Cyber risk management is now handled at the highest level of the company, in the form of information systems security governance. Its role: to manage and organize information security while involving the business units. Stéphane Garreau, an expert in cybersecurity and information systems management, explains the concept of information security governance.
Cyber risk is currently considered one of the main risks threatening companies, which are therefore implementing specific measures to manage their information security policies more effectively. These measures are formalized within a dedicated governance structure. Led operationally by the CISO, who is responsible for information security within the company, governance must nevertheless involve all of the company's business units. What does it actually consist of? How is information systems security governance implemented? Who carries which responsibilities? Let's look at this in detail.
What does “information systems security governance” consist of?
Manage information security policies
“Governance refers to all organizational solutions that make it possible to address information security risks and manage information security,” explains Stéphane Garreau, consultant in cybersecurity and information systems management and trainer at ORSYS. It generally constitutes one of the sections of the information systems security policy (PSSI, from the French acronym).
Concretely, implementing information security governance within an organization consists of:
- Defining the role played by each party within the organization, in particular that of the CISO.
- Setting up bodies (IT security committees, for example) or participating in existing ones.
- Establishing a set of policies and procedures that describe how the organization responds to cybersecurity risks.
Improve governance to reduce security risks
The primary objective of information security governance is to reduce risks. “This involves managing technical projects aimed at reducing security risks, implementing process improvement actions and creating a cybersecurity culture through employee awareness and training actions” , details Stéphane Garreau.
Poor governance is likely to lead to more incidents (cyberattacks, data theft), with financial impacts, damage to the company's image and even compliance problems. “There are strong links between information security governance and overall risk management. Cyber risks have gradually taken a very important place in risk management. For its part, this provided a framework for managing cybersecurity,” adds the expert.
Address compliance questions
“Addressing the issue of information security governance also allows compliance issues to be addressed,” explains Stéphane Garreau. “Several regulatory frameworks include cybersecurity obligations,” including the GDPR (which requires appropriate technical and organizational measures to ensure the security of personal data) and PCI DSS (the Payment Card Industry Data Security Standard, which applies to organizations that store, process or transmit payment card data).
How to implement information security governance?
Broaden the question of governance to the “detection/response/continuity” triptych
“Defining and implementing information security governance is carried out through different phases: analysis of the existing situation, risk assessment and formulation of proposals intended to improve the standards in place,” explains Stéphane Garreau. Governance is formalized in the PSSI and in detailed operational procedures.
“Cybersecurity has fundamentally evolved over the past 15 to 20 years, when it essentially consisted of protecting against cyberattacks,” notes the expert. “Today, information security governance still has a strong protection dimension, but it has expanded to include incident detection, response and business continuity. Processes, resources, remediation and communication plans are therefore developed and adjusted with regard to this new triptych, in a process of continuous improvement. Evaluating the quality of governance involves measuring risk reduction (number of incidents, frequency, impacts, quality of the organization's response, etc.).”
Rely on standards and benchmarks
From a methodological point of view, the ISO standards constitute useful and widely used frameworks for implementing information security governance: ISO/IEC 27001 (requirements for an information security management system), ISO/IEC 27014 (specific to the governance of information security) and ISO/IEC 27002 (the well-known catalogue of information security controls that supports a 27001 implementation; information security risk management itself is covered by ISO/IEC 27005).
Beyond the ISO standards, many companies rely on publications from NIST (the US National Institute of Standards and Technology): Special Publication 800-53, a catalogue of security and privacy controls, and the Cybersecurity Framework (CSF).
Train your teams to implement governance
Although companies can certainly improve or implement governance on their own, they risk running into a lack of competent resources on these subjects. How can effective information security management be implemented when resources are lacking? “External resources are themselves in high demand. Training your teams in risk management and compliance issues represents a good response to the talent shortage,” advises Stéphane Garreau. Once trained, the teams can then support their company toward information systems security certification (ISO/IEC 27001, for example).
IS governance: a shared responsibility between general management, the CISO and users
Strategic responsibility, operational responsibility: a balance to find
Information security governance is increasingly being brought to the senior management level. Sponsorship at this level makes it possible to obtain prioritization and adequate resources. “The best way to achieve this is to approach the issue of cybersecurity through business objectives and the impact of cyber risks on business continuity. Operational responsibility is always carried by the CISO, but under the ultimate responsibility of his general management,” notes Stéphane Garreau. The CISO plays a special role here. As the link between operational teams and non-technical teams, he takes on the role of communicator and teacher, and must translate a very technical subject so that it is understood and taken on board by the different business units.
What about the CIO in all this? “He remains a fundamental interlocutor in this entire process,” replies Stéphane Garreau, who explains that the whole challenge consists of “involving the business units in IT security, without distancing it too much from the technicians”.
Train and educate users to create a culture of cybersecurity
“Training users, making them aware of cyber risks (e-learning and phishing simulation campaigns, for example) and reminding them of good practices is also part of information security governance and is a precondition for making users more accountable,” adds Stéphane Garreau. “Establishing information security governance also means ensuring that security is taken into account at all levels and in all company processes, as early as possible. This echoes the concept of security by design,” adds the expert.
Information systems security governance is part of a risk management and risk reduction approach. Intended to manage security policies effectively, it also focuses on raising employee awareness and involving all business units in order to reduce cyber risks. Establishing information systems security governance relies on standards and frameworks that must be mastered to be implemented properly. Faced with the shortage of qualified cybersecurity professionals, training represents one of the best options.