Master Project
Information Security Governance: Awareness at the Board of
Directors and Executive Committee
Author: Koen Maris
Promotor(s): Wim Van Grembergen, Steven De Haes
Table of Content
Table of Content ......................................................................................................................... 2
Abstract ...................................................................................................................................... 4
Definitions .................................................................................................................................. 5
Problem statement and research questions ................................................................................. 6
Methodology .............................................................................................................................. 8
Identification process .............................................................................................................. 8
Awareness survey: .................................................................................................................. 8
Third party surveys: ................................................................................................................ 9
Literature: ............................................................................................................................. 10
Frameworks, methodologies and models ............................................................................. 11
ISO 2700x ......................................................................................................................... 11
COBIT 5 ............................................................................................................................ 11
ISACA, Business model for Information Security ........................................................... 12
ISC2, Common Body of Knowledge ................................................................................ 13
NIST 800-53 ..................................................................................................................... 13
Background on master project .................................................................................................. 14
Information security governance definitions ............................................................................ 16
Definition from NIST on information security governance : ............................................... 16
Definition from ISACA (2006) ............................................................................................ 17
Information Security Governance at the Board of Directors ................................................... 18
Leadership, strategy and value ............................................................................................. 19
Leadership ......................................................................................................................... 21
Strategy ............................................................................................................................. 23
Enabling value .................................................................................................................. 24
Measurement, monitoring and audit ..................................................................................... 25
Risk management ................................................................................................................. 27
Identify information security leaders .................................................................................... 29
Information Security governance practices at the Executive Committee ................................ 31
Information Security framework .......................................................................................... 33
Chief Security Officer/Chief Information Security Officer ................................................. 35
Information Security Steering Committee ............................................................................ 36
Implementation of information security ............................................................................... 39
Monitoring and assessments ................................................................................................. 41
Awareness and communication ............................................................................................ 42
Conclusion ................................................................................................................................ 46
Board members ..................................................................................................................... 47
Executive management ......................................................................................................... 48
End note .................................................................................................................................... 50
Table of Figures ....................................................................................................................... 51
Bibliography ............................................................................................................................. 53
Abstract
Corporate governance, and more specifically the governance of enterprise IT, are important factors
in building solid companies that require agile strategies. Difficulties in alignment remain,
as not every boardroom recognises the importance of the information technology
infrastructure in place at the company.
The rapid growth of emerging Internet technologies forced companies to address information
security. In the early days companies looked at information security as a solely technical
matter: various complex and expensive technologies were available to
mitigate the risk factors related to the use of the Internet. In a second era, security management
practices were integrated into the company structure. The objective of this function is mostly
to set a formal statement, by means of policies, standards, procedures and guidelines, in
order to maintain an adequate level of security. It provides a structured way of organising the
information security landscape and monitors the enterprise to keep it in compliance with the
integrated policies. Such a formal statement expresses the importance placed on information security
by the executive management and/or the board.
Since information security governance is a relatively new area, it does not always receive the
required attention in the form of business support, management support and eventually the necessary
budgets to keep Mr Evil out. The reasons why information security is not receiving the
required attention are plenty, but a main reason it fails to get on the agenda may be
that the upper levels of an organisational structure do not receive the information required to
get their attention, that companies are risk taking instead of risk averse, or that it seems
impossible to identify value for the business. Security is about avoiding something, whereas a
new application is about adding functionality in order to increase efficiency, production etc…
Unfortunately, security is still seen as a business disabler.
Definitions
This chapter explains the terms and definitions used that could cause doubt or
misinterpretation.
Awareness: knowledge or perception of a situation or fact (Oxford dictionary)
Security awareness: Security awareness is the extent to which staff understands the
importance of information security, the level of security required by the organisation and their
individual security responsibilities. (Standard of Good Practices for Information Security,
ISF)
Risk appetite: The amount and type of risk an organization is willing to accept in pursuit of
its business objectives.
Risk tolerance: The specific maximum risk that an organization is willing to take regarding
each relevant risk.
