Making Infosec Jobs Easier: Governance of Cybersecurity

August 10, 2020 | 7 min read | Cybersecurity Strategy

This is post 7 in our series on making infosec jobs easier and covers governance of cybersecurity. You can read the previous 6 posts at one of the links below.

As a CISO, you and your security team have crafted robust cybersecurity policies that define your approach to maintaining and optimizing your enterprise security posture. You have established mechanisms for assessing and reporting on breach risk for your organization, started cybersecurity awareness initiatives, integrated existing tools to maximize ROI, set up cybersecurity project management and implemented zero trust. You know that cybersecurity governance plays an important role in achieving the security objectives of the organization. However, once these policies are implemented and distributed throughout the organization, you realize that several governance challenges still exist.

What is cybersecurity governance?

Cybersecurity Governance is one element of an organization’s broader corporate governance, and is separate from day-to-day cybersecurity operations and management. Governance is a strategic planning function that provides a framework that guides the implementation and execution of cybersecurity strategy.

3 Challenges in cybersecurity governance

#1. Clear definition of cybersecurity strategy and goals is missing

The company’s risk appetite (including that of the board of directors and senior leadership) is not clearly understood before a cybersecurity plan is devised. As a result, there is a clear gap between cybersecurity and business goals.

Current risk posture must be understood first, to get a clear grasp of your starting point before charting a path to your preferred security state.

Key components of assessing your current state include knowing:

  • The company’s risk appetite
  • Results of threat and vulnerability assessments and risk evaluation
  • Whether mitigations and countermeasures that have been deployed are effective in reducing risk
  • What risks have been mitigated, removed, or accepted
  • Whether you have the resources and expertise needed to reduce risk

#2. Lack of standardized, repeatable processes and accountability

To improve efficiency, ensure consistency, and move away from ad-hoc actions, establishing standardized processes is essential to cybersecurity governance. This also includes harnessing the power of individual risk owners to remediate risk by providing them with the right context and goals. Using gamification to push down ownership of cyber-risk management to individual risk owners is one tactic.

#3. Dilemma of global vs. local

Companies with extensive operations worldwide must apply a global perspective to cyber governance, while at the same time ensuring that risks at the local, regional level are not overlooked. For a global organization, regional considerations can make enforcing consistent standards a challenge, since operations in different geographies often use different suppliers, policies and redundancy systems. However, it is imperative to establish a centralized global steering committee that provides one view of security and compliance across the global system. At the same time, recognize that governance structures and policies can’t be hardwired and accountability for governance and cyber security needs to be distributed across business owners.

Improving governance of cybersecurity

Balbix can help take the pain out of the job of improving governance of cybersecurity.

  • Understand the effectiveness of your tools in reducing breach risk
  • Consolidate point products currently in use for different parts of the attack surface
  • Invest in integrating tools that may work to improve operations
  • Gain visibility into risk by business segment and asset type and identify types of vulnerabilities that are driving risk to prioritize investments and initiatives
  • Automate key activities like assigning groups to assets, tagging risk owners, and generating tickets
  • Prioritize action items by business criticality and risk to direct precious resources efficiently and stop wasting money and effort towards low impact security issues
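The last three points describe one workflow: score findings by the business criticality of the affected asset, roll risk up by business segment, and hand prioritized tickets to tagged risk owners. As an added illustration (not Balbix's scoring model or code), the following Python runs that workflow over a constructed inventory and also measures how much of the raw risk already-deployed mitigations removed. The scoring formula, the priority thresholds and every host, segment and owner name are assumptions made for the example.

```python
# Added illustration, not Balbix code: risk-based prioritization of findings by
# business criticality, roll-up by business segment, owner tagging and ticket stubs.
# All hosts, segments, owners, scores and thresholds below are constructed sample data.
from collections import defaultdict

# Constructed inventory: hypothetical assets tagged with business segment,
# criticality (1-5) and the team that owns their risk.
ASSETS = {
    "db-01":  {"segment": "Payments",  "criticality": 5, "owner": "payments-platform"},
    "web-03": {"segment": "Marketing", "criticality": 2, "owner": "web-team"},
    "hr-app": {"segment": "Corporate", "criticality": 4, "owner": "hr-it"},
}

# Constructed findings: a CVSS-like base severity (0-10), whether a public exploit
# is known, and whether a mitigation has already been deployed.
FINDINGS = [
    {"id": "F-1", "asset": "db-01",  "severity": 7.5, "exploit_known": True,  "mitigated": False},
    {"id": "F-2", "asset": "web-03", "severity": 9.8, "exploit_known": False, "mitigated": False},
    {"id": "F-3", "asset": "hr-app", "severity": 5.0, "exploit_known": True,  "mitigated": False},
    {"id": "F-4", "asset": "db-01",  "severity": 9.0, "exploit_known": False, "mitigated": True},
]


def raw_risk(finding, asset):
    """Likelihood (scaled severity, halved when no exploit is known) times business impact."""
    likelihood = finding["severity"] / 10.0 * (1.0 if finding["exploit_known"] else 0.5)
    return round(likelihood * asset["criticality"], 2)


def residual_risk(finding, asset):
    """Risk that still drives the backlog: mitigated (or accepted) items contribute nothing."""
    return 0.0 if finding["mitigated"] else raw_risk(finding, asset)


def prioritize(findings=FINDINGS, assets=ASSETS):
    """Open findings ordered by residual risk, highest first."""
    scored = []
    for f in findings:
        risk = residual_risk(f, assets[f["asset"]])
        if risk > 0:
            scored.append({**f, "risk": risk})
    return sorted(scored, key=lambda f: f["risk"], reverse=True)


def risk_by_segment(findings=FINDINGS, assets=ASSETS):
    """Roll residual risk up to business segments for a board-level view."""
    totals = defaultdict(float)
    for f in prioritize(findings, assets):
        totals[assets[f["asset"]]["segment"]] += f["risk"]
    return {segment: round(total, 2) for segment, total in totals.items()}


def priority_tier(risk):
    """Map a risk score to a ticket priority; the thresholds are illustrative assumptions."""
    if risk >= 3.0:
        return "P1"
    if risk >= 1.5:
        return "P2"
    return "P3"


def tickets(findings=FINDINGS, assets=ASSETS):
    """Ticket stubs tagged with the asset's risk owner, in priority order."""
    return [
        {
            "finding": f["id"],
            "asset": f["asset"],
            "owner": assets[f["asset"]]["owner"],
            "priority": priority_tier(f["risk"]),
            "risk": f["risk"],
        }
        for f in prioritize(findings, assets)
    ]


def risk_reduction(findings=FINDINGS, assets=ASSETS):
    """Fraction of total raw risk removed by deployed mitigations (control effectiveness)."""
    raw = sum(raw_risk(f, assets[f["asset"]]) for f in findings)
    residual = sum(residual_risk(f, assets[f["asset"]]) for f in findings)
    return round((raw - residual) / raw, 2) if raw else 0.0


if __name__ == "__main__":
    for ticket in tickets():
        print(ticket)
    print("risk by segment:", risk_by_segment())
    print("risk reduction from mitigations:", risk_reduction())
```

Note what the ordering shows: the CVSS 9.8 finding on the low-criticality marketing host lands as a P3 behind the 7.5 on the payments database, which is exactly the "business criticality and risk" ordering the list above calls for rather than a severity-only queue. The roll-up by segment is the same data the board-level view needs, and the reduction figure is one way to express whether deployed controls are actually moving the number.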

Governance made easy with custom dashboards

Developing a cybersecurity governance strategy requires understanding and defining the enterprise’s security posture in the context of the overall environment. And for effective governance of cybersecurity, it is imperative that there is a top-level acknowledgement of the cyber risk, an understanding of the organization’s cyber risk profile, and a commitment to protect the organization in line with that profile.

Balbix enables CISOs and security teams to set up custom dashboards to visualize their security posture and focus on the metrics that matter most to them.

For example, at the CIO/CISO, or even the board level, it is important to get a global view of risk across the organization, including identification of which Business Segments or Locations have the highest risk. The dashboard below is similar to what you might build in Balbix to suit this purpose:

Your governance needs might also necessitate analyzing the effectiveness of your existing controls, as well as exploring whether new controls would further reduce breach risk. For that, you could spend 5 minutes developing a dashboard like this:

The flexibility of the Balbix platform provides unprecedented visibility across the spectrum of jobs involved in cybersecurity governance. But don’t just take my word for it – take Balbix for a test drive!