Is all the current fuss about governance making our lives easier or better? Can we really expect new regulations to force businesses to become as secure as we think they should be?
I'm skeptical about the utility of government processes that are created to save business from itself; however, whether it's regulations like Sarbanes-Oxley or standards like COBIT and ISO 17799, the governance movement, driven by both internal initiatives and government mandates, has encouraged--if not forced--security to align itself with business philosophy, operations and objectives. Security is finally becoming part of a unified framework that shares goals, methods and vocabulary with the rest of the enterprise. Governance improves security's ability to communicate and expands the opportunity for sharing lessons learned. This is good for us and good for business.
From the security pro's perspective, this unified corporate framework promulgates two primary agendas: risk management and transparency.
Infosecurity has always been a risk management function, but security practitioners have generally approached it in their own, somewhat ad hoc, way. The unified model, built upon business needs, is process-oriented: it methodically identifies all assets, determines the significance of each risk and specifies the required level of ongoing monitoring or reassessment. Realistically, though, IT audit and security, even working together, lack the bandwidth for this level of attention; hence the concept of self-assessments by business groups.
Enabling information owners to self-assess risk puts the responsibility with the people who know the business requirements and risks best, and raises user consciousness about security. Well-managed self-assessments are repeatable processes that improve with each pass as they raise the organization's security posture. To realize that improvement, though, the results must be shared internally and, ideally, externally. This leads to the need for transparency.
Transparency ensures that the people responsible for the assets and business processes at risk have the information they need to anticipate, prepare for and respond to threats. The idea of sharing security information may sound counterintuitive, but infosecurity has relied on a similar concept for more than a century. Kerckhoffs's principle, which holds that the strength of a cryptographic implementation should rest on the secrecy of the key and not on algorithmic obscurity, has been substantiated many times over when weaknesses in secret encryption schemes are discovered. Shining the light of security governance into every nook and cranny of the organization significantly reduces the chances of nasty surprises. In a unified approach to risk, transparency fosters stability.
A typical example of a governance technique that brings together these concepts is the risk register, which is simply a ranked list of potential exposures within a particular business unit or risk category. Risk registers provide a control and oversight agenda, and, over time, improve an organization's ability to anticipate unwanted outcomes and mitigate exposure.
Each particular company and agency will choose its own control path, using its own mix of techniques. But under the governance umbrella, the various internal units within each organization, particularly those that are heavily regulated, will follow parallel paths. The security practitioners in these organizations are finding themselves named corporate risk managers, and that doesn't seem like such a bad risk.