Redefining Security Governance for the Modern Era
This is the second article in a series focused on how CISOs, CEOs, BODs and security teams can navigate the new security governance reality
John Morello | January 8, 2024
Security governance has existed for decades as a subset of technology governance and compliance. However, security governance has remained a slow-moving, static, and reactive practice. The old ways of thinking about governance and approaching the practice are no longer sufficient and cannot keep up with modern requirements.
A raft of new disclosure rules and privacy laws mandate that CISOs have real-time insights into cybersecurity practices and processes. Understanding when, where, and how a breach or infiltration occurred within a few days of discovery is now table stakes. As discussed in our previous article, failure to do this can result in both corporate and personal liability for CISOs.
Old Security Governance: Static, Slow, Manual
For decades, security governance lived inside general IT governance processes and moved at a similar pace:
- Reviews were semi-annual or annual
- Processes were often survey or examination-based
- Conducted annually or semi-annually alongside traditional compliance processes
- Governance policies were used to inform and configure policy engines and other technology controls
However, policies were complex to update and rarely changed. This made sense in the older “Defend The Castle” era of IT security. At the time, assets and activity inside the walls were trusted and less scrutinized, employees used fewer and more tightly controlled systems, and physical boundaries separated enterprise assets from the outside world.
Now, most CISOs recognize this dated approach to security is no longer viable. APIs punching holes in the firewalls, distributed applications running both on-prem and in the cloud, employees accessing SaaS applications for a growing portion of their workflows, and the explosion of connected devices and traffic all force CISOs to adopt a new mindset and approach.
Securing the modern environment requires “Zero Trust'' continuous verification, ubiquitous security controls, and always-on intelligence. Zero Days are more common, and threats revealed are quickly exploited in the wild. To address this change, CISOs have adopted numerous new security technologies.
Unfortunately, security governance approaches have failed to keep up. Even today, most security governance remains siloed in various playbooks, spreadsheets, communications tools, and ticketing systems. Processes for governance may be stated once but are rarely tracked, monitored, and verified. As a result, security governance often becomes a security risk in its own right. In its 2023 State of Security report, logging and security company Splunk found only 31% of respondents had a formal cyber resilience strategy and program.
According to ISACA's 2023 State of Cybersecurity report, 62% of respondents believe organizations are under-reporting attacks due to concerns over brand reputation or legal consequences. These findings demonstrate why security governance is failing to keep up.
With the recent issuance of a new rule by the U.S. Security and Exchange Commission (SEC), pressure on CISOs to improve security governance will dramatically increase. The new rule mandates disclosure of material security incidents within four days of discovery. Equally important, part of this rule, Regulation S-K Item 106, requires registered companies to “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.” In other words, transparency and process are no longer “nice-to-haves.” Every CISO must be prepared to explain their approach directly to shareholders.
Given the tight timetable for disclosure, under the new rule, the only viable path is to automate and instrument security governance processes.
The upshot? Security governance must up its game and enter the modern age of continuous cybersecurity. What’s more, the process of security governance must change in order to match this new higher bar.
Modern Security Governance: Real-time, Automated, Transparent, Verifiable
The core definition of security governance remains the same: the practice of providing governance and oversight for security-specific processes and workflows. Modern security governance, however, goes beyond this bare-bones description.
CISOs looking to modernize their security governance should consider this checklist of four fundamental tenets:
Real-time: Faster Governance Metabolism
In a world where Zero Day attacks and ransomware continue to increase, and dangerous nation-state threat actors rapidly iterate on exploits and attack TTPs, security governance must up its metabolism to keep pace. Annual or semi-annual policy updates no longer suffice and CISOs must be equipped to quickly shift governance approaches to counter fast-moving adversaries.
Closely related, faster governance means that security teams must accelerate the processes and workflows required for proper governance, moving from paper-based and semi-manual processes to on-demand checks and integrated monitoring of governance metrics.
Automated Governance: Move from Human Error to Machine Readable
In technology, every error-prone process is shifting from over-reliance on humans to programmatic approaches. Infrastructure-as-Code, GitOps, and other operational processes have shifted manual application delivery management to scripts and automation. More advanced security teams are automating security processes by automating workflows and linking together different systems to unify security operations.
Whereas security monitoring and reporting focuses on Indicators of Compromise, and evidence of breach or exfiltration, security governance automation will need to focus on automating all the steps teams take to maintain security, investigate anomalies, and then disclose or report findings.
Naturally, security cannot be completely automated; human judgment will continue to play a central role - but - just as all other areas of operations and security (and even marketing and IT processes) are becoming automated, so too must security governance.
Transparency: Easy Reporting, Observability, and Drill-Down
When organizations wanted to audit security governance processes, traditionally, this meant poring over log files for many different systems and looking over interactions in communications channels or ticketing systems. It was insecurity through obscurity, making it impossible to quickly and efficiently execute forensic investigations.
Modern security governance requires greater transparency, making it possible even for CISOs or CIOs to drill down into individual aspects of security governance process conformance and execution. An additional benefit of transparency is simplified reporting, which can be tuned to highlight anomalies and serve to focus organizational efforts on outliers.
Verifiable Governance: Reduce Liability and Simplify Audits
With increasing regulatory scrutiny and legal risk, CISOs must be able to demonstrate and verify security governance. Many of the state laws in the U.S. leave considerable room for interpretation of “best efforts” in security response and disclosure. Verifiable security governance establishes a tamper-resistant logging mechanism to capture and safeguard governance process records. Making governance verifiable provides legal protection and simplifies auditing and compliance procedures, enabling more frequent audits of security governance practices to help organizations maintain compliance.
New Rules, New Possibilities
While this ongoing shift requires considerable organizational energy and significant change management, a faster, more automated and more transparent security governance approach empowers a raft of new possibilities. Faster metabolism and response times and ability to quickly modify governance will lead to more responsive security posture management and a rapid feedback loop.
Automation and transparency will lead to a reduction in human error, less toil and trouble for stretched security teams, and simplified analysis of security response processes. Verifiable security governance will reduce liability, build traceable processes, and eliminate gray areas where CISOs might unfairly be held liable.
Ultimately, this new approach to security governance will affect cybersecurity teams for the better and make governance less painful, more proactive, and more effective.