When we speak to business leaders about their cybersecurity status, they often say, “My IT people are handling that!” Our response is, “How do you know?”
How do you know that everyone involved understands your security expectations and their role in your security program? We refer to this aspect of cybersecurity as organizational alignment.
Alignment means that everyone understands the security needs of the organization and in what ways they, individually, are responsible for helping to meet those needs.
Alignment starts with senior leadership defining security goals for the organization and communicating those goals to everyone with a role in security, including workforce, vendors, and customers.
You need your organization to be in alignment across three principles of security:
• Governance
• Risk Management
• Compliance
Part 1: Governance
Governance is the process by which senior leadership sets goals for security activities through policy statements and monitors performance to ensure that security activities are effectively achieving those goals.
Effective governance requires that there be someone in the organization who is officially responsible for the security of the organization, that the person responsible for security has a voice within senior leadership, and that senior leadership has visibility into the performance and results of security activities.
For instance, many organizations designate a Chief Information Security Officer (CISO), who is responsible for the security of the organization, is a member of the senior leadership group, and who periodically reports to senior leadership on the status and results of the organization’s security program.
Part 2: Risk Management
Risk is a measure of the potential negative impact to the organization of an event or series of events. For example, if a system is hit by a ransomware attack, which business functions are disrupted? Is sensitive information belonging to others, whether individuals or other organizations, at risk of being breached? Is there a negative impact to the organization’s reputation?
To help identify and manage technology risk, senior leadership needs to understand:
• What are the organization’s technology assets (systems and information) and why is each important to the organization?
• What are the relevant risks or threats to each asset?
• What are the potential negative impacts from the loss or compromise of each asset?
• What is currently being done to protect each asset from relevant threats?
• Are there external requirements to protect certain assets?
The answers to these questions will vary from one organization to the next. Senior leaders should use this information to design and prioritize security policies and activities to manage their technology risk more effectively.
Part 3: Compliance
Compliance is about verifying that security activities are being performed consistently and within expectations. Compliance means not only adhering to internal policies but also satisfying any relevant external requirements, since an organization may be subject to specific industry standards (e.g., the Payment Card Industry Data Security Standard) or regulatory obligations (e.g., HIPAA).
Monitoring processes and controls provide the visibility to senior leaders that security activities comply with organizational and external expectations and are effective in protecting the organization.
So, the next time someone asks “How do you know?” that your organization is secure, remember: cybersecurity starts at the top, and alignment, governance, risk management and compliance are how you can be sure.
Editor’s note: Sara Christie is a security customer relationship manager with Mainstream Technologies. The opinions expressed are those of the author.