If you haven’t been breached yet, you either will be or you don’t know it’s already happened.
Organizations that suffer data and information security breaches find themselves looking for answers to why they were targeted and how they could have prevented it. Often the answer is that their information security governance (ISG) program either didn't exist or wasn't operating as well as it should have; a functioning program would likely have reduced both the likelihood and the severity of the breach.
If you're unsure what ISG is, you're not alone. It's a relatively overlooked cybersecurity discipline that is slowly gaining traction in the IT community. With an expensive breach more likely than ever, now is a good time to determine how to implement an ISG program for your company.
Understanding Information Security Governance
According to the Information Systems Audit and Control Association (ISACA), "information security governance is a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risks appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security program."
Put more simply, ISG represents a shift from a tactical, reactive posture that focuses on security patches and near misses to a strategic focus on the entire IT security program, one that helps a company anticipate risks and breaches and plan toward its security goals. It takes an inclusive view of people, processes, and technology and uses risk as the basis for continual improvement of the company's information security program.
A company that understands its changing risk landscape and the posture of its environment can more easily establish a governance model that works in harmony with the other facets of its business. This model then becomes an important component of any company’s IT risk management strategy—serving as a continuous security program, rather than a one-time assessment, project, or fix.
Changing the Way Companies Do Business
Organizations are constantly changing. As a company evolves to meet everything from changing market conditions to regulatory and compliance concerns, its business objectives change too. The most important information security issue during this evolution is management’s ability to identify, assess, and reduce risk and adapt its security program accordingly. This ability often determines the success or failure of an enterprise.
An ISG program changes the way a company does business. While IT enables an organization's business objectives through the use of technology, an ISG program helps ensure those objectives are met at an acceptable level of risk by giving management the visibility and tools it needs to respond.
The implementation of a strong, active ISG program doesn’t mean a company will never be breached. Instead, it means that when an attack comes, a company has people, processes, and technologies in place to:
- Detect the threat
- Contain the threat
- Stop the threat or limit its impact
Minimizing Risk Against Evolving Cyberthreats
Gone are the days of a single point of attack where one vulnerability is exposed and a patch—or reactive repair—is applied. Now, a company’s ISG model, which includes information security operations, must be prepared to defend against increasingly complex, coordinated threats that include:
- One or more diversions
- Multiple attack vectors
- Attackers with knowledge of internal processes and procedures
In responding to these multifaceted threats, the role of ISG is to prepare an organization for the moment of attack well before it occurs. ISG requires an organization to continually look at its critical IT and business functions to ensure a working knowledge of potential exposure to cyberthreats. It also helps identify critical functions for risk reduction or mitigation, such as:
- Threat and vulnerability analysis
- Patch management
- Intrusion detection
- Security information and event management (SIEM) and monitoring
- Incident response planning
Working with a Framework
ISG isn’t a framework; it’s a stratified governance structure that helps companies create a security roadmap and implement it through deployment and operations. Typically, ISG works in conjunction with a company’s existing IT security frameworks, such as:
- NIST Cybersecurity Framework
- ISO/IEC 27001
- COSO Internal Control Framework
- HITRUST CSF
To achieve effective ISG, management must establish and maintain a model with the understanding that there is neither a single path to a successful program nor a static, desired end state. The development and maintenance of a comprehensive information security program relies heavily on standardized frameworks to provide a recognizable structure.
As more organizations focus on ISG, information security becomes part of company culture, forging cooperation with:
- Enterprise risk organizations
- Internal audit
For many organizations, the hardest part of ISG implementation is the required change in thinking and focus. Companies have to shift from a tactical, reactive approach to one that is strategic and risk-based and drives implementation and operations.
There's a persistent belief that information security is solely the deployment of point security products, such as firewalls or intrusion detection systems, that make companies feel secure. ISG, through a cycle of risk reduction, helps organizations take a more holistic view in determining whether and where such point solutions should be used.
Because of this, companies without an ISG program in place should consider implementing one. Many businesses already have key pieces in place, so they won’t need to start from scratch. Often, companies only need to solicit outside guidance to establish the foundation of an ISG program or address projects outside their core capabilities.
An ISG program encompasses four key components:
- Strategy. Align information security with business objectives.
- Implementation. Identify who’ll be responsible for the program.
- Operation. Develop and deploy projects that align with the overall strategy.
- Monitoring. Measure the organization's risk posture against its risk universe and track the program's effectiveness over time.
None of this has to be accomplished overnight. The continuous improvement and ongoing monitoring processes can't begin until an organization has achieved a measure of program maturity. By the time it does, a risk-based culture will likely be in place, giving the organization the tools it needs to prepare for most situations and respond based on identified risks.
With the growth of e-commerce, data storage, technology regulation, and internet and cloud-based applications, we live in a world where there's no longer a visible network perimeter. This means a company must focus on implementing a vigorous ISG model that continually drives and enhances its overall cybersecurity framework. The risks, and the opportunities, are there; you just have to be prepared.
We're Here to Help
If you’d like to learn more about how an ISG program could benefit your organization, contact your Moss Adams professional.