Security governance: an asset in countering cyberthreats
No company is safe from a cyberattack or IT disaster that could jeopardize its operations. To protect themselves, many businesses are turning toward preventive and protective tools, tactics and strategies. “While these tools are useful, much of their effectiveness can be lost if they are not part of an overall vision for the entire organization,” noted Sylvain Viau, President of International Innovations and Services (IIS), which works with national and international clients.
A retired Canadian Armed Forces Lieutenant-Colonel, Viau regularly meets with executives anxious to better protect their businesses, and helps them set up security governance to meet their specific needs.
Governance refers to a set of factors that influence the decision-making process. In business, the expression refers primarily to the power dynamics between a company’s administrators and its executive leaders. This use of the term “governance” reflects one crucial reality: the drive to safeguard a company's activities and assets must start at the top, and then influence the behaviour of every employee.
In fact, the behaviour of the people within the company is the first of five key aspects of security governance: people, processes, technology, infrastructure, and partnerships.
First and foremost, an organization’s security depends on its leaders and employees.
With regard to leaders, “senior leaders must be accountable for security, as it is the corporation’s responsibility,” Sylvain Viau explained. “Today, a company’s administrators and/or owners should be concerned about the challenges surrounding security.”
His expert recommendation is that organizations follow the example set by a growing number of corporations by creating a position on their executive team that focuses on security – such as Chief Security Officer. “It’s the best way to gain an accurate overview and ensure guidelines are applied across the entire organization,” Viau said.
If the company’s size or activities don’t warrant creating such a position, Viau suggests conferring security responsibilities to the Chief Financial Officer rather than the Head of IT.
With regard to employees, supervision can be broken down into three distinct periods.
- Prior to hire, a background check must instill confidence in an employee’s integrity.
- While employed, the company should monitor employee activity to detect accidental or malicious behaviour that could cause security risks.
- After an employee leaves the company, the company should revoke all access privileges and ensure no confidential data has been taken. It can also conduct a review and tweak its internal security practices if required.
A lack of coordination and collaboration between internal teams is a major hindrance to the everyday effectiveness of corporate security measures. Éric, a former security advisor for an IT firm (whose name has been changed for confidentiality purposes), has seen this firsthand.
“Each department had its own cybersecurity practices, which were not coordinated throughout the organization,” he stated. “This disparity could have exposed the company to certain threats. Had an incident occurred, the company would undoubtedly have taken longer to react.”
Security governance can transform this risk into a self-defence mechanism, turning each employee into a security guard for the company. To do so, the organization must provide staff with education and training on security guidelines.
Processes refers to all security practices which good governance defines and implements within an organization. In a way, these processes represent the essence of governance itself.
“At a high level, the very first process to put in place is…. establishing security governance!” Sylvain Viau noted.
The scope and rigour of these processes can vary based on the type of business and its business environment. For example, a bank is required to follow more stringent security processes than a small retailer.
Once determined, these processes allow performance indicators to be defined. By following these indicators, the organization can validate whether its employees and partners are properly applying its security processes.
Within a security governance framework, technology is a tool made available to people for the purpose of applying processes. “The company must use technological tools to cover the security functions it considers important,” Sylvain Viau explained.
He lists no fewer than 66 distinct functions, citing authentication of access to infrastructures, management of users’ access to networks and data, and managing changes to security parameters as three examples of security functions which could be performed by such tools.
This may include the physical infrastructure as well as public services which support the company and contribute to its overall security: buildings, public works, power and water supply, police and firefighting services, accessible telecommunication networks, available hosting services, and more.
These infrastructures form a significant component of the environment in which a company operates, and partially dictate the contents of its security governance.
“If existing infrastructures cannot ensure adequate security levels, some organizations will insist on hosting all the data they use on their own servers, and creating private network connections between company branches,” Sylvain Viau noted.
Consultants, service providers, sister companies, and other partners may have access to some organizational data and applications. Some may even be able to make changes; for example, a marketing agency may be asked to manage client and prospect lists on the company’s behalf. “What security rules does this supplier apply when handling data?” Viau asked. “Every partner must report to the company, so it can understand what data has been manipulated and whether this data has been involved in any security incidents.”
People, processes, technology, infrastructure, and partnerships: five elements which a company’s security governance must take into account. “Think of governance like a chocolate cake,” Sylvain Viau suggested. “By mixing the right ingredients in the correct proportions and following the proper sequence, a baker can create the cake he wants.” Similarly, security governance consistently and proactively assembles all components that enable a company to effectively protect itself.
Read the next article in our "Security, a corporate challenge" series: Classification: the first step in securing your data