed in the exception also doesn’t recognize a Windows Server group policy object (GPO), then documenting that component’s failure of that test is also compliance. (Adjusting the specifications so that the failure isn’t recorded is non-compliance, at the very least, and fraud at worst.)
- Inserting a new exception to account for the newly discovered, failing component is good governance.
- Responding to this discovery by assessing and recording a new risk, planning mitigations for that risk, and prioritizing the risk for remediation, is good risk management.
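The walkthrough above separates three things that are easy to blur in practice: the policy parameter (a 90-day maximum), the documented exception (service-account passwords on certain databases rotate annually), and the compliance test that records every deviation, including ones on systems nobody has written an exception for yet. The following script is an added example, not code from the article or from SimpleRisk, that runs such a quarterly audit over a constructed set of accounts. The system names, account names, dates, and the exception register are all constructed for illustration; the `pwd_last_set` values stand in for whatever the real inventory or directory reports.

```python
"""
Quarterly password-rotation audit (added example; all data constructed).

Three GRC elements are kept apart on purpose:
  - POLICY_MAX_AGE_DAYS  -> the parameter a standard sets for the policy
  - EXCEPTIONS           -> documented, approved deviations with an id
  - audit()              -> the compliance test, which records every deviation
Failures on systems with no exception on record are surfaced separately,
because they need both a new exception record and a new risk entry.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

POLICY_MAX_AGE_DAYS = 90  # hypothetical policy parameter (90-day rotation)


@dataclass(frozen=True)
class Account:
    name: str
    system: str          # hypothetical system identifier
    pwd_last_set: date   # date of last rotation as reported by the system


@dataclass(frozen=True)
class Finding:
    account: str
    system: str
    age_days: int
    allowed_days: int
    exception_id: Optional[str]  # None when no documented exception applies
    compliant: bool


# Exception register: system -> (approved max age in days, exception id).
# Constructed for the example; in practice this is the governance exception log.
EXCEPTIONS = {
    "legacy-db-prod": (365, "EXC-0001"),  # service accounts rotate annually
}


def allowed_age(system: str) -> Tuple[int, Optional[str]]:
    """Return the age limit that applies to a system and the exception id, if any."""
    if system in EXCEPTIONS:
        return EXCEPTIONS[system]
    return POLICY_MAX_AGE_DAYS, None


def audit(accounts: List[Account], as_of: date) -> List[Finding]:
    """Compliance test: evaluate every account against policy plus documented exceptions."""
    findings = []
    for acct in accounts:
        age = (as_of - acct.pwd_last_set).days
        allowed, exc_id = allowed_age(acct.system)
        findings.append(Finding(acct.name, acct.system, age, allowed, exc_id, age <= allowed))
    return findings


def undocumented_failures(findings: List[Finding]) -> List[Finding]:
    """Failures with no exception on record: these get recorded, not specified away."""
    return [f for f in findings if not f.compliant and f.exception_id is None]


# Constructed sample inventory for an audit dated 2024-04-01.
AS_OF = date(2024, 4, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "workstations", date(2024, 2, 15)),      # 46 days: compliant
    Account("bob", "workstations", date(2023, 12, 1)),        # 122 days: fails policy
    Account("svc_db", "legacy-db-prod", date(2023, 9, 1)),    # 213 days: within EXC-0001
    Account("svc_app", "legacy-app", date(2023, 11, 1)),      # 152 days: fails, no exception
]


if __name__ == "__main__":
    results = audit(SAMPLE_ACCOUNTS, AS_OF)
    for f in results:
        status = "OK  " if f.compliant else "FAIL"
        note = f" (exception {f.exception_id})" if f.exception_id else ""
        print(f"{status} {f.account:8s} {f.system:15s} age={f.age_days:4d} limit={f.allowed_days}{note}")
    for f in undocumented_failures(results):
        print(f"needs exception record and risk entry: {f.account} on {f.system}")
```

The point of keeping `EXCEPTIONS` as data rather than editing `POLICY_MAX_AGE_DAYS` is the same point the article makes about adjusting specifications: the test keeps reporting the true age, and a newly discovered component such as `legacy-app` shows up as an undocumented failure until someone records an exception and a risk for it.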
SimpleRisk is an enterprise-grade GRC platform that has developed a reputation across industries for being simple, effective, and affordable. Using SimpleRisk GRC, an organization can easily and effectively identify, rank, monitor, and track risks throughout their mitigation life cycles, as well as continually monitor the ongoing progress of its cybersecurity initiatives.