Cybersecurity

Creating a Resilient Cybersecurity Strategy, Part 1: The Governance Lifecycle Approach

Nick PuetzRay Zellmer
March 15, 2023
6 min read

This is part one of a three-part series about developing a cybersecurity governance lifecycle that:

  • Provides coverage while being balanced;
  • Effectively meets expectations and creates efficiency;
  • Assures all stakeholders they are protected.

This series explores the cybersecurity governance lifecycle in the context of enterprise governance and strategy to help reduce the confusion that can occur between governance functions within an organization. The next post in this series explores the roles of senior leaders and board members in cybersecurity governance. Part 3 reviews the role of the board in more detail.

Cybersecurity governance should do more than manage cyber risk. Good cybersecurity governance creates efficiencies by clarifying the outcomes expected from its processes and establishing boundaries of responsibility among cybersecurity practitioners, frontline operational areas, senior leaders and board members. Recently, numerous crises have drawn senior leaders and board members down into cybersecurity’s tactical concerns, which limits their ability to perform in their designated roles. This also impacts the cybersecurity organization’s ability to drive priorities to satisfy senior leaders and the board. Cybersecurity leaders can reverse this blurring of roles to every stakeholder’s benefit.

The cybersecurity governance lifecycle

A governance lifecycle for cybersecurity encompasses these fundamental components:

  • Drivers, ranging from internal business strategies to external regulations, which inform policy development.
  • Policies, which underpin the design of defenses: controls, processes and procedures.
  • Risk management efforts via which threats against high-value assets are identified and addressed.
  • Assurance mechanisms verify alignment between policies on the one hand and the effectiveness of defenses on the other.
  • A governance hierarchy to establish how the cybersecurity function will address findings, handle exceptions, grant approvals, provide transparency to stakeholders and oversee operations of the lifecycle so that the business is protected — while also free to pursue strategy unimpeded.

Lifecycles are iterative by definition, which suggests that one could begin at any point. The key is to establish all of these fundamental components and improve them over time. For instance, one organization might start with ideals about what their policies and procedures need to be, whereas another needs to verify that their controls align with – and provide coverage to address key risks.

In this respect, the lifecycle applies in top-down and bottom-up ways. One example of how this works is ransomware, which continues to change and to plague organizations — and to draw senior leaders and board members deep into the weeds of cybersecurity matters. Bottom-up, cybersecurity teams report on the organization’s exposure to ransomware, on likely impacts and on controls to mitigate ransomware risk. Top-down, senior leaders and directors specify their level of ransomware risk tolerance as a matter of policy.

Do the characteristics of the cybersecurity governance lifecycle just sound like good general governance attributes? They are. Principles of cybersecurity governance are easily extended to IT and enterprise governance as well.

Getting to effective governance

One indicator of effective governance is that participants are comfortable with their knowledge of what needs to be done. They know who owns the next action as new circumstances arise, and they’re confident that the function will manage risks collectively in accordance with leaders’ expectations.

The governance lifecycle is clearly broken when, for instance, the organization has all relevant policies in place but they’re still getting regulatory fines, or they’re continuing to experience risks that don’t align with leaders’ risk tolerance.

All components of the cybersecurity governance lifecycle should be in balance, and a good place to start is to understand expectations and requirements. In other words, drivers of the governance program. Drivers are expectations and requirements contributed by regulators, board members, senior leaders, competitors or third parties. The cybersecurity function builds defenses (policies, standards, procedures and controls) with its drivers in mind, then considers how the organization is managing its risks. In particular, they explore whether controls and defenses are effective in reducing exposure to threats and their cyber risk. They know this exploration is their opportunity to address gaps and strengthen defenses. The risks reduced, risks not addressed and the impact of threats to the organization are reported to senior leaders and the board to create visibility and understanding of impacts that negatively affect operations or strategic focus.

Well-executed, these steps form a cycle that results in balance: the business is not unduly bound by defenses, but is adequately protected. Appropriate cybersecurity defenses actually improve organizational efficiency, because participants understand the boundaries within which they must operate. Cybersecurity expectations are clear and once clear can often be automated and included in organizational practices and procedures. This creates efficiency for the organization.

Because the organization operates in the real world, crises will continue to arise, and cybersecurity leaders must respond. With a sound cybersecurity governance lifecycle in place, the enterprise is better positioned to ensure ample coverage and to balance cybersecurity controls with the pursuit of new strategies and opportunities.

How do I know that I have good governance?

Cybersecurity leaders can assess maturity against this governance model by asking, “How well-positioned is our cybersecurity function to address risks and threats?”

Leaders can also test how well the lifecycle operates on an ongoing basis. Assurance is a critical component of the cybersecurity governance lifecycle because practitioners, leaders and every other stakeholder need to know that the organization’s security practices are aligned with both policy hierarchy and internal and external drivers. Assurance is the foundation of security reporting, which documents and demonstrates the organization’s diligence in protecting stakeholders from undue risk.

Efficient operation of the cybersecurity governance lifecycle stems from a focus on drivers, risks and reporting whereby practitioners implement efficient, effective – even automated – ways to conduct cybersecurity activity. With well-run governance operations, the cybersecurity function trades up from responding to broken-lifecycle problems to focusing on continuous improvement and evolving to respond to new challenges. To arrive at this state, cybersecurity leaders will want to start with incremental change: learning, doing and testing in an agile way as they transform their organizations.

Finally, it’s essential that the cybersecurity governance lifecycle harmonizes with broader IT governance efforts, and enterprise governance. Governance exists to effectively manage risk in an organization. Disconnects between cybersecurity, IT and enterprise governance efforts will impede progress in achieving objectives in all three domains. The next post in this series will address approaches at the senior leadership and board levels to harmonize governance efforts.

To learn more about our cybersecurity solutions, contact us.

Nick Puetz

Managing Director
Security and Privacy

View all posts

Ray Zellmer

Director
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More