
IS governance: involving business units in corporate security

Published on August 17, 2023

The management of cyber risks is now being taken to the highest level of the company, in the form of governance for information systems security (for example through a cyber risk management committee). Its role is to steer and organise information security while involving the business units. Stéphane Garreau, an expert in cybersecurity and information systems management, explains the concept of information security governance.


Cyber risk is currently considered to be one of the main risks threatening businesses, which are therefore putting in place specific measures designed to manage their information security policies more effectively. These measures are formalised within a specific governance structure. From an operational point of view, governance is led by the CISO, who is responsible for information security within the company, but it must also involve all of the company's business lines. What does governance actually involve? How can information systems security governance be put in place? What are the different responsibilities involved in information security governance? Let's take a closer look.

What is "information systems security governance"?

Managing information security policies

"Governance refers to all the organisational solutions that enable information security risks to be addressed and information security to be managed", explains Stéphane Garreau, cybersecurity and information systems management consultant and ORSYS trainer. It is generally one of the components of the information system security policy (PSSI).

In practical terms, implementing information security governance within an organisation involves:

  • Defining the role played by each person within the organisation, in particular that of the CISO.
  • Creating bodies (IT security committees, for example) or participating in existing ones.
  • Implementing a set of policies and procedures that describe how the organisation responds to cyber security risks.

Improving governance to reduce security risks

The primary objective of information security governance is to reduce risks. "This involves managing technical projects aimed at reducing security risks, implementing actions to improve processes and creating a culture of cybersecurity by raising awareness and training employees," explains Stéphane Garreau.

Poor governance is likely to lead to more incidents, such as cyber-attacks or data theft, with financial impacts, damage to the company's image and compliance problems. "There are close links between information security governance and overall risk management. Cyber risks have gradually taken on a very important role in risk management. In turn, risk management has provided a framework for cyber security management", adds the expert.

Addressing compliance issues

"Addressing the issue of information security governance also means addressing compliance issues," explains Stéphane Garreau. "Several regulatory frameworks include obligations in terms of cybersecurity", in particular the RGPD (GDPR, which requires measures to be taken to ensure the security of personal data) and the PCI DSS standard (relating to the hosting of banking data).

How do you set up information security governance?

Extending the question of governance to the "detection/response/continuity" triptych

"Defining and implementing information security governance involves a number of phases: analysis of the existing situation, risk assessment and formulation of proposals to improve the standards in place," explains Stéphane Garreau. Governance is formalised and set out in the PSSI and detailed operational procedures.

"Cybersecurity has changed fundamentally over the last 15 to 20 years, when it was essentially a matter of protecting against cyber attacks," notes the expert. "Today, information security governance still has a strong protection dimension, but it has been extended to include incident detection, response and business continuity. Processes, resources, contingency plans, remediation and communication systems are therefore developed and adjusted in line with this new triptych, as part of a continuous improvement process." Assessing the quality of governance involves measuring risk reduction (number of incidents, frequency, impact, quality of the organisation's response, etc.).

Relying on standards and benchmarks

From a methodological point of view, ISO standards are useful and widespread frameworks for implementing information security governance: ISO 27001, ISO 27014 (specific to IS governance) and ISO 27002 (widely known and used for IT security risk management).

In addition to ISO standards, many companies rely on tools from NIST (National Institute of Standards and Technology): Special Publication 800-53 and the Cybersecurity Framework.


Training in governance implementation

Although companies can improve or implement governance on their own, they run the risk of coming up against a lack of competent resources in these areas. How can effective information security management be put in place in a context where resources are in short supply? "External resources are themselves in great demand. Training your teams in risk management and compliance issues is a good response to the shortage of talent", advises Stéphane Garreau. Once trained, the teams can then support their company on the path to certification in information systems security.

IS governance: a shared responsibility between senior management, CISOs and users

Strategic responsibility, operational responsibility: finding the right balance

The governance of information security is increasingly handled at the level of general management. This level of responsibility means that priorities can be set and appropriate resources made available. "The best way to achieve this is to approach the issue of cyber security via business objectives and the impact of cyber risks on business continuity. Operational responsibility is always borne by the CISO, but under the ultimate responsibility of senior management," notes Stéphane Garreau. The CISO has a special role to play here. As the link between the operational teams and the non-technical teams, he or she takes on the role of communicator and educator, and has to translate a highly technical subject so that it is understood and assimilated by the various business lines.

And where does the CIO fit into all this? "He remains a key player in the whole process", replies Stéphane Garreau, who explains that the challenge is to "involve the business units in IT security, without distancing it too much from the technical staff".

Training and raising awareness among users to create a culture of cyber security

"Training users and making them aware of cyber risks (e-learning, phishing training campaigns, etc.) is also part of information security governance, and is a prerequisite for users to take on more responsibility," adds Stéphane Garreau. "Implementing information security governance also means ensuring that security is taken into account at all levels and in all the company's processes, as early as possible. This echoes the concept of security by design," adds the expert.

Information systems security governance is part of a risk management and reduction approach. Designed to effectively manage security policies, it also focuses on raising awareness among employees and involving all business lines in reducing cyber risks. Information systems security governance is based on standards and benchmarks, which must be mastered if they are to be properly implemented. Given the shortage of qualified cybersecurity professionals, training is one of the best options.

Our expert

Stéphane GARREAU

Cybersecurity

Engineer from École Centrale Paris and certified in information systems security (CISSP and CCSK), […]
