Cybersecurity governance: A path to cyber maturity

What does cybersecurity governance mean and why is it important?

Cybersecurity governance refers to the component of governance that addresses an organization's dependence on cyberspace in the presence of adversaries. The ISO/IEC 27001 standard defines cybersecurity governance as the following:

The system by which an organization directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks.

Traditionally, cybersecurity is viewed through the lens of a technical or operational issue to be handled in the technology space. Cybersecurity planning needs to fully transition from a back-office operational function to its own area aligned with law, privacy and enterprise risk. The CISO should have a seat at the table alongside the CIO, COO, CFO and CEO. This helps the C-suite understand cybersecurity as an enterprise-wide risk management issue -- along with the legal implications of cyber-risks -- and not solely a technology issue.

The C-suite can then set the appropriate tone for the organization, which is the cornerstone of any good governance program. Establishing the right tone at the top is much more than a compliance exercise. It ensures everyone is working according to plan, as a team, to deliver business activities and ensure the protection of assets within the context of a risk management program and security strategy.

Historically, cybersecurity was managed by implementing a solution to solve a problem or mitigate a risk. Many cybersecurity departments have technical security safeguards, such as firewalls or intrusion detection, but often lack basic cybersecurity governance policies, best practices and processes. Where they do exist, policies or processes are often outdated or ignored.

Many cybersecurity departments also have poor or inadequate cybersecurity awareness training programs that fail to address all levels of an organization. As we have learned from recent breaches, many organizations have inadequate hardening and patching programs. Poor access control practices, such as uncontrolled group passwords, shared accounts, proliferated admin privileges, shared root access and the absence of an authorization process except at a low operational level, also are problematic.

6 steps organizations should follow for their cybersecurity governance program

Here are six steps that can help an organization grow and sharpen its cybersecurity governance program:

1. Establish the current state.
   • Complete a cyber-risk assessment to understand the gaps, and create a roadmap to close those gaps.
   • Complete a maturity assessment.
2. Create, review and update all cybersecurity standards, policies and processes.
   • Many describe this as low-hanging fruit -- and it is -- but it is a heavy lift. Take the time needed to establish the structure and expectations of cybersecurity governance.
3. Approach cybersecurity from an enterprise lens.
   • Understand what data needs to be protected.
   • How are the cyber-risks aligned with enterprise risk management?
   • What is the relative priority of cybersecurity investment as compared with other types of investments?
4. Increase cybersecurity awareness and training.
   • With the rise in remote work driven by COVID-19 and the ongoing adoption of hybrid work models, we are no longer just training our internal employees. With so many people working from home and many children attending school online, it is critical that the entire family understands good cyber hygiene.
5. Cyber-risk analytics: How are threats modeled and risks contextualized and assessed?
   • When creating the risk model, consider all the risks to your organization -- external, internal and third party.
6. Monitor, measure, analyze, report and improve.
   • This is not a one-and-done exercise. Establish regular assessment intervals, measure what matters, analyze the data and create an improvement plan.
   • Report to the board on cyber maturity and the cyber-risk posture across the organization.

Security roles and responsibilities cross organizational boundaries

Leadership matters: Set the tone at the top that makes cybersecurity -- and cybersecurity governance -- a priority. But remember that leadership is not everything. Policies, standards and processes align cybersecurity governance with cybersecurity priorities so that cyber safeguards remain strong when leaders and employees change.

Finally, cybersecurity cannot work in a vacuum. The distributed nature of cyber-risks requires that mitigation efforts connect across the entire organization. Engage everyone.

About the author
Pamela (Pam) Nigro, CRMA, CISA, CGEIT, CRISC, CDPSE currently serves as the board chair for ISACA. Presently, Nigro is vice president of security and security officer at Medecision, where she is responsible for all cybersecurity efforts that secure and protect information important to Medecision and its customers, while ensuring the overall cyber resiliency of the company. She is an experienced board member, recognized thought leader and subject matter expert. Nigro is also an adjunct professor at Lewis University in Illinois, where she teaches graduate-level courses on health information security, healthcare data security, privacy, confidentiality, healthcare informatics, ethics, risk, IT governance and compliance, and management of information systems in the MSIS and MBA programs. She has more than 25 years of experience in the healthcare industry and the IT industry and holds numerous IT certifications. Nigro achieved her MBA from Illinois Institute of Technology. She also achieved her "Distinguished Toastmaster" from Toastmasters International. She is an industry and keynote speaker and contributor to industry articles and journals, as well as industry certification review manuals and training materials.