ISMS (information security management system): "An information security management
system (ISMS) is a set of policies concerned with information security management or IT
related risks. The idioms arose primarily out of BS 7799."(Wikipedia, 2013)
CRO: Chief Risk Officer
CSO: Chief Security Officer, covers all security aspects, including those outside IT
CISO: Chief Information Security Officer, in charge of information related security, not
physical aspects
Problem statement and research questions
Information security is often associated with technology, which makes it difficult to get it on
the radar of executives and board members. For executives and board members, anything that is
technology related is by default classified as boring, uninteresting, expensive and never
working. Yet the omnipresence of information technology makes it the lifeblood of most
organisations. It would be difficult to imagine a company not relying on information technology;
perhaps it could survive for a short period of time, but in the long run it would not be
sustainable. And in recent years it has become even more difficult to think in business
terms without being connected to the Internet. Imagine that your company had no
working email system for a few days, or no possibility to connect to a branch office because
the Internet service was not working properly. This dependence on technology and the Internet
will only increase in the upcoming years due to cloud technologies, VOIP, BYOD etc…
Julia H. Allen (2007) states that the interest of the decision makers in today's organisations is
not proportional to their dependence on technology and the related information security
issues. Executive managers, business managers and even the members of the board do not
necessarily understand the complex nature of information security. As a result little interest is
shown in the matter and, in the worst case, security is considered an expense or a discretionary
budget-line item. It is worthwhile to examine how a company's board and executive management
acquire the knowledge, or bring it into their working environment, to cope with the
complexity and rapidly changing technology of information security.
It appears that information security staff and business managers are too far out of sync
to define appropriate solutions offering a balance between risk and business value. In
any case risk based management still has its merits, but like information technology,
information security needs to align with business requirements and the risk appetite the business
is willing to take. Those benefitting from security and those responsible for security have
different interests and different goals. A higher risk appetite becomes the reason to deny
additional budgets to information security, which indirectly contributes to the idea that
management knows they need to address security but does not do so for various reasons.
Research questions:
Which level of information security governance “awareness” is present at the level of Board
of Directors and executive management in a contemporary enterprise?
Which practices (structures, procedures) have been identified?
To what extent are these practices considered effective?
Which practices are well adopted in today's enterprise?
What are the main drivers for implementing these practices?
Conceptual model:
Assumptions:
In today's contemporary enterprises there is some level of awareness at the Board of Directors
and Executive Committee. However, a clear enterprise wide strategy on information security is
often not present, and in the best case immature if present. This results in limited financial
support, lower budgets and an ad-hoc approach when it comes down to information security.
Methodology
The research in this paper is based on available literature, both academic and from the
business environment, on publicly available surveys done by academics and consultancy firms,
and on a survey I performed among a small number of board directors and executive
managers. The empirical findings come from publicly available reports and surveys performed
by major consultancy firms and some renowned academic institutions.
Identification process
All consulted literature presents common practices one might expect from
board members and executive management when it comes down to information security; these
are used as the basis in the identification process.
Boards of Directors have some tasks, such as leadership, which do not map one to one
onto a well-known procedure and/or structure as found in most literature. In such a case
there are multiple parts to explain the practice, with the relevant information and statistics in
order to have some insight into how well it is adopted and how effective its usage is.
Awareness survey:
A custom-developed survey contains some basic governance practices inspired by the 33
practices from De Haes & Van Grembergen (2008); the most important ones were
confirmed by a group of security professionals who responded to a survey. The target
audience for the survey enquiry is based on:
Board members with different backgrounds (different industries)
Executive management, with different job functions
Mid management, typical team leaders, project manager non-executive management
Administration, consultants, business architects, administrative personnel
Together with peers from the information security field we decided to limit the survey to the
most important practices. Peers were asked to identify at least 3 practices that are key in
establishing a successful information security program.
We concluded that the most important practices to measure are (in order of importance):
An information security responsible in the company
A formal information security policy in place
Communication of information security across the company
Risk appetite statement
Third party surveys:
A collection of surveys conducted by major consultancy firms is used, addressing information
security management/governance, risk management/governance, security reporting on
breaches etc… These reports contain surveys conducted by these large consultancy firms,
with a large respondent base spanning different types of industries, different levels of
hierarchy and different types of job functions. Most of the surveys come in the form of an official
report where statistics are used to underpin the end conclusion presented in the report.
