When NIST released version 2.0 of its Cybersecurity Framework earlier this year, the shift in creating a separate “Govern” function symbolizes the need for us to prioritize what has been a gap for most security programs for a decade.
While the original version published in 2014 had elements of governance across multiple categories and subcategories, it did not focus on these key governance pieces. Why?
Well not having been a contributor to the framework, I can only provide my opinion as to why governance is often overlooked.
The Need for Governance in Cybersecurity
The goal of any security framework or regulation is to protect the confidentiality, integrity, and availability (the CIA Triad) of our data and systems. As security professionals and practitioners, we often look to technology as our first method to implement protections against the nefarious bad actors that lurk in every corner of the World Wide Web. Technology is shiny, fast, and often cheap (relatively speaking). The reason the moniker “People, Process, and Technology” is in that order is because it takes people to build the processes that can be complemented and automated by technology.
The cybersecurity skills gap is part of why the governance aspect of security programs can seem so insurmountable. Cybersecurity is a complex, team sport where the adversaries don’t play by the rules, rather it is their objective to break them. It takes a team comprised of tactical, strategic, and technical backgrounds to protect the CIA of an ecosystem – but there is not a “cyber draft” where we can choose the missing pieces, so technology has often (unsuccessfully) filled that gap.
Because governance has historically not been an area where technology could easily fill the gap in Team Security, and the limited talent pool, governance roles often go unfilled, leaving these programs and controls on the inevitable “to-do” list. I observed this during dozens of gap assessments and audits – the investment in technology was an “easier” answer because something had to be done. Unfortunately, that often leads to technical debt and failed governance issues, manifesting in any number of ways: audit failures, certification failures, and even breaches.
Another contributing factor in driving the need for governance to have its own function is regulation. Over the past decade, global regulations impacting both security and privacy have elevated the importance of governance as the methodology to demonstrate required security protections, and the NIST CSF standard is evolving to remain relevant with these changes.
The silver lining is that a well-executed governance program can help your organization’s security program be more efficient, avoid fines, and reduce cyber insurance premiums – all aspects that can be challenging to quantify.
Governance Is a Tool For Communicating With Leadership
When presenting to the Board of Directors, cybersecurity is often portrayed as a score or another metric that does not actually correlate to how secure an organization may be from threat actors. Communicating the value of governance is often best told from the reality of the day-to-day of the security team’s battles – use these stories and apply how having governance controls in place helped avoid costs (and potential impacts on shareholder value) of a reportable incident.
While your organization’s security program will likely never be considered a profit instead of a cost center, there are ways to show cost avoidance and business value.
For anyone who has had to declare an incident, that panic and sick-to-your-stomach feeling can be minimized if your security program has a strong governance foundation that is easy to execute. If you have practiced how to RESPOND in these critical moments through various tabletop or purple team exercises to have confidence that your Business Continuity & Disaster Recovery (BCDR) and Incident Response (IR) processes will work, that is governance.
While there will always be scenarios that we can’t completely plan for, controls such as Category Policy (GV.PO): “Organizational cybersecurity policy is established, communicated, and enforced” were meant to help organizations ensure they have the processes (that include people and technology) to accomplish their mission to secure the CIA.
The Difficulties of Implementing a Governance Program
Establishing a governance program is tedious and requires the inputs and approvals of multiple internal and external stakeholders and is constantly changing. Change management is such a large part of a governance program’s success or failure, and it is often “owned” by a separate team within the organization. So NIST 2.0 is no longer a “security or risk” framework, it is a Company success framework.
But how do you get the business to understand “what’s in it for them?” For publicly traded companies, the new SEC Requirements should be one way to help convince those naysayers of the need for a well-documented , and agreed upon security program. In the short term, these filings have been shown to impact shareholder value – which impacts everyone within the organization. The reputational risk and harm from an attack for even non-publicly traded companies should be top of mind and a key motivation to adopt a framework like NIST CSF 2.0 as the path to holistic data protection.
Where Do We Start?
NIST has rolled out this new update with lots of great tools and resources to make your organization successful in the NIST Resource Center. One of my favorite additions is the Organizational Profile Template, which is essentially a high-level Business Impact Analysis (BIA); this will become the foundation for your security governance program. Once completed, this profile can then be compared to your industry verticals’ “target profile” which is essentially your “gap analysis” to determine your roadmap for improvement.
Security program governance is complicated, but don’t let that stop you! The benefits of a well-planned governance program have many quantifiable aspects, but also those “unquantifiable” benefits that go beyond traditional ROI to inform your organization of the true “cost of security”. Think of how much better you will sleep at night knowing that your security team is supported by practiced processes that will help everyone perform optimally when that bad day happens, and all of the good ones in between.
As the Sr. Solutions Director, Customer Renewals & Growth at Deepwatch, Alisa works alongside our existing customers to devise solutions to reduce risk and cyber exposure by evaluating how to more effectively utilize Deepwatch’s service offerings. Alisa is a seasoned security, governance, risk, and compliance advisor with a proven track record as an innovative leader who enjoys working with customers to optimize their business goals.
Share