GRC: Be connected!: about information security governance

In information security, a key role is played by the Chief Information Security Officer (CISO). Filip De Wolf, Director of Approach Belgium, paints an in-depth picture of the many and diverse skills this person has to master. So many and diverse, that finding them all in one person would be as rare as spotting a white raven. Starting from the Wikipedia definition, De Wolf describes the CISO as a senior level executive, his success dependent on the culture and governance in the company. Reporting to the CEO often results in getting things done faster! And do manage expectations.

The required skills are executive in nature (business acumen, identify the crown jewels), policy related (policies must be realistic, understandable and in line with legal), and risk management expertise. Furthermore, people management and communication soft skills are crucial. Including being stress resistant, and willing to call your CxO anytime, even at 2am if needed (and without fear of being kicked out). And even more skills (project and change management, etc. etc.). Too many skills? His advice: start an office of the CISO, bringing together these skills. And do get people – including top management – involved through tests and exercises (without actually organizing an attack on your own company, of course).

In ‘A perspective on security & risk governance’, Karine Goris, Head of Digital Security, IT Risk & DRP at Belfius, proposes a ‘four steps’ approach to define a security governance that works in your company. Every step concludes with a ‘checklist’.

It starts with the absolute necessity of ‘know your business’. Security must understand the context of the business (strategy, operations, assets) and the risks involved, including the real risk appetite (as this determines your mandate). Do keep abreast with changing business models and related attacks.

Next you outline a framework, mapping the business risks on information security principles. Express this in your company’s ‘mission, vision and values’, followed by an information security policy, and a charter. Make sure that all of this is understandable, validated by the board and visible throughout the company.

Having set the scene, the third step relates to defining the information security process. Do your risk assessment and bring everything together as input in your processing. This processing requires technology-based controls, but also people and process controls! And this processing must show itself as being effective and efficient, through output for assurance dashboards. This allows for corrective measures.

Step four provides a reflection moment, as a step-up to continuous improvement. That is, you start all over again.

The third presentation had Prof. Georges Ataya, Solvay Brussels School of Economics & Management, explaining how COBIT performs exquisitely as a ‘digital governance framework for information security activities’. As an express train, Prof. Ataya expounded in an introductory COBIT course how this ‘mother of all frameworks’ can bring value to information security. With value creation through benefits optimization, risk optimization and resources optimization. Following a general overview, he discusses how stakeholder drivers and needs cascade down to governance and management objectives (e.g. risk optimization). He ties in how the ‘plan, build, run, monitor’ approach and the seven governance components are applicable for each governance and management objective.

Furthermore, Prof. Ataya points out that introductory documents on COBIT are available for free (PDF format): ‘COBIT 2019 Framework: Governance and Management Objectives’ and ‘COBIT 2019 Framework: Introduction and Methodology’.