
Cyber Governance: Why Now?

The Cyber Governance Network was born out of an observation that in today’s ever-changing risk landscape, our adversaries are continually upgrading their tools, tactics, and procedures to create opportunities to compromise businesses globally. In response, the cyber security industry has countered with tools, tactics, and procedures of our own; however, in many cases those solutions have been tactical and limited in scope.

I don’t necessarily blame industry for this condition; as cyber security leaders we are continually looking for ways to improve our ability to protect our organizations, and it is easy to align specific budget requirements against specific risks. But how do we know that we are managing all of our risks, or at least the risks that have the highest likelihood of occurring? Cyber Governance has not played second fiddle; however, many leaders believe that they will figure it out along the way, or that they have leveraged a formula in the past to illustrate oversight to their leadership, regulators, and/or clients.

For the most part, that formula has worked. And yet, for the most part, that formula has failed. Why has it failed? That might be a topic for another day. Cyber security professionals in the past were able to illustrate that reports were sent to the board, that a meeting occurred, that risks were logged in a risk register, and that an oversight activity was implemented, but were Cyber Governance outcomes achieved?

What then, is governance?

So if we’re able to illustrate governance by pointing to reports, metrics, risk assessments, audits, risk registers, committees, and events, then what is the problem? I think the problem is that nobody can clearly define Cyber Governance, so I went out to the internet to see what the experts say:

the act or process of governing or overseeing the control and direction of something (such as a country or an organization) Source: Merriam-Webster.

Generally, I’m not a fan of using the word, or a derivation of that word, to define it. That being said, we can observe “overseeing the control and direction of something”, which for me is very vague. How about:

Cybersecurity governance is a comprehensive cybersecurity strategy that integrates with organizational operations and prevents the interruption of activities due to cyber threats or attacks. Features of cybersecurity governance include: Accountability frameworks; Decision-making hierarchies; Defined risks related to business objectives; Mitigation plans and strategies; and, Oversight processes and procedures. Source: CISA.gov

In my opinion, this is getting closer to defining what Cyber Governance should be. There are good concepts here like “decision-making” and “accountability”; however, strategy and frameworks are nouns, and for my money, I prefer to define Cyber Governance with actions (verbs) and outcomes. Let’s try one more time:

Security governance is a process for overseeing the cybersecurity teams who are responsible for mitigating business risks. Security governance leaders make the decisions that allow risks to be prioritized so that security efforts are focused on business priorities rather than their own. They also govern the interplay of mitigating identified business risks, addressing internal and external threats, and dealing with compliance. Source: Gartner

While this is not an endorsement, I do love me some Gartner. I don’t think that we’ve quite hit the nail on its head with this explanation, as we’ve used the words “oversee” and “compliance”. That being said, I’m definitely a fan of “find what’s best and ditch the rest”, and that’s what I think we have to do with these (and other) examples.

Cyber Governance Defined

I am sure that as I continue this journey with you this definition will change; however, in my mind, here is how I choose to define Cyber Governance:

Cyber Governance is a group of technologies, activities, and choices that achieve the following outcomes:
– Provide real-time telemetry regarding cyber security control coverage/effectiveness and the usage of organizational assets (data/applications/resources).
– Align security controls and asset usage to specific business risks and enable the organization to identify existing/evolving risk exposure and wargame what-if scenarios.
– Make informed decisions both at the tactical day-to-day operational level, during emergent scenarios, and at enterprise strategic planning events.
Source: Cybergovernance.net

Epilogue

Cyber Governance is not just a discipline, or a skill…it is a journey, and today we formally began exploring this topic. I invite you on this journey and want to expand the conversation to our community. What did you learn? What do you think? Share, Comment, Like Below!


One comment

1. Congrats Jason on the launch of your Blog!! Good to start with a definition of Cyber Governance, something I am working to address at my new organization. Good luck and best wishes on your continued success.
