Cyber Security Governance

Introduction

The New Zealand Government recently published the series “Charting Your Course: Cyber Security Governance”. We have reviewed the publications and comment on each of the six recommended steps below.

While an organisation can never be 100% secure from cyber-attacks and incidents, the creation of a cyber-resilient organisation is a practical and achievable goal. Cyber resilience is a concept that incorporates not only the identification, detection and prevention of cyber incidents but includes and emphasises the importance of response and recovery.

Cybersecurity governance is a key mechanism through which an organisation can achieve cyber resiliency.

What is Cybersecurity Governance?

Governance is essentially a group of activities that support effective cybersecurity decision-making processes. Good cybersecurity governance aims to maximise the benefits of operating in today’s digital economy.

A cybersecurity governance programme should deliver:

  • A clear cybersecurity vision to guide all decision making across the business
  • Well defined cybersecurity roles and responsibilities for the business
  • The incorporation of cybersecurity into a holistic risk management process so that the business better understands cybersecurity threats
  • Cybersecurity resource allocation and oversight
  • A system for measuring and reporting compliance and continuous improvement

The governance function sits with the highest levels of an organisation such as the board, senior executives, or owners. They are accountable for improving cybersecurity governance within the business and ensuring the right investment is made.

The National Cyber Security Centre (NCSC) has recently published information guides that outline six key steps that businesses can focus on to improve their cybersecurity governance. The steps include:

  1. Building a Cybersecurity Culture:
    The creation of a board-driven culture of awareness and accountability and the development of a cybersecurity strategy that promotes positive change by linking a business’s key vision with cybersecurity goals.

  2. Establishing Roles and Responsibilities:
    Defining the roles required to achieve cyber resiliency and at what level in the organisation they reside in. Additionally, ensuring these duties are realistic and expectations are well communicated.

  3. Holistic Risk Management:
    Utilising a framework to effectively identify, analyse and manage cybersecurity risks in a holistic manner, aligned with any existing risk management methodologies. 

  4. Organisational Collaboration:
    Establishing buy-in and support from the wider organisation.

  5. Creating a Cybersecurity Programme
    Establishing a measurable cybersecurity programme that drives initiatives.

  6. Measuring Cybersecurity Resilience
    Measuring and reporting on current maturity and improvements made in cyber resiliency to ensure current strategies are effective.

Step 1 – Building a Cybersecurity Culture

What does a culture of Cyber Resilience look and feel like?

In a strongly cyber resilient culture, every individual in the business:

  • Feels supported for making decisions that protect the confidentiality, integrity and availability of information systems
  • Is aware of the importance of cyber resiliency to support the business mission
  • Feels accountable and responsible for ensuring that cyber resiliency is embedded in daily activities.

Creating and embedding a cybersecurity culture starts from the top down, which is why it needs to be a primary focus in any governance programme. Where a senior team recognises that technology is critical to its strategy or mission, then cybersecurity should be a recurring item on the board’s agenda. The team firstly requires a good awareness of cybersecurity. Rather than portraying cybersecurity as overly technical; business language should be used. Reporting information such as emerging risks, near misses and actual cyber incidents in familiar language will lead to stronger situational awareness and support timely and effective decision-making.

Creating a Cyber Security Strategy

Strategy should embed cybersecurity into the broader business objectives and ensure resources (people, processes and technology) are aligned. “A strategy should allow for and recognize key business objectives and provide guidance on how they can be achieved securely.” – Charting Your Course, NCSC.

Every business has a unique operating environment that influences their approach to cybersecurity. The strategy must take these features into account, for example:

  • Does your organisation have high regulatory or compliance objectives?
  • Does your organisation rely on third parties or business partners?
  • Is the potential for internal threats significant for your business?

Creating Policies and Standards

Policies and standards provide further guidance on cyber resiliency, addressing a variety of areas such as privacy, acceptable use, data governance, remote working, and BYOD.

Policies should lead the way rather than dictate a path as they are only as effective as the teams’ willingness to embrace them.

To create effective policies, take into consideration the following: 

  • Use a tone that represents the culture that is unique to your business; for example, your business culture may pride itself on being Professional, Fun, Creative, or “Down to Earth” in nature
  • Ensure they are not long or overly complicated
  • Consider defining technical policies further using standards
  • Ensure policies are reviewed annually for currency and business suitability.

Industry frameworks such as the Centre for Internet Security (CIS) Critical Security Controls, ISO27001, and the New Zealand Information Security Manual (NZISM) can help guide the creation of policies and standards.

