19 December 2020

ITC: Managing Risk for Security Governance...

As information security and physical security converge, the effective management of Information Technology & Communications (ITC) depends on a resilient set of risk-management elements.

Think of it as “Security Governance”.

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reason. More importantly, security governance frameworks must ensure that the management of a business or government entity is held accountable for its performance.

The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A significant element now being mandated by Boards of Directors is the role of “Continuous Risk Management” in Security Governance.

ITC Security Governance, like Corporate Governance, requires the oversight of key individuals on the Board of Directors. In the public sector, the equivalent of the board may be a coalition of people from the Executive, Judicial or Legislative branches.

The fundamental responsibility of management, whether in government or the corporate enterprise, is to continuously protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management-system approach to continuous Security Governance, not just an annual audit.

If a corporation is to survive and prosper, it must take security risks. A nation is no different. However, when the management systems lack the correct controls to continuously monitor and audit enterprise security risk management, we expose precious assets to the threat actors that seek to undermine, damage or destroy our livelihood.

An organization’s top management must Identify, Assess, Decide, Implement, Audit and Supervise its strategic risks. There should be a strategic policy at the board level focused on managing risk for security governance.

The security governance policy should reflect the organization’s or nation’s commitment to its shareholders and citizens. It should foster a positive and trusting culture, capable of making certain that strategic adverse risks are identified and then removed, minimized, controlled or transferred.

An enterprise is also subject to a category of risk that cannot be foreseen with any degree of certainty. These risks arise from events that “might happen” but have not yet been considered by the organization. Stakeholders cannot expect to be told about these risks, because there is not enough information to validate or invalidate them.

However, what stakeholders can demand is a management system for continuous Security Governance that is comprehensive, proactive and relevant. Such a management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and the resources to sustain them.

It is this Security Governance management system with which we should all be concerned, and which we should expect our executives, board members and oversight committees to provide. A top-management strategic policy should focus on managing risk for continuous security governance.

This risk management system should establish the foundation for ensuring that all strategic risks are identified and effectively managed. The policy should reflect the characteristics of the organization, enterprise or entity: its location, assets and purpose. The policy should:

1. Include a framework for governance and objectives
2. Take into account the legal, regulatory and contractual obligations
3. Establish the context for maintenance of the management system
4. Establish the criteria against which risk will be evaluated and define how risk assessment will be carried out

A process should be established for risk assessment that takes into consideration:

  • Impact, should the risk event be realized
  • Exposure to the risk, on a spectrum from rare to continuous
  • Likelihood, given the current state of the management controls in place

The strategic security risks the organization encounters will be dynamic. The management system is the mechanism by which executives identify and assess these risks and set the strategy for dealing with them. It is this system that we are concerned with, and that we seek to provide in order to achieve Security Governance.

ITC Security Governance best practices are still evolving rapidly and draw on the thinking of various standards organizations, including OECD, BSI, NIST, ISSA, BSA, ITAA, ASIS and dozens of other bodies of influence and knowledge. However, no matter which best practices an organization attempts to standardize on, beware of the attitudes of its employees and stakeholders.

Unless these stakeholders fully understand what they are being asked to do and why, rather than simply following the rulebook, the system will fail.

The organization that embraces change and introduces a Security Governance framework that manages not only the foreseen human risks but also the unforeseen ones will have a greater chance of survival.

Culture plays a paramount role in managing risk for security governance, for two reasons in particular:

1. Any change in risk management may require a change in the culture
2. The current culture strongly influences current and future security initiatives

Internal controls can provide reasonable assurance that an organization will meet its intended goals. At the same time, it is people (human factors) who fail the company through material errors, losses, fraud and breaches of laws and regulations.

This is why the risks the organization faces are constantly changing, and therefore why a management system for continuous security governance is necessary. The management system is there to provide resilience against the risks it encounters and to control risk accordingly, rather than to eliminate it forever.

The board of directors will soon realize that managing risk for ITC Security Governance is just as important to the success and compliance of the organization as Section 404 of Sarbanes-Oxley, which requires management to assess and report on its internal controls over financial reporting.

In fact, without effective ITC Security Governance in place, none of the rules will matter, and after the next major technology failure or breach of personal data or intellectual property the stakeholders will once again be asking themselves: how could this happen to us?