IT Security Governance Overview
Summary
TLDR: In this video, Rick discusses IT security governance, linking organizational risks to IT threats. He explains that IT security is about protecting the organization, not just IT, by managing risks through a governance program. Governance ties business risks to technical controls, helping organizations manage threats. Rick covers security frameworks, including risk, program, and control frameworks like NIST, ISO, and PCI, and emphasizes the role of business leadership in risk management decisions. He also touches on the importance of a risk register and outlines how organizations can quantify risks.
Takeaways
- 💡 Governance in IT security links organizational risk to IT risks and threats, focusing on protecting the organization, not just IT systems.
- 📊 IT security controls must align with organizational risks to manage, mitigate, or reduce their impact.
- 🏢 Governance connects business owners and technical teams to ensure that security efforts are in line with business goals and processes.
- 🚨 A significant percentage of small businesses can face severe impacts from security breaches, potentially leading to closure within six months.
- 📋 Governance programs should identify business ownership of data, systems, applications, and infrastructure, ensuring accountability.
- 📚 Various security frameworks, such as NIST, ISO, and PCI, help organizations meet industry or regulatory standards and mature their security practices.
- 💼 Compliance with mandatory security standards is essential for some industries, as non-compliance can lead to fines or the inability to conduct business.
- 🔧 Risk registers are used to track potential IT threats, their likelihood, and their impact on the organization, helping to prioritize security measures.
- 🧑‍💼 Business leaders, not IT staff, are responsible for accepting risks, as they are ultimately accountable for keeping the organization in business.
- 🔍 Risk management can be either qualitative (subjective impact estimates) or quantitative (calculations based on data), both helping to prioritize security efforts effectively.
Q & A
What is IT governance, according to the video?
- IT governance is a program that links organizational risks to IT risks and threats. It ensures that IT security controls are aligned with business risks and goals, rather than just protecting IT systems themselves.
Why is governance important for organizations?
- Governance is important because it connects the technical controls managed by IT with the business risks managed by organizational leaders. It helps ensure that IT controls support the organization's mission and objectives, and that business leaders are involved in making risk-based decisions.
What is the role of business leadership in IT governance?
- Business leadership is responsible for making risk-based decisions and prioritizing what data, systems, or processes need protection. IT cannot make these decisions on its own; leadership must be actively involved in understanding and determining the level of acceptable risk.
What are some potential impacts of IT security breaches on businesses?
- The impacts of IT security breaches can include loss of intellectual property, theft of money, damage to reputation or customer trust, recovery costs, regulatory fines, and loss of contracts. These impacts can potentially put a business out of operation.
What is a risk register, and how is it used in IT governance?
- A risk register is a tool used to document IT threats that could impact the organization, along with their likelihood and impact. It helps track the implementation of security measures, manage risks, and quantify or qualify the risk levels to guide decisions on whether to accept, mitigate, or transfer those risks.
How can organizations without formal regulations or standards manage their cybersecurity?
- Organizations without formal regulations can adopt universal security frameworks to benchmark their cybersecurity programs. These frameworks, such as those from ISO, NIST, or CIS, provide guidelines to help structure and improve their security posture.
What are the different types of security frameworks mentioned in the video?
- There are four types of security frameworks: risk frameworks (e.g., NIST, ISO), program frameworks (e.g., CIS, COBIT), control frameworks (e.g., NIST, CIS Controls), and attack frameworks (e.g., MITRE ATT&CK, Lockheed Martin Kill Chain).
How do qualified and quantified risk assessments differ?
- Qualified risk assessments involve estimating the impact of a risk based on leadership's judgment, often using a scale of 1 to 5. Quantified risk assessments calculate the potential financial impact based on factors like likelihood, data value, and security controls.
What is the importance of compliance with industry regulations or standards in IT governance?
- Compliance with industry regulations or standards, such as PCI for retail or HIPAA for healthcare, is crucial as non-compliance can lead to fines, restricted contracts, or even the inability to conduct business. However, compliance alone does not guarantee security, so organizations must go beyond just meeting regulatory requirements.
What are some challenges organizations face when there is no compliance mandate?
- Without a compliance mandate, organizations can struggle to know where to start with their cybersecurity programs or may have difficulty securing leadership buy-in. This lack of direction makes it challenging to build a structured security strategy.
Outlines
🔐 Introduction to IT Security Governance
Rick introduces himself and outlines the video’s focus on IT security governance. He mentions that the content is based on a blog post written for Mach37, a cybersecurity startup accelerator. He clarifies the concept of governance, humorously distinguishing it from a 'governess.' Governance in IT security refers to linking organizational risks to IT risks and ensuring that technical controls address business-related risks. Rick highlights the importance of aligning IT security with business objectives, illustrating how IT security breaches can have serious consequences such as financial losses, reputation damage, and even causing businesses to fail.
📊 The Importance of Formal Governance Programs
Rick discusses his career experience as a security management consultant and virtual Chief Information Security Officer (CISO), emphasizing the lack of formal governance programs in many organizations. While many organizations may have informal governance processes, these are not sufficient. Governance must link business risks to technical controls and establish ownership of security responsibilities. Rick explains that governance is essential for making business-driven risk-based decisions, ensuring that security measures are aligned with the organization's goals.
📜 Security Standards and Frameworks
Rick explores various security standards and frameworks, noting that while some are mandatory, others serve as guidelines for enhancing security maturity. Compliance with these standards is crucial, as non-compliance poses business risks. He gives examples of specific frameworks such as the NIST cybersecurity framework, FedRAMP for government contractors, ISO 27001, and PCI DSS for retail. He emphasizes that compliance alone does not guarantee security, but not adhering to mandatory standards can result in fines, loss of contracts, or restricted business operations.
🛡️ Challenges for Organizations Without Mandatory Compliance
Rick explains that organizations not bound by mandatory regulatory frameworks, such as some insurance companies and legal firms, often face challenges in managing their cybersecurity programs. Without a compliance framework, it becomes harder for these companies to secure buy-in from leadership or to benchmark their cybersecurity practices. However, universal security frameworks can be useful in such cases to help organizations define and manage their cybersecurity programs effectively.
🗂️ Types of Security Frameworks
Rick introduces the different types of security frameworks, such as risk frameworks, program frameworks, and control frameworks. He explains that frameworks like NIST and ISO can help organizations measure and manage IT risks while also making their security programs measurable and reportable. The risk register is mentioned as a key tool for managing and tracking risks, whether using a simple spreadsheet or a more advanced GRC (Governance, Risk, and Compliance) application.
📈 Qualifying and Quantifying Risk
Rick dives deeper into risk management, explaining the concepts of qualified and quantified risk. Qualifying risk involves business leadership estimating the potential impact of losing certain data, while quantifying risk uses calculations to determine the financial impact based on the likelihood of data being compromised. Rick notes that organizations can prioritize protections based on the risks with the most significant potential impact, and he refers to methodologies from the FAIR Institute and CIS for developing these models.
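A minimal risk register that puts the ideas from the two sections above into code: the qualified 1-to-5 rating, the quantified likelihood-times-dollar-impact figure, the accept/mitigate/transfer decision, the policy threshold with a business-owner exception, and prioritisation by the most impactful threat. This is an added example, not code from Rick's video or blog post; the threats, owners, probabilities and dollar figures are constructed, and the simple annual-loss-expectancy form (likelihood × impact) is an assumption standing in for the fuller FAIR or CIS methodologies he mentions.

```python
from dataclasses import dataclass
from typing import List, Optional

TREATMENTS = ("accept", "mitigate", "transfer")


@dataclass
class Risk:
    threat: str
    business_owner: str             # accountable business owner, not IT staff
    likelihood: float               # annual probability the threat occurs, 0-1
    impact_usd: float               # dollar impact if it does (quantified view)
    qual_likelihood: int            # 1-5, least to most likely (qualified view)
    qual_impact: int                # 1-5, least to most impactful (qualified view)
    treatment: str = "mitigate"     # accept / mitigate / transfer
    control_reduction: float = 0.0  # fraction of likelihood removed by controls
    exception_approved_by: Optional[str] = None  # business sign-off above policy

    def __post_init__(self) -> None:
        if self.treatment not in TREATMENTS:
            raise ValueError(f"treatment must be one of {TREATMENTS}")
        if not (0.0 <= self.likelihood <= 1.0 and 0.0 <= self.control_reduction <= 1.0):
            raise ValueError("likelihood and control_reduction must be within 0-1")
        if not (1 <= self.qual_likelihood <= 5 and 1 <= self.qual_impact <= 5):
            raise ValueError("qualified scores use a 1-5 scale")

    def qualified_score(self) -> int:
        """Qualified rating: likelihood x impact on the 1-5 scales (1-25)."""
        return self.qual_likelihood * self.qual_impact

    def unmitigated_ale(self) -> float:
        """Quantified annual loss expectancy before controls: likelihood x impact."""
        return self.likelihood * self.impact_usd

    def mitigated_ale(self) -> float:
        """Residual annual loss expectancy once controls reduce the likelihood."""
        return self.likelihood * (1.0 - self.control_reduction) * self.impact_usd


def prioritize(register: List[Risk]) -> List[str]:
    """Threat names ordered by unmitigated loss, most impactful first."""
    ranked = sorted(register, key=lambda r: r.unmitigated_ale(), reverse=True)
    return [r.threat for r in ranked]


def policy_violations(register: List[Risk], acceptable_ale_usd: float) -> List[str]:
    """Risks whose residual loss exceeds the policy's acceptable level and that
    carry no business-approved exception (only the business may accept them)."""
    return [r.threat for r in register
            if r.mitigated_ale() > acceptable_ale_usd and r.exception_approved_by is None]


# Constructed sample register; figures are illustrative, not from any real assessment.
SAMPLE_REGISTER = [
    Risk("Customer database exfiltration", "VP Sales", 0.50, 15_000_000, 4, 5,
         treatment="mitigate", control_reduction=0.6),
    Risk("Ransomware on file servers", "COO", 0.30, 4_000_000, 3, 4,
         treatment="accept", exception_approved_by="COO"),
    Risk("Marketing site defacement", "CMO", 0.20, 100_000, 2, 2,
         treatment="accept"),
]
ACCEPTABLE_ANNUAL_LOSS_USD = 1_000_000  # assumed value set by the risk policy

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.threat:32} qual={r.qualified_score():2d} "
              f"unmitigated=${r.unmitigated_ale():,.0f} residual=${r.mitigated_ale():,.0f}")
    print("priority:", prioritize(SAMPLE_REGISTER))
    print("needs a business decision:",
          policy_violations(SAMPLE_REGISTER, ACCEPTABLE_ANNUAL_LOSS_USD))
```

The exfiltration risk stays above the policy threshold even after its controls, so it surfaces as needing a business decision, while the ransomware risk, also above threshold, does not because the COO has signed the exception.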
🏢 The Role of Business Leadership in IT Governance
Rick stresses the critical importance of business leadership in IT governance. Leaders must understand their role in making risk-based decisions and cannot leave security entirely to IT teams. A successful security program requires cooperation between IT and business leaders to link IT security risks with business objectives. Rick highlights the need for leaders to define what data or systems are critical and what level of risk is acceptable. He refers to an earlier video discussing strategies for gaining leadership buy-in and communicating in business terms rather than technical jargon.
🎬 Conclusion: The Essentials of IT Governance
Rick concludes the video with a recap of the key points about IT governance, including its role in linking business and technical risks, the importance of formal governance programs, and the need for business leadership involvement. He encourages viewers to ask questions in the comments and invites them to like and subscribe for future videos. Rick also hints at creating more detailed videos on specific frameworks and risk management topics if there is interest from viewers.
Keywords
💡IT Security Governance
💡Risk Management
💡Compliance
💡Business Impact
💡Risk Framework
💡Control Framework
💡Risk Register
💡Quantified Risk
💡Business Ownership
💡Framework Hierarchy
Highlights
IT governance links organizational risk to IT risks and threats, emphasizing the protection of the business, not just IT systems.
No IT security control should be implemented without tying it to an organizational risk it helps manage or mitigate.
60% of small companies that suffer a data breach may go out of business within six months due to financial or reputational impact.
Significant impacts of cybersecurity breaches include intellectual property loss, financial theft, and reputational damage.
Many IT security organizations lack a formal governance program, even though informal governance may exist through compliance requirements or business owner input.
Governance establishes clear ownership, assigning business owners responsibility for data, systems, and applications, not technical staff.
Security frameworks help organizations create formal governance. There are risk frameworks, program frameworks, and control frameworks.
Being compliant with industry regulations like PCI, NIST, or ISO doesn’t necessarily equate to being secure but helps manage risks.
Some industries, such as insurance or legal, may not have strict compliance regulations, creating a challenge for governance.
Risk frameworks define, measure, and manage IT risks, while program frameworks align the risk program with business goals.
A risk register helps organizations track IT threats, their likelihood, and their potential impact, providing clarity on mitigation strategies.
Risk levels can be quantified (using data models) or qualified (based on business leadership's estimation of impact).
Businesses need to define acceptable risk levels and create exception processes when those levels are exceeded.
Cybersecurity risk decisions should be made by business leaders, not IT teams, as these decisions impact business survival.
Leadership buy-in is essential for successful governance, as leaders must understand their role in making risk decisions and protecting the organization.
Transcripts
Hi everybody, my name is Rick and today I'm going to talk about IT security governance. This video is somewhat based on a blog post I wrote recently for Mach37; they're a cybersecurity startup accelerator. I put a link to that blog post in the description below in case you want to have a written account of the topic for this talk. And to clarify, governance does not refer to the role of a Jane Austen era woman who was hired to watch your kids; that's a different thing. Did that joke land very well? Anyway, governance is the name of a program that links organizational risk to IT risks and threats, because IT security is not about protecting IT, it's about protecting the organization, or business, or mission. No IT control should be implemented without being able to tie back to an organizational risk that it's helping to manage, mitigate, or reduce its impact. Governance is the link between the humans who manage the technical controls and the business owners who process data, systems, or applications, to align their requirements.

Every enterprise has a goal to stay in business, and there are numerous examples in the news every week that prove that IT security breaches or incidents can threaten that goal. There was actually a news story, I'll put it over here, about five years ago posing that 60% of small companies who suffer a breach go out of business within six months. While I think this might be a bit exaggerated, there are significant and unexpected impacts resulting from an organization being hacked, such as loss of intellectual property, theft of money, reduction of reputation or customer trust, cost to recover business after an incident, cost of regulatory fines or loss of contracts, and other things. These impacts therefore could easily put an organization out of business.

I spent much of my career going back and forth between a security management consultant and a CISO. My previous position for almost five years was a virtual CISO for a number of organizations in different industries and different parts of the world. What I found repeatedly was the one thing that most immature IT security organizations lack is a formal governance program. Every organization actually has some level of a governance, risk, and compliance program, though it might not be formal. It could be just needing to meet the industry or customer security requirements based on a contract, or it's the business owner just saying this information or platform or application or business process is important to the business and it must be protected or must always stay on. But having an informal strategy, you'll see, is not enough. As well as linking the business risks to technical controls, governance also establishes ownership. I've said many times before that technical people don't make business decisions, and risk-based decisions are business decisions. Identifying business ownership for data, systems, applications, and even infrastructure is foundational.

Governance is best when it's based on a framework. There are several security standards out there. Some are mandatory requirements for organizations in certain industries, while others are optional, a set of guidelines that can build or show leading practices for security maturity. Many organizations have some industry regulation that they need to meet. Being compliant to one or more of those regulations or standards doesn't necessarily make you secure; not being compliant, when you are mandated to these mandatory standards, is a business risk. How big that impact is depends on the organization and the industry. Non-compliance could just be a fine, it could be being restricted from working on specific types of contract, or in the case of retail, not being able to accept specific payment types like credit cards. Other examples include, for instance, if you work for a US government contractor, not meeting the NIST Cybersecurity Framework or FedRAMP could impact your ability to support government contracts. If you're a service provider, having an ISO 27001 certification or SOC 2 might help with third-party assessments by customers or might be a requirement to bid on a specific contract. And as I said, being PCI compliant is mandatory for retail, for anyone who takes credit cards; otherwise the business might be subject to fines or be prevented from taking credit cards, which could be a business impact.

There are a small percentage of organizations that aren't formally subject to any regulations, industry standards, or other frameworks. Insurance companies, manufacturing companies, business-to-business retail, or legal firms may not have some industry standard that they have to meet like financial and healthcare do. But they face a different challenge of managing their cybersecurity program, ironically, because they struggle with where to start, or with being able to have buy-in from leadership because there is no compliance they have to meet: so what do we base our program on? They need to benchmark something to describe to their customers and third-party partners, and this is where one of the more universal security frameworks can come into play.

So getting back to the frameworks, there are four types. There's risk frameworks; program frameworks (NIST and ISO both have risk and program frameworks in their library); control frameworks (the CIS Controls from my previous videos, as well as NIST, are two examples); and attack frameworks like the MITRE ATT&CK framework and the Lockheed Martin Kill Chain. These frameworks can be from either regulatory sources, like HIPAA for healthcare, NERC for energy companies, GLBA for finance; they could be from standards bodies like ISO, COBIT, and CIS; or industry verticals like PCI for retail or EDUCAUSE for higher education. I will dig into the details of these frameworks in a video; that is a whole other video. Let me know if you're interested in it and I'll put one together. I will say that these frameworks are hierarchical: you would use a risk framework to define, measure, and manage IT risk, a program framework to map your IT risk program to make it measurable and reportable, and then finally leverage a control framework for how to apply controls to meet these requirements.

The tool most likely used for managing all of this, technical and risk governance and risk mapping, is a risk register. Basically a risk register is a list of what IT threats could impact the organization, and includes their likelihood and impact. I'll put that over here as an example of a risk register. This way you can define whether to accept, mitigate, or transfer the risk, track implementation of remediation, or go deeper into comparing mitigated versus unmitigated risks and impact. This could be a spreadsheet like we see here, or a full-blown expensive GRC application that lists, tracks, and measures risks based on categories and severity, tracks what controls are in place to manage those risks, and to what extent the risk is managed to an appropriate level. These risk levels can be quantified or qualified, and I'll talk about those later. And you should have a policy that defines what that acceptable risk level is, and an exception process if the business chooses to accept that risk, and only the business can choose to accept it, not the IT people.

So when I say qualified, that means that there's an estimate of impact defined by the business leadership. They may say, it would be really bad if we lost this data, or on the other end it could be, eh, it'd be inconvenient but it wouldn't really impact the business if we lost that data. Oftentimes these are noted as an impact range from one to five, from least to most impactful. The term quantified refers to using a calculation to determine the percent of likelihood and impact, and based on business data, calculate the dollar value of that impact. It takes account of the value of the data, the maturity and comprehensiveness of security controls protecting that data, and other factors. Quantified risk would be something like: you have a 50% likelihood that that data will be compromised, which would be a 15 million dollar impact. And there are guidelines for developing and creating these models from the FAIR Institute and from the CIS risk assessment methodology; they have good details of how you would actually do and run these models. But no matter which approach, the goal is to prioritize protections and detections that would draw down the organization's risk, based on the threat or incident that would be most impactful.

If you don't already have a risk framework or don't know where to start, I listed ten questions to define basic governance in the blog post I mentioned earlier, and I'll put those questions in the description below, but I won't go through them now; that again will be a future video.

The final discussion around governance is about business leadership buy-in. The leadership must understand their role in IT governance. They can't just let the IT security leader define what's important to protect, what level of risk they're willing to accept, and what level of controls need to be implemented to meet that risk. Well, they may have a part in this last one. But this understanding of business leadership roles was critical to a successful security program, and this is that linkage that I mentioned before that I saw missing all the time when I was a virtual CISO. Business leaders are the ones responsible to keep the organization in business, so they make the risk decisions. It takes cooperation to understand the best way to link the IT security and the business risk. I have a video that talks about how to be more effective to get buy-in with senior leadership, and I'll put that thumbnail here; that talks about how to talk to leaders in their language, because we can't talk technical. And like I said, I'll put a link to that in the description below as well.

So that's it for now. I just wanted to give a quick overview of governance with some explanation of what it is and how it's implemented. Please feel free to ask me any questions in the comments below, and if you found this useful, please like and subscribe to catch my future videos. Have a great day.