Step 2 – Establishing Roles and Responsibilities

The second step to achieving effective cyber governance and building a cyber-resilient business is the definition of cybersecurity roles and responsibilities. A company must first clearly define these roles and secondly determine who is best suited to perform them. Many organisations in New Zealand operate with small teams where individuals are required to “wear many hats”, and consequently the cybersecurity responsibilities often fall either on a single individual or even slip between the gaps. Key roles and responsibilities that assist in embedding cyber governance within an organisation are outlined below.

Board of Directors

The board of directors has ultimate accountability for corporate governance. They must provide the strategic cybersecurity direction and communicate the cybersecurity principles. In addition to setting the direction, the board should:

  • Assist with prioritisation
  • Highlight key risks
  • Identify critical business assets
  • Assess the effectiveness of the cybersecurity strategy by:
    • Reviewing audits and cybersecurity tests
    • Reviewing metrics
    • Reviewing cybersecurity incidents and near misses

These accountabilities cannot be delegated and must be performed by members of the board.

Executive Management Team

Executive management is responsible for:

  • Realising the implementation of the cybersecurity strategy
  • Supplying resources to deliver the strategy
  • Approving policies and standards
  • Measuring the effectiveness of the cybersecurity programme

Many New Zealand businesses will not have this formal layer of management in place; however, these responsibilities must still be assigned, and a clear mandate given to undertake them. Where possible the accountabilities of the board member roles should remain separate from the duties of this layer.

Chief Information Security Officer (CISO)

The CISO is responsible for cybersecurity requirements at the executive level; however, they are also accountable for representing cybersecurity in the organisation. The role of the CISO, which was once very technical in nature, has changed significantly in recent years to become one focused on business risk management. According to Gartner, top-performing CISO’s demonstrate behaviours such as high levels of proactiveness, successful stress management and significant cross-functional relationship building.  A CISO cannot “own” every aspect of security in an organisation and must work closely with all cross-functional management teams to be successful.

A CISO should drive continuous improvement in cybersecurity by:

  • Developing cybersecurity policies and standards
  • Developing cybersecurity strategy, architecture and a risk management process
  • Managing the cybersecurity budget
  • Implementing cybersecurity awareness and training programmes
  • Proactively maintaining the confidentiality, integrity and availability of all information assets
  • Supplying guidance on best practice, including infrastructure configuration and application development
  • Assessing the cybersecurity implications to the business of the adoption of new technologies or services
  • Providing guidance on the potential consequences and impacts of cybersecurity threats
  • Acting as the point of contact for cybersecurity

Once again, many New Zealand business may not have a dedicated CISO role. The role title itself is not as important as delegating the responsibilities and ensuring there is a direct link between the individual performing these and the executive leadership.

Information Security Manager (ISM)

This role focuses on operational management and delivery of cybersecurity within the business. The responsibilities of the ISM are ideally separated from the role of the CISO. This allows the CISO to focus on governance and the ISM on delivery.

Typical responsibilities for an ISM include:

  • Managing the response to cybersecurity incidents
  • Developing and maintaining cybersecurity procedures
  • Guiding the business on cyber security risks introduced from change
  • Managing cybersecurity platform lifecycles, including design, deployment, ongoing operation, and decommissioning
  • Managing the availability, capacity and performance of cybersecurity hardware and applications

Defining cybersecurity roles via RASCI

A RASCI model helps to define who should do what when it comes to cybersecurity in your business. It highlights those Responsible ( the role assigned to undertake a task),  Accountable (the role that ultimately approves activity), Supporting (the roles that provide support), Consulted (the roles that must be formally consulted) and Informed (the roles that must be kept informed).

For example:

ActivityResponsibleAccountableSupportingConsultedInformed
Builds board and executive-level awareness of cybersecurity risks and threats to the organisationCISOExecutive managementISMOther business unitsBoard of directors
Manages cybersecurity risk escalations and their approvals.ISMCISO  Executive management

A further example of a cybersecurity role and responsibility RASCI model can be found here.

When completing a RASCI model, some vital things to look out for include:

  • Do you have more than one role Accountable? – This may lead to confusion on decision rights.
  • Do you have no Accountable role assigned? – Every task must have a “buck stops here” individual.
  • Do you have too many roles or alternately no roles Responsible? – This can lead to no one getting it done or “too many cooks in the kitchen” for effectiveness.

Ultimately by clearly defining the cybersecurity roles and responsibilities in an organisation and communicating these widely, cyber governance is embedded structurally and you a one step closer to building a cyber-resilient business.

Step 3 – Holistic Risk Management

What is Holistic Risk Management?