PriceWaterhouseCoopers: Global Internet Security Survey 2014
Respondents: 9600 executives from 115 countries, cross industry
PriceWaterhouseCoopers: Information Security Breaches Survey 2012
Respondents: 447 organisations, 46% >500 employees
Ernst & Young: Fighting to close the gap, 2012, cross industry
Respondents: 1836 executives from 64 countries, cross industry
Jody R. Westby Carnegie Mellon, Governance of Enterprise Security 2012
Respondents: 108 board or senior executives from Forbes Global 2000 companies
Half of the respondents are board members, and the other half are non-director senior
executives. Twenty-four percent (24%) of the respondents are board chairs and 44%
are on Audit, Governance or Risk committees. Jody R. Westby (2012)
Deloitte: Global Risk Management Survey 2011
Respondents: 131 financial institutions
Deloitte: State governments at risk: a call for collaboration and compliance 2012
Respondents: 50 CISOs (48 states and two territories) USA only
Tripwire-Ponemon: The state of risk based security 2013
Respondents: 1,320 professionals in IT security, information risk management and IT
operations in the United States and the United Kingdom
Literature:
Academic publications, books and papers released by consultancy firms, vendors of security
products and information security related organisations are included to gather information on
information security governance practices, the drivers behind information security
governance, the practices used and to see how effectiveness is measured.
Frameworks, methodologies and models
The frameworks, methodologies and models used in this paper have similar approaches to
addressing information security. The similar approaches, practices and structures identified
are used as the starting point to identify the practices described in this paper.
ISO 2700x
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for
short) comprises information security standards published jointly by the International
Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC). The series provides best practice recommendations on information security
management, risks and controls within the context of an overall information security
management system (ISMS), similar in design to management systems for quality assurance
(the ISO 9000 series) and environmental protection (the ISO 14000 series).
The series is deliberately broad in scope, covering more than just privacy, confidentiality and
IT or technical security issues. It is applicable to organizations of all shapes and sizes. All
organizations are encouraged to assess their information security risks, then implement
appropriate information security controls according to their needs, using the guidance and
suggestions where relevant. Given the dynamic nature of information security, the ISMS
concept incorporates continuous feedback and improvement activities, summarized by
Deming's "plan-do-check-act" approach, that seek to address changes in the threats,
vulnerabilities or impacts of information security incidents. (Wikipedia, 2014)
COBIT 5
COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between
realizing benefits and optimizing risk levels and resource use. The framework addresses both
business and IT functional areas across an enterprise and considers the IT-related interests of
internal and external stakeholders. Enterprises of all sizes, whether commercial, not-for-profit
or in the public sector, can benefit from COBIT 5.
In this paper the emphasis of COBIT is put on risk and information security; in parallel to the
standard COBIT enabler processes guide I have consulted COBIT 5 for Information Security
and COBIT 5 for Risk Management.
ISACA, Business model for Information Security
The Business Model for Information Security provides an in-depth explanation to a holistic
business model which examines security issues from a systems perspective. Explore various
media, including journal articles, webcasts and podcasts, to delve into the Business Model for
Information Security and to learn more about how to have success in the IS field in today's
market. (ISACA, 2010)
ISC2, Common Body of Knowledge
The (ISC)² Common Body of Knowledge is a taxonomy - a collection of topics relevant to
information security professionals around the world. The (ISC)² Common Body of
Knowledge establishes a common framework of information security terms and principles
which allows information security professionals worldwide to discuss, debate, and resolve
matters pertaining to the profession with a common understanding, from Shon Harris (2003).
I've not used this book actively but a great deal of my knowledge on information security
management started by getting the CISSP credential that I've obtained in 2004. Therefore I
consider it as important in this paper.
