Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. This blog post examines five fundamental challenges of cybersecurity governance that, while not exhaustive, are essential to establishing and maintaining an effective cybersecurity governance program.

The ISO/IEC 27001 standard, from the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), defines IT governance as, "The system by which an organization directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks."

In an increasingly challenging threat landscape, many organizations struggle with implementing and enforcing effective cybersecurity governance. The CERT Division's research in this field derives from conducting various organizational assessments, including Cyber Resilience Reviews (CRRs), External Dependencies Management (EDM) Assessments, and Information Security Continuous Monitoring Assessments (ISCMs). The CRR and EDM assessments derive from the CERT Resilience Management Model (CERT-RMM), a maturity model for managing operational resilience and a leading resource for process improvement.

Many organizations we have assessed seem to struggle with five fundamental challenges to cybersecurity governance:

1. Cybersecurity Strategy and Goals
2. Standardized Processes
3. Enforcement and Accountability
4. Senior Leadership Oversight
5. Resources

To establish a good cybersecurity governance program, the organization must clearly define its risk management policies, strategy, and goals. Senior leadership must assess their current risk management approach prior to defining the strategy and goals for the organization's preferred state. The strategy should be a high-level document that establishes the roadmap for the organization to maintain and improve its overall risk management approach. Once the strategy and goals are finalized, an enterprise-level policy must be implemented and distributed throughout the organization.

Key components to developing an effective cybersecurity strategy include

• understanding how cybersecurity risk relates to your critical business operations
• developing strategic goals for the organization
• defining the scope
• identifying cybersecurity needs and develop objectives
• establishing key performance indicators (KPIs)
• determining resource needs
• determining risk appetite
• establishing continuous monitoring

Many organizations have processes and personnel to ensure that daily tasks are completed. However, management of specific tasks--if they're managed at all--isn't always done as effectively as it could be. Without approved, standardized processes that are repeatable, organizations cannot ensure efficiency, quality, or consistency. Consistency is critical to ensure a common understanding and management approach to risks throughout the organization. Establishing repeatable processes is a key factor to an organization's overall cybersecurity governance program. In short, a cybersecurity governance program that is ad-hoc and inconsistent will eventually lead to shortfalls. An ineffective cybersecurity governance program will lead to increased security breaches, compromises, and attacks.

Processes should be in place to enforce requirements. Otherwise, the cybersecurity program will become inconsistent, requirements will be ignored, and failure will occur. Once those with program responsibilities perceive or observe that accountability and cybersecurity governance are lacking, they will come up with their own way of doing things, which is counter to establishing standardized processes. Cybersecurity governance must be measurable and enforced, and there must be accountability for compliance across all personnel levels.

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) recommends a tiered approach to risk management and promotes the development of security and privacy capabilities into information systems throughout the system development life cycle (SDLC). This approach can be accomplished by continuously monitoring those systems to maintain situational awareness of their security and privacy posture. Information should also be provided to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, and other organizations. Part 2 of this series, Addressing Cybersecurity Governance Challenges, will look more deeply into the NIST tiered approach to risk management.

Because cybersecurity governance is an enterprise concern, the focus and direction for the cybersecurity program must come from the top to ensure that the process is achieving its goals. Unless senior leadership supports cybersecurity governance with a strong "tone at the top" approach, the organization's risk management efforts will most likely fail. Senior leadership must remain engaged for the lifecycle of the program. This engagement helps to ensure that the entire organization not only understands senior leadership's commitment to cybersecurity governance, but is implementing it at a high standard. ISO 27001, section five, has a list of leadership principles that are relevant in establishing an effective cybersecurity governance program:

• ensuring the information security policy and the information security objectives are established, and are compatible with the strategic direction of the organization
• ensuring information security management system requirements are integrated into the organization's processes
• ensuring that the resources needed for the information security management system are available
• communicating the importance of effective information security management, and conforming to the information security management system requirements
• ensuring that the information security management system achieves its intended outcomes
• directing and supporting staff to contribute to the effectiveness of the information security management system
• promoting continual improvements

Top management shall establish a cybersecurity policy that:

• is appropriate to the purpose of the organization
• includes information security objectives or the framework for setting information security objectives
• includes a commitment to satisfy applicable requirements related to information security
• includes a commitment to continual improvement of the information security management system
• is available as documented information
• is communicated within the organization and is available to relevant parties, as appropriate

Senior leadership must ensure adequate resources are available to meet basic cybersecurity governance and compliance needs commensurate with the organization's cybersecurity strategy and goals. Funding must be allocated to the highest priorities to secure information and information systems, adequate for the levels of risk. Resourcing must also include dedicated funding for qualified personnel and their training. In addition, resources must allow for the procurement of sufficient tools for adequately measuring KPIs as well as maintaining repeatable processes.

There's no silver bullet for cybersecurity governance. It starts with senior leadership, but ultimately everyone plays a role. Part 2 of this blog will discuss courses of action to effectively address the five fundamental challenges of cybersecurity governance. In the interim, review CERT-RMM, NIST Special Publication 800-37, and ISO/IEC 27001 for further information on risk management and cybersecurity governance. While not exhaustive, these resources are a good start for understanding and establishing a cybersecurity governance program. You can also send us your thoughts on cybersecurity governance by emailing info@sei.cmu.edu.