The term “holistic” is often referred to when talking about risk management. It is used to highlight the importance of both understanding the interrelationships between individual risks and using a coordinated approach involving all functions of a business to manage risk. Cybersecurity supports the resilience of many interrelated business processes. Cyber risks, therefore, should be considered at a holistic level where the business process interdependencies are visible. Employing holistic risk management is essentially an exercise in “big picture” thinking.

Risk Management

Effectively identifying, evaluating and managing cybersecurity risks requires establishing a formal risk management framework. Formal frameworks lift awareness of risk within the business and support the achievement of strategic goals. Any cybersecurity risk management framework adopted, however, should be firmly aligned with current risk management processes. For example, if the business already uses a risk framework for Health and Safety, aligning the cyber risk framework to this will deliver a method of framing risk that is already familiar to the business.

McKinsey’s Global Board Survey suggests that risk management is still a low-priority topic at board meetings and found that only 36% of boards address cybersecurity risk. The risks around cyberattack and data breach, however, are growing as more businesses undertake digital transformation and organisations need to plan how they will manage these growing risks.  Firstly, a risk management framework should clearly articulate the organisation’s risk appetite and tolerance. The board should set this direction as it provides key guidance around how risk will be managed within the business. Once the risk appetite is defined, the risks can then be managed within acceptable tolerance levels.

Managing Cyber Security Risk

Managing cybersecurity risk requires preparation and planning. A business must understand what their critical business assets are and once these assets are identified, assess the impact on the business should the Confidentiality, Integrity or Availability of any of these assets be compromised.

Using established standards for risk management such as NIST SP 800-30r1 or ISO 31000:2018 will allow risk management processes to produce repeatable and consistent outcomes. These standards also provide a sound structure for evaluating threats, vulnerabilities, and potential impacts within a business’s unique operating context. Standards can also guide a business on how best to respond to risk.

Risk Assessment

Performing risk assessment involves several steps, including identifying scope, critical assets, threats, and vulnerabilities. A cybersecurity risk exists where a business asset has a vulnerability, and a threat exists that may exploit this. Where a threat exists with no vulnerability or a vulnerability exists with no current threat to exploit this, the risk is lower.

The scope of any business risk assessment should be determined to avoid the exercise becoming unwieldy. This involves identifying which assets, people, processes, and technology are to be included in an assessment. Both tangible assets, such as an e-commerce platform and intangible assets such as business reputation should be considered for inclusion. Setting a clear scope will ensure the risk assessment exercise is achievable and delivers a timely outcome.

Identifying the business’s key assets and maintaining not only a list of physical assets, but also a database of IT systems that process, store and transport critical data, can help identify possible points of compromise. Awareness of where critical data is located can enable a much clearer view of systems that may be vulnerable and require enhanced protection. 

A risk assessment also requires an awareness of current and emerging threats that may impact the business. Staying abreast of these can be achieved by subscribing to threat alerts such as those published by CERT, NCSC and our Incident Response Solutions YouTube channel or by consulting experts in the industry. Your specific assets and environment will determine which threats and vulnerabilities are most relevant to your business. Threat reports that concentrate on your particular industry may provide insights into which threats are most likely to impact your business.

Developing a risk taxonomy is one method of ensuring that threats and risks are consistently described and classified in your business. A taxonomy clearly and comprehensively describes threats and risks and should reflect the risk appetite defined by the board. A taxonomy of threats would include internal and external threat actors, environmental, structural, adversarial and accidental threats.

Risk Evaluation Methods

Evaluating risk typically involves qualitative and or quantitative analysis. Most methods determine the level of likelihood that a risk will occur, and the level of potential business impact should the risk occur. Business impact is often expressed either in operational, financial, reputational, or legal terms.

Quantitative methods require data to calculate the annualised loss expectancy (ALE) or Value at Risk (VAR). These methods are often favoured as they provide concrete figures; however, it can be challenging if the data required to calculate them is not available. Qualitative methods, in contrast, are more subjective, but if defined measures of likelihood and impact are used in the assessment, they will still provide meaningful insights.

Risk Ownership

Identified risks require clear ownership. The risk owner is responsible for the ongoing management and reporting of the risk and should ideally:

  • Belong to the area of the business most relevant to the risk
  • Have the knowledge to evaluate the potential impact
  • Have the ability and resources to respond to the risk appropriately

Risk evaluation and response should be undertaken by following standard processes which ensure that any identified risk that sits outside of the defined risk tolerance levels is managed consistently.