NIST 800-53
NIST Special Publication 800-53, "Recommended Security Controls for Federal Information
Systems and Organizations," catalogs security controls for all U.S. federal information
systems except those related to national security. It is published by the National Institute of
Standards and Technology, which is a non-regulatory agency of the United States Department
of Commerce. NIST develops and issues standards, guidelines, and other publications to assist
federal agencies in implementing the Federal Information Security Management Act of 2002
(FISMA) and to help with managing cost effective programs to protect their information and
information systems. (Wikipedia, 2013)
Background on master project
Information security and cyber security have been hot news items for a few years now; hardly
a day goes by without a high profile security incident in the news. These
incidents contributed to an information security approach that is addressed in an ad-hoc
manner. The information security people of today are the firemen of your network boundaries
and systems. They keep your house in an acceptable shape when the fire breaks loose. But
these firemen should be the last resort to rely on. In our society we try to avoid calling these
firemen and we do not rely on them to monitor and warn us when something happens, since
this is a shared responsibility between the government, society (you and me) and the firemen.
Information security in the corporate world needs to be treated as a shared responsibility
too, in order to obtain an adequate level of acceptance, success and financial support. The
board and executive management have to keep oversight and implement rules and policies.
Staff should apply the rules and inform the firemen, whenever required, upon detection of an
anomaly. As in our society, controls have to be put in place to ensure the rules and policies
are adhered to.
The biggest obstacle to achieving this seemingly easy solution is that information security
and technology change at high velocity. Something secure today could suffer a zero-day
exploit tomorrow, and a day after it could be a gaping hole in your fortress. Preparedness is
key; therefore information security should be on the board agendas and integrated into the
corporate governance process. The difficulty remains in aligning the triangle of business, IT
and information security.
Some facts and figures from Kaspersky (2013):
Maintaining information security is the main issue faced by companies' IT management
In the past 12 months (2012), 91% of the responding companies had at least one
external incident and 85% reported internal incidents
A serious incident can cost a large company an average of $649,000; for small and
medium-sized companies the bill averages at about $50,000.
A successful targeted attack on a large company can cost it $2.4 million in direct
financial losses and additional costs.
For a medium-sized or small company, a targeted attack can mean about $92,000 in
damages – almost twice as much as an average attack.
Information leaks committed using mobile devices – intentionally or accidentally –
constitute the main internal threat that companies are concerned about for the future.
The seriousness of the threats, the costs and the high volume of attacks show that information
security is to be taken seriously by any organisation, whether small or big. Not to speak of all the
privacy and data related issues such as those experienced in 2013 with the leakage of confidential
data by Edward Snowden. It also pinpoints that the internal threat is becoming increasingly
important.
Information security governance definitions
Currently there is a myriad of different definitions for an identical idea or concept.
Unfortunately there is no silver bullet that answers it all. This chapter outlines some
definitions taken from respectable bodies across the globe, though this list is not exhaustive.
Some of the key goals of an information security programme are to protect the company's
assets, reduce risk, set rules and provide compliance with law and regulation. In other words,
it protects assets against theft, misuse, unavailability, unauthorised disclosure, tampering,
legal liability etc...
A successful information security governance approach demands full integration into the
corporate strategy and enterprise governance, aligned with IT, and contributes to the overall
success of the company (ISACA, guidance for boards of directors, 2006). The
omnipresence of information security in IT demands a new culture, transforming today's
enterprises from a buy-a-solution approach into a security aware culture. By setting the
tone at the top, a company can transform its current culture into an information security aware
environment. There is a wealth of frameworks and standards available to provide guidance in
the complex task of covering all information security related subjects a company has to deal with,
such as the ISO 27001(2) ISMS framework, COBIT for security, the NIST 800-53 publication
etc…
Definition from NIST on information security governance:
Information security governance can be defined as the process of establishing and
maintaining a framework and supporting management structure and processes to provide
assurance that information security strategies are aligned with and support business
objectives, are consistent with applicable laws and regulations through adherence to
policies and internal controls, and provide assignment of responsibility, all in an effort to
manage risk. (NIST, 2006)
Information security governance is more than just setting tone and strategy; to receive buy-in
from the Board of Directors and senior management one needs to be able to express some
potential benefits of applying good information security governance.
Definition from ISACA (2006)
An information security governance framework generally entails:
A comprehensive security strategy explicitly linked with business and IT objectives
An effective security organisational structure
A security strategy that talks about the value of information protected and delivered
Security policies that address each aspect of strategy, control and regulation
A complete set of security standards for each policy to ensure that procedures and
guidelines comply with policy
Institutionalised monitoring processes to ensure compliance and provide feedback on
effