Cyber Security Governance

S V Rajaganapathy

CRO

Cyber Security governance involves:

  • Information Security Strategic Planning.
  • Information Security Roadmap Development.
  • Information Security Resource Planning
  • Establishment of Information Security Policies, Standards, Processes and Procedures.
  • Information Security Training, Education and Awareness.

Importance of the Framework to an Organization

Cyber threats are penetrating organizations from every corner. Whether it is the endpoints used by employees, the tools and applications used to manage IT infrastructure or business operations, or the interconnectivity between components spread across cloud landscapes, there are risks everywhere. The majority of these risk factors relate to the people who operate, manage or simply use the organization's services or assets. This makes a well-defined cyber security framework essential in every organization, and most enterprises are making serious efforts to establish one for their IT and business ecosystem.

This increased focus on cyber security can mainly be attributed to the technological transformation we are going through with the emergence of Cloud Computing, Analytics, Mobile and Social (CAMS) as a mainstream focus. It is also creating a pressing need for some formal guidance and well-defined regulations, which can help organizations drive their cyber security defense programs more effectively.

The Cyber Security Framework

A cyber security framework contains a whole set of management tools, a comprehensive risk management approach and, more importantly, a security awareness program covering everyone in the organization from top to bottom. In other words, every organization needs a complete cyber security governance framework to address its entire cyber security posture; the components of that framework are therefore crucial for long-term success.

These components are:

  • Organizational structure
  • Work Culture
  • Security Awareness Programs
  • Cyber Security Governance.

Each of these aspects works with the others to cover gaps in security. While focusing on one specific area of need can make a difference, the most effective initiatives will use all four of these components to protect the enterprise.

Organizational Structure

How the organization is structured, and how that drives security-related initiatives, plays an important role in defining and shaping its security posture. A well-defined security and compliance chain of management within the organizational structure is one of the key components of this framework. It not only ensures the management is better suited to contribute to security issues but also shows how focused the organization is on the cause.

Work Culture

What is the work culture inside the organization? This includes how teams look at information security and how they respond to organizational changes, which are arriving at a fast pace. Both are vital to the formation of a cyber security culture. Traditional ways of working, and of interacting with stakeholders inside and outside the organization, need to be adjusted to the changing landscape.

Security Awareness

If employees don’t know what is right and what is wrong when it comes to security, then the chances of their falling into undesirable traps are much higher. Besides the traditional approach of setting up security compliance-related policies, organizations need to objectively focus on awareness and education programs. Businesses need to have a policy to demonstrate their commitment to, and the seriousness of, making their workforce aware of the ecosystem in which they operate.

Cyber Security Governance

Governance plays an extremely important role in achieving the security objectives of the organization, not only for current needs but also to ensure well-drafted mitigation plans for future challenges. To address current issues, the governance framework covers improvements to security policies; the implementation of technical controls; audits and assessments; and driving awareness among people to shape their attitude toward secure behavior. For future challenges, the governance framework must continually focus on emerging threat factors, fast-moving changes in the technological landscape, people's views and behavior and, perhaps most importantly, the work culture transformations being pushed by CAMS.

Implementing a Cyber Security Framework

a. Cyber Security Strategy

The cyber security strategy should be based on a risk assessment and should address the key cyber security domains: people, process, technology and compliance.

b. Risk Management

Cyber security risk assessments are the starting point for a cyber security strategy.

c. Enterprise and Security Architecture

Deploy enterprise architecture frameworks to design banks' IT and security infrastructures so that they are aligned with, and support, their business architecture.

d. Identifying and classifying risks

A cyber security governance framework contains a set of management tools, a comprehensive risk management approach and, more importantly, an organization-wide security awareness program. This framework should weave into your organization’s key systems and processes from end to end.

Identifying and classifying risks in a cyber-risk register will help you recognize potential risks, determine the costs for those risks, and provide answers to what you can do to help prevent them before they happen.

With the risk register in hand, begin by assessing the tactical plans developed by senior management and determine a suitable budget for cyber security.

An important consideration when determining budget allocation is the return on investment; not all assets are worthy of the same level of funding, just as some risks are more urgent than others. The protection of your critical assets should receive more weight in the proposed budget.

The critical assets may include any or all of the following:

  • Hardware / software
  • Customer data such as financial records, user credentials, email addresses, etc.
  • Sensitive contracts with customers, suppliers, distributors, partners, etc.
  • Employee log-in credentials
  • Business strategies / plans
  • New products or services in development
  • Lists of customers, employees or contractors

e. Security Audit and Intrusion Testing

Cyber security services include auditing for the existence and effectiveness of cyber security controls. These audits are usually carried out against audit frameworks.

f. Regulation and Certification Controls

Regulatory compliance is a key aspect of effective cyber governance. Regulators are paying more attention to cyber breaches, and fines are increasingly onerous. Reputational damage from regulatory breaches can also be significant.

g. Recovery & Continuity Plans

Cyber resilience is a crucial underlying cyber security philosophy. Sooner or later any cyber defense will be breached. Organizations need to develop cyber resilience: a continuum of tested processes that enable the organization to respond appropriately to incidents of all sizes, including those which escalate and threaten the survival of the organization itself.

h. Cyber Security Skills

Cyber security is an increasingly complex area. Organizations need either to employ staff who already have adequate skills and knowledge or, recognizing that there is a global shortage of such skills, to ensure that their security staff acquire and maintain appropriate skills.

IT/Cyber Risk Management

What is Cyber Risk?

'Cyber risk' means any risk of financial loss, disruption or damage to the reputation of an organization arising from some form of failure of its information technology systems.

While cyber security risks evolve and regulatory requirements continue to expand, the approach organizations employ to manage them has not kept pace. The traditional information security model, one that is based on controls and compliance, is perimeter-oriented, and aims to secure the back office, does not address today's cyber realities.

Organizations should know where their current information security programs fall short of leading industry frameworks such as ISO 27001:2022 and the NIST Cyber Security Framework. Truly effective cyber security requires that organizations are able to capably and quickly identify, mitigate and manage cyber risks.

In addition, asset managers should identify cyber business risks by thoroughly scanning and analyzing all known and relevant risk factors, including those that are unlikely to occur. These risks provide the starting point for establishing an effective cyber risk management framework.