Security Think Tank: Embedding security in governance
How can security professionals help their organisations move from traditional governance, risk and compliance to integrated risk management that integrates risk activities from across an organisation to enable better strategic decision-making?
The adoption of technology has exposed the modern organisation to opportunities and risks. Many have experienced the contrast presented by technology; the opportunities on one side and the risk of the connected world on the other.
These opportunities and risks may impact organisations in diverse ways. Some may have operational impacts, while others may have strategic impacts. Good governance requires that opportunities and risks having a profound impact on organisations be monitored and the required actions be taken.
Embracing the opportunities may require setting up the enablers, including organisational structures, technology capabilities, building human capital and supporting the change. Addressing the risks requires the implementation of appropriate security controls, tools and processes that mitigate the risks.
Since the connected world enabled by technology presents organisations with risks and opportunities, appropriate security measures play a key role. Addressing risks and providing adequate protection enables organisations to leverage technology. Security, therefore, plays the role of an enabler in organisational strategy.
Governance can be explained based on the outcomes expected of it. Compliance and ethical behaviour, risk management, resource management, efficient achievement of the objectives and value creation are some of the key outcomes of good governance.
Security can contribute to some of the aspects, while it may not be able to contribute in some of the others. Prioritisation of objectives, ethics and interpretation of compliance requirements are areas related to governance where security has a limited role. Aspects relevant to governance such as risk management, resource management, as well as integration of assurance are dimensions where security can play a meaningful role.
Anticipate opportunities and threats
An important expectation from governance is the ability to gaze into the future. It is important that organisations be able to anticipate the opportunities, threats, risks and trigger actions that address them. Security plays a key role in visualising whether the strategy adequately addresses the risks. Security tools and technique are valuable not only in the present but also in the future. As an example, let us consider a pen test exercise conducted at a defined frequency by an organisation.
This exercise identifies the risks and as an outcome provides opportunities to take corrective actions. The corrective actions are very useful in managing the risks. The pen test exercise is likely to be viewed as an operational activity. While this is indeed true, there is more to it; pen tests have value even for governance.
When the exercise is repeated at intervals, a series of the results are available. The series has value that is greater than a collection of individual results. The trends and data analytics provide a measure of the maturity of an organisation with respect to security. This insight enables a measured view on the robustness and maturity of the organisation’s security. Better insights imply better predictability, lower uncertainty and a higher level of confidence in arriving at decisions.
“Since the connected world enabled by technology presents organisations with risks and opportunities, appropriate security measures play a key role”
Sandeep Godbole, ISACA
Data analytics, artificial intelligence and machine learning provide access to a wider set of data sources, while computing power enabled by cloud technology has contributed to the advancement of security tools and platforms. The ability to gather information from diverse sources, internal as well as external, has contributed to integration as well as better decision-making. While too much data can overwhelm decision-making, we are witnessing technologies that are also able to navigate this complexity and help decision-makers.
Technology to the rescue
Let us consider a routine vulnerability assessment process. The output of the process may identify an extensive list of vulnerabilities. While prioritising vulnerabilities from the list may be daunting, modern technology can come to the rescue.
Using data analytics and algorithms, artificial intelligence (AI) and machine learning, actions that require greater and immediate attention can be prioritised. The ability to consult a wide range of data sources can provide better decisions. Better decisions related to risk management ultimately provide for better governance. The security tools that deploy approaches such as machine learning and big data analytics thus provide for much better solutions.
The availability of platforms that provide visibility across multiple areas and the IT estate within an organisation helps to set up an efficient and integrated monitoring and security alerting environment. Security information and event management (SIEM) platforms have provided a unifying technology solution for security monitoring for more than a decade. Platforms like these have evolved over the years, making them comprehensive and efficient. Many SIEM tools now support user behaviour analytics that identify disruptive behaviour or actions in a timely manner.
The solution greatly helps in presenting a unified view of security across different assets and different security controls. This helps to reduce the response time to many of the risks and threats identified by the platforms. Automation, integration and analytics provides real-time, actionable inputs. While this does not replace the traditional audits, it does strengthen governance by timely identification of risks.
Security tools can support and strengthen governance. A mature view of the strengths and limitations of the security tools and techniques is essential. It is important that security professionals, as well as senior management, appreciate the role that security processes and tools can play in the risk management process. The ability to provide security inputs in real time, and processes that can act on the inputs, can add excellent value to the governance process.
Integration of the security information provides for a comprehensive view on the internal and external environments. Efficiency, faster response time and an integrated view to security risks are the primary benefits of security tools and processes. Integrating them as part of governance programmes can greatly contribute to better governance.
Read more about integrated security and risk management
Eoin Keary looks at focusing on metrics to manage risk.
