The other week I had the good fortune to speak on a webinar about IT risk management, and specifically how compliance and security teams should take more of a risk-focused approach to cybersecurity, rather than a compliance-focused approach.
I’d like to unpack some of that today, because the challenges within a risk-focused approach are becoming more relevant, to more organizations, with every passing day.
Our big point was that cybersecurity threats now evolve so quickly, and are so interwoven into daily business operations, that a business can no longer define cybersecurity as “keep the bad guys out” and then call it a day. Nor can you focus solely on meeting the demands of privacy and security regulations, because you’d be so mired in the administrative minutiae of compliance that you might miss emerging or strategic risks — and that’s the stuff the board actually worries about, if we’re being honest.
To meet the moment, businesses need to reframe cybersecurity as a matter of IT governance. That is, you need to consider the organization’s mission-critical business processes, how technology supports those processes, and the biggest risks to your use of that technology. Then structure your cybersecurity procedures and controls to thwart those biggest risks, so the mission-critical processes can continue without disruption.
For an example of what I mean, look at the tale of the water department for Oldsmar, Fla. On Feb. 5, attackers exploited remote-access software the department was using to gain unauthorized access to its control center. The attacker then increased the amount of lye flowing through Oldsmar water pipes from 100 parts per million (a perfectly safe level, used to clean pipes) to 11,100 ppm — a poisonous amount, for a community of 15,000 people.
The good news is that an employee was watching the water department’s control system at the time, and saw the levels changing in front of his eyes; the employee immediately lowered the levels back down, and the public was never in any danger.
What alarms me, however, is that the water department had met its compliance obligations. It had performed a federally mandated cybersecurity risk assessment three months earlier, and was in the midst of implementing some improvements. But cybersecurity compliance standards are much more lax for water districts than, say, the electrical grid — so attackers still had an opening, which they tried to exploit.
Risk Management vs. Compliance
The issue today is that cybersecurity risks are evolving faster than compliance standards can keep pace. So as burdensome as privacy and security regulations can be, CISOs and IT risk managers do have bigger fish to fry. They need to approach cybersecurity thinking about how to manage their IT assets — the apps, the data, the devices, the networks; the whole shebang — so those assets can keep supporting the company’s business processes, no matter what risk comes along.
After all, that’s how the board, senior executives, and operating units in the First Line of Defense view the matter. They define business objectives, and they want to know that the company’s technology and IT assets can support the company’s pursuit of those objectives.
Put more plainly: when someone on the board or in business operations utters “cybersecurity,” he or she doesn’t interpret the word to mean “to be in compliance with applicable privacy and security regulations.” The person interprets it to mean “our IT stuff works and other people can’t somehow use it to muck up our operations.” CISOs, compliance officers, and IT risk managers need to meet the rest of the enterprise on that ground.
Does that still include compliance issues? Sure, because “other people using it to muck up our business” can include regulators and civil litigants hauling you into court over a privacy breach. To avoid that predicament, “our IT stuff works” should implicitly include “according to applicable regulations.”
But let’s not kid ourselves: the primary risk to your enterprise is the technology failing in a way that hamstrings your business objectives. That’s what worries the board. That’s what the board wants to hear about when the CISO briefs it on cybersecurity. So let’s rephrase our main point today as a series of questions:
- What are the organization’s mission-critical business processes?
- How does technology support those processes?
- What are the biggest risks to employees’ use of that technology?
- How do your cybersecurity procedures and controls work to thwart those biggest risks, so the mission-critical processes can continue without disruption?
That’s how cybersecurity and IT governance are, in the modern business world, essentially the same thing.
Who’s in Charge of This?
Back to the webinar last week. One of the listeners asked an excellent question: If IT governance is so important for cybersecurity and business objectives, to whom should the head of IT governance report?
Let’s even go one step further: Who should the head of IT governance actually be?
I would argue that in today’s world, the head of IT governance should be the CISO. If IT governance and information security are the same thing, they should be managed by the same person. (Discomforting statistic: according to a survey released last month, only 29 percent of CISOs oversee IT risk.)
Look at the situation as follows. Twenty years ago, a corporation’s most important IT assets were a bunch of rack servers stored in an IT closet at the end of the hall. You could run Ethernet cables to fixed employee workstations, and “security” meant maintaining a firewall to keep other parties away from those servers.
Today, most companies use cloud-based vendors to store and process their data. Employees and third parties access that data over whatever wi-fi network they can find, using software apps also provided over the cloud, with computing devices they might own themselves, while working at home or lord knows where.
So what’s the true IT asset in that picture? It’s not the rack server, since your company no longer owns one. It’s not even the employee’s tablet or phone, because who cares if those things get stolen? The company can reimburse the worker for, like, $400.
What matters is your ability to govern access to the data. That’s the IT asset: your ability to keep others from using that stolen iPad, or stolen access credentials. The asset is your collection of policies and procedures to evaluate relationships, study data usage patterns, raise alarms about suspicious behavior, provision or de-provision user access, and so forth.
That’s IT governance in the modern world. It also sounds a lot to me like IT security, because all I’ve talked about for the last five paragraphs is securing the data.
So when we talk about cybersecurity, we’re really talking about the need to manage IT risks in the modern world. And when we talk about those risks, it’s clear that strong IT governance is what gets them resolved to the board’s satisfaction.
Something to think about as you prepare that next report to the board.