Risk Response and Reporting

All risks should be recorded in a risk register and managed according to the business risk appetite; however, most responses involve one or a combination of the following:

  • Risk Acceptance: the risk owner may accept the risk as within the business tolerance levels
  • Risk Avoidance: activities that give rise to the risk may be avoided altogether by the business
  • Risk Reduction: controls may be applied to reduce the risk to an  acceptable level
  • Risk Transfer: the risk is transferred to a third party (often through Insurance) to mitigate the impact of it occurring.

Risk metrics and dashboards can raise awareness and effectively communicate risk levels throughout the business. Clear measurement of risk will support effective decision-making and drive prioritisation of resources in any cybersecurity programme.

Holistic risk management should be embedded within a business and is a core facet of developing good cyber governance. Effective risk management ultimately contributes to building a strongly cyber-resilient organisation.

Step 4 – Organisational Collaboration

The fourth step to improving cybersecurity governance within an organisation involves strong collaboration. Described by the NCSC as imperative for translating a cybersecurity strategy and vision into action, collaboration can start by forming a cross-functional cybersecurity steering committee and working group.

Cyber Security Steering Committee

The main aim of a cybersecurity steering committee is to agree on and align the cybersecurity risks, priorities, initiatives and resources with the business objectives.  It should therefore consist of representatives from all areas of the business who can make decisions on resources to prioritise and direct cybersecurity activity.

A periodic meeting should be scheduled for the committee to discuss any cybersecurity issues that may impact the business. Regular meetings will assist with aligning the cybersecurity strategy and the overall business objectives and may also allow cybersecurity knowledge and awareness to grow within the organisation. The greater cybersecurity awareness that critical decision-makers have, the more likely it is they will support initiatives to address cybersecurity risk.

In smaller businesses, it may be prudent to allocate the steering committee roles to an existing cross-functional group who already meet regularly. The cybersecurity agenda would be held as a separate discussion, however, as it requires its own meeting time and attention. Cybersecurity steering committee responsibilities include:

  • Regularly reviewing the cybersecurity strategy to ensure it aligns to business objectives
  • Gaining or providing wider business support for the cybersecurity strategy
  • Identifying and discussing new and emerging cybersecurity risks
  • Identifying and discussing new and emerging cybersecurity practices or compliance issues
  • Ensuring the cybersecurity initiatives support the key business operations
  • Providing feedback on the effectiveness of the cybersecurity initiatives
  • Highlighting organisational changes and gaps where cybersecurity focus may be needed
  • Ensuring adequate resourcing and funding is provided to the cybersecurity programme to manage cybersecurity risk
  • Leading by example and demonstrating the desired cybersecurity culture

A standard meeting agenda can be created from the points outlined above to ensure all issues are adequately raised and discussed regularly, and the key aims of the committee are met. Ultimately a steering committee adds value by clearing obstacles from the pathway to success for the cybersecurity working group.

Cyber Security Working Group

The cybersecurity working group is a hands-on team at an operational level. The working group would meet more frequently than the steering committee and rather than focusing on prioritising strategies their role is to oversee the implementation of cybersecurity activities. This group should have representation from line management, operational and delivery teams. Cybersecurity working group responsibilities include:

  • Delivering the cybersecurity outcomes agreed as priorities by the steering committee
  • Being familiar with activities underway to create, improve or maintain cybersecurity controls
  • Reviewing cybersecurity risks raised by the business
  • Reviewing cybersecurity  incident reports and near-misses
  • Reviewing cybersecurity testing including business continuity testing, disaster recovery testing, penetration testing and incident response testing.

Step 5 – Creating a Cybersecurity Programme

As described by the NCSC, the goal of a cyber security programme is to ensure that any investment in cyber security provides the best possible improvement in cyber resilience, as defined by the strategy.

On 18 December 2020, the New Zealand Institute of Directors (IoD) published “The top five issues for directors in 2021”. In its report, the IoD emphasise that while digital infrastructures allowed many organisations to keep operating under challenging conditions this year, they also posed more cyber risk than ever. With an increased reliance on cloud based technologies and working from home, the risk of data privacy breaches, fraud and cyber-attacks has increased. The IoD proposes Boards need to adopt a cyber resilience approach, which means being prepared for a cyber-attack, being able to keep a business operating, and able to quickly respond to and recover from an attack. In particular, they suggest Boards need to:

  • manage the risks strategically
  • use a recognised cyber security framework
  • ensure a strong cyber security culture
  • consider how their organisations might work together with their partners and supply chains.

Accordingly, anticipate an increased focus on cyber security in 2021. While the updated Privacy Act has received widespread coverage, other New Zealand regulatory examples include:

  • the Reserve Bank’s draft guidance on what regulated entities should consider when managing cyber resilience; and
  • the FMA’s report on Cyber Resilience which notes that an organisation’s governance arrangements must include board and/or senior management ownership and visibility of the cyber-resilience framework.

