Security Think Tank: Security governance key to outcomes-based approach

Security is not only about people, process and technology – governance, risk and compliance are all levers on security. The greater the importance of security governance in the organisation, the more there will be a focus on outcomes.

Having a tick-box approach to security is not necessarily a bad thing; it at least demonstrates a structure to organisational security. However, a tick-box approach is certainly a significant contributor to the situation many organisations find themselves in today: myriad security products purchased to address specific identified issues.

Some of these products have not even been deployed, instead becoming shelf-ware, maybe because there are insufficient staff with the necessary skills and expertise to implement and support, or perhaps because the purchase box was ticked with no follow-up on deployment.

Everyone now knows security is important. But the view still persists among non-security professionals that it is all about the technology; individuals (as workers and consumers) don’t always practise secure behaviour.

This is often a function of security being approached as a tick-box exercise – have we delivered General Data Protection Regulation training? Are we changing our Wi-Fi password every month? Are we displaying a new security tip on our intranet every few days?

However, as security has risen to a board-level issue, executives are more savvy about security and want evidenced business outcomes from the ever-increasing investments being made. Are our defences doing a good job of protecting the organisation? Ovum’s security spend statistics show that security spend accounts for more than 8.5% of overall average ICT spend.

Linking spend to business outcomes and moving from a tick-box approach requires an organisation-wide security governance program. This program directs the organisation’s approach to security, with the objective of coordinating the security activities of the enterprise to achieve business outcomes. The approach to security governance should be developed directly from the organisation’s overall governance program.

The first step in building a security governance program is to assess the organisation’s risk appetite and security posture. This will lead into the creation of the organisation’s security policy, which in turn will directly influence security operations. This is not only about the technology used to prevent, detect, and respond to security incidents and breaches, but also includes the security controls deployed around people and process.

Security governance is used by the organisation’s leadership to set out the kind of security risks they are prepared for staff to take. Some security governance programs are strict and rigid – often because the organisation operates in a highly regulated environment. Other programs are looser, giving individuals some latitude in the security decisions they take.

Assessing the success or otherwise of an outcomes-based approach to security – beyond the obvious “has there been a compromise of the organisation’s information or systems?” – requires a security assurance program.

The objective of a security assurance program is to ensure that the organisation’s security controls are effective and in line with risk appetite and security posture. Security controls are a combination of people, process, and technology, overseen by a combination of security governance, risk, and compliance.

The security assurance program frequently tests the organisation’s ability to prevent, detect, and respond to security incidents and breaches. Recommendations for the components of such a program vary, but should include identity management, access management, security incident management, vulnerability management, IT risk management, data management, and new project management.

This program will be closely aligned with the organisation’s approach to security governance, ensuring that the security decisions that individuals and groups are taking fit with the enterprise’s security posture.

Security governance and assurance are not an overnight fix to move from a tick-box approach to outcome-based security. However, they should be an objective in the organisation’s short- to medium-term plan.