Though I've been approaching this issue from a sector-specific perspective
for years, lots of what's been in the news lately (and I mean lately) is intended for all technology-enabled sectors. Which pretty much means every business and every organization that intends to maintain consistent and reliable operations in the near and mid-term future.
First off, and with origins that predated the Target breach that's credited with generating most of this activity, was DOE's Energy Advisory Committee giving thumbs up in May to a paper on this topic on Security Governance. It proposes that DOE pursue potential upgrades to how energy companies organize and run themselves from a security perspective. Titled:
EAC Recommendations for DOE Action Regarding Implementing Effective Enterprise Security Governance - Outline for Energy Sector Executives and Boards, among other things, this paper lists the following "Characteristics of Effective Security Governance":
- Clearly defined responsibilities from the board of directors to senior leadership to employees
- Presence of an active Security Governance board comprised of senior stakeholders from across
- the company
- An executive owner of enterprise security: with purview over IT, OT and physical security policy designated CSO or similar
- Striving for 100% alignment with of security with business/mission
- Using measurement of key indicators to increase awareness and drive improvement (with
- maturity tools like DOE's ES-C2M2)
Then there's this from Reuters in May:
Exclusive: U.S. companies seek cyber experts for top jobs, board seats, which emphasizes the concept of getting the security chief out of IT:
While a CISO typically reports to a company's chief information officer (CIO), some of the hiring discussions now involve giving them a direct line to the chief executive and the board, consultants and executives said. After high-profile data breaches such as last year's attack on U.S. retailer Target Corp, there is now an expectation that CISOs understand not just technology but also a company's business and risk management.
The Securities and Exchange (SEC) commissioner recently added his voice as well. In
SEC Commissioner Calls on Corporate Boards to Address Cybersecurity, Commissioner Luis Aguilar expresses his hope for governance improvements this way: “One would expect that corporate boards and senior management universally would be proactively taking steps to confront these cyber-risks.”
Then, from the International Association of Privacy Professionals online journal, there was
Cybersecurity in the Boardroom: The New Reality for Directors, which included a list of recommendations, some of which have particular relevance for security governance and culture:
- Develop a high-level understanding of cyber-risks facing the company through briefings from senior management and others
- Ensure that the company has at least one committee that is responsible for overseeing and understanding cybersecurity issues, controls and procedures
- Facilitate a culture that views cybersecurity as a business issue that all employees should understand and participate in. As part of that, companies should consider employee training and awareness programs
- Include a cyber-expert on the company’s board of directors or receive regulator reports from a cybersecurity expert that are discussed at board meetings
So, as you can see, what once felt like a voice in the wilderness is now becoming a chorus. Or you could say a trickle is becoming a deluge. No matter the metaphor, will a little help from the Federal Government, and a lot more from The Real World, enterprise security governance is beginning to get the attention it deserves.
Image credit: Peter Skelton