Cyber Security Programme
A dedicated security programme should be aligned to your cyber security strategy and address the risks identified in the business. While your programme will depend on the size of your organisation and its current cyber maturity, at a minimum it should reference your architecture, roadmap and controls framework. Delivery may be achieved using resources from either in-house, external or a combination.

Cyber Security Architecture
A cyber security architecture is the foundation for your cyber security programme, from which your delivery and operational teams will be clearly guided to carry out their functions in order to meet the security requirements. At minimum, a cyber security architecture should comprise clear principles and guidance on areas such as building secure IT systems and software, investing in security solutions and services, managing the risk of cloud services, partnering with third parties, or securely deploying systems and code.

Cyber Security Roadmap
A cyber security roadmap prioritises the objectives and goals defined in the cyber security strategy or programme, clearly specifying what, when, who, and how the initiatives will be delivered.

Controls Framework
A cyber framework identifies and links controls to the outcomes they are intended to achieve. The NCSC suggests the NIST Cybersecurity Framework (NIST CSF), which groups all controls into ‘Identify, Protect, Detect, Respond and Recover’ categories. The NIST CSF and other frameworks are mapped to a range of cyber control sets, such as the CIS Controls. Refer to the below section “Cyber Security Controls”, which is the first in a series of 20.

Step 6 – Measuring Cybersecurity Resilience

Accurately measuring and reporting on your cybersecurity programme is important for several reasons. It demonstrates evidence of a return on investment, provides confidence that the cyber activities being undertaken are effective and also establishes whether the business is cyber resilient.

Measuring your cybersecurity programme

Firstly, all of the controls included in a cybersecurity programme should be clearly aligned to a cybersecurity framework. As mentioned last month, The NIST Cybersecurity Framework is a widely recommended example of a comprehensive framework based on existing standards, guidelines, and practices for organisations to better manage and reduce cybersecurity risk. A good starting place for defining specific controls to include in a cybersecurity programme is the Center for Internet Security Controls. The CIS controls align closely with the NIST framework to ensure a cohesive improvement programme can be implemented.

The second step is to ensure each control can be reliably measured and reported on.  For example, the control may be to “use the latest operating system versions” and it will be measured by reviewing “the number of systems upgraded”. Controls can be evaluated using various methods such as self-assessment, penetration testing, security audits, tabletop exercises, and independent reviews. Often a combination of internal and external methods is necessary to provide confidence that the controls are adequate. However, regardless of the assurance methods used, all should strive to reference the same overall framework.

Metrics are commonly used to track the effectiveness of the cybersecurity programme. For example, an organisation might choose to define a specific time period within which all operating systems must be upgraded. It is crucial to make metrics Specific, Measurable, Achievable, Relevant and Time-bound (SMART) to consistently report on progress against these. Therefore, the example metric above could be better defined as “All work-issued employee laptops to be upgraded to Windows OS Version 20H2 by 31 January 2021”. Measuring and reporting on this metric could help a business stay within the acceptable risk tolerance levels agreed upon in the strategy.

Developing metrics that are relevant to the organisation should ideally be undertaken in the early stages of any cyber resilience effort. If these are agreed on upfront, they will act as a consistent measurement method across the organisation and highlight where investment in the programme is successful. Good metrics will also indicate where changes in strategy, investment levels, risk tolerance levels or resourcing need to be made.

Reporting on your cybersecurity programme

Reporting to key stakeholders and the wider business on the effectiveness of the cybersecurity controls selected for your organisation should be a routine task. This is made much simpler if SMART metrics are in place. Accountability for this reporting should be defined upfront as part of establishing the overall roles and responsibilities in your cybersecurity programme.

Some control assessment methods provide reporting data such as internal and external audit reports. Internal operational teams will also often produce regular reports that detail cyber incident and event details, risk identification, and near misses.

Ideally, all of these various data sources are summarised and presented as a consolidated cybersecurity dashboard that portrays information such as:

  • The current overall level of the cyber threat to the organisation
  • Any changes to the internal and external threat landscape
  • Operational cybersecurity metrics and performance against these
  • Current risk status based on control effectiveness against current threats
  • Current and planned cybersecurity activities

Presenting this view to the wider organisation will drive greater awareness of cyber risk and support for the cyber resilience initiatives underway. It also grants a wider audience the opportunity to validate or challenge the cybersecurity risk decisions being made. Comprehensively defined measurement, metrics and reporting will ultimately lead to a more robust and relevant cybersecurity programme and greater overall cyber resilience.