Light Dark
October 11, 2021 By George Platsis 4 min read
Incident Response
Risk Management
Security Services
Threat Hunting

From governance comes everything else. It would be reasonable if this journey in organizational resilience started with the governance theme. In fact, many important standards or cybersecurity frameworks begin with policy development. For example:

  • NIST SP 800-34: The first step in contingency planning is policy development.
  • NIST Cybersecurity Framework: Part of the first step, Identify, is the need to establish policies that outline roles and responsibilities.
  • ISO 22301 and ISO 27001: Right after understanding your organization, the next section is leadership and policy development.

Why is governance so important to a resilience program? Well, start with this question: what are two requirements for law to apply? Jurisdiction and enforcement. If you have jurisdiction, but no way to enforce it, you have a bunch of paper. If you have enforcement but no jurisdiction, you are running rogue.

A strong, well-thought-out and actionable governance program sets your organizational resilience efforts in line. It gives you boundaries and allows you to manage the program.

Therefore, time to go back to an old favorite from Sydney Finkelstein: why these three questions can solve any problem.

  1. Are you really willing to change what you have been doing?
  2. Can you think of a better strategy or idea than the status quo?
  3. Can you execute on your chosen solution?

Keep these questions in mind as we examine governance and policy development issues. And for all you chief information security officers out there, this is a good time to remember the importance of soft skills, budget impacts and knowing your business. Your success depends on it.

Governance Is Meant to be Difficult

Imagine for a moment you are the information security leader of a large enterprise that has been growing over time, both on its own and through mergers and acquisitions. Throughout this process —as business was on fire — something happened. Your information security management practices went off the rails. The entire process became too big to manage and every business unit was off doing its own thing.

If you are part of a large enterprise, does this scenario sound familiar? It likely does.

Why is that? Well, it comes down to resource management and risk appetite. Both of which likely have been neglected or have changed over time. However, the boundaries and means to manage — think jurisdiction and enforcement — have not.

This is why the first two steps of any cybersecurity organizational resilience roadmap are identifying resources and defining your risk posture and seeing that performing these two steps is not a one-time affair.  Quite the contrary. They are ongoing tasks that will inform your governance and policy update. For example, if you really want to go best practice, any major change in how your business works should trigger an automatic review of your resilience program’s governance and policies.

Centralized or Federated?

The two steps above help get you in the right frame of mind and find your own borders. For example, does your organizational resilience program bleed into your privacy program? It may, and that may not always be a bad thing. Rather, it is a matter of deciding what is right for your case, which is why governance, policy development and enforcement are difficult.

You have to ask yourself hard questions. For example, will you have a centralized resilience program? That means there is a dedicated team that runs the program and will be held accountable by the C-suite if something goes wrong. Or, will the program be federated? In this case, resilience personnel will be embedded within business units. Those units will be held accountable for resilience tasks.

Let us get one thing straight here: there is no right answer. Rather, there is only the right answer for you.

And that is why if you start going down the road of cookie-cutter governance and policy development without making adjustments for your case, everything else downstream — such as your business continuity, disaster recovery, crisis management and testing and training — will be muddy.

That is why, short of a major change in how your group works, your organizational resilience governance should be pretty rigid. These are your guiding principles, your North Star. Conversely, your resilience practices (BC, DR, CM, etc.) can change to adapt with the times.

Developing the Right Model for Your Organization

To get a good sense of whether your organizational resilience governance is in good shape, some self-assessment is required. Ask yourself these questions:

  1. Do you truly understand your risk posture?
  2. Are you able to stress test your program and systems, on a regular basis and often?
  3. Can your program and the systems that go with it meet today’s challenges and tomorrow’s?
  4. Are your teams serious about a resilience or cybersecurity-minded culture?
  5. Are the right resources in place for success?

Go back to the questions about solving any problem. Between these eight questions, you have everything you need to create your governance model. Why? Because, taken together, answers to these questions are the Rosetta Stone to understanding your organization. These questions help you go deep, clearing the muddy waters of who does what, how everybody is working, what is missing and what needs to be done.

Back to the example above: if you have business units with different incident response plans or resilience efforts spread across teams that do not interact with each other, you are walking into a tangled mess after an incident.

What Outcomes Should Governance Seek?

Imagine your organizational resilience program governed in the following way:

  1. The Policy: Gives you purpose, or the why.
  2. The Standard: Gives you context, or the what.
  3. The Procedure: Gives you direction, or the how.
  4. The Guideline: Gives you comfort, or gives you light when you fall into darkness.

With each step, you get more granular in detail, but the top needs to be sound. Otherwise, the entire program will come down crashing in on itself. That is why, within all of the components listed above, you must clearly identify who holds responsibility and accountability for all associated tasks. To tie back to the beginning, this is your jurisdiction and enforcement roadmap. And if you recall from the crisis management team, resilience is most certainly a team game. That’s why knowing your roles and boundaries are critical to success.

In closing, don’t be scared if governance looks like a daunting task. It is, and is often a root of your grief. If you get it totally off the mark, the downstream impacts can be terrible and you can be sure there will be a lot of finger-pointing. But there is a foolproof way to ensure your organizational resilience governance model, and related practices, are working. We’ll examine that in the next piece: testing and training.

 |  |  | 
George Platsis
Senior Director, Educator and Author

More from Incident Response
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

March 6, 2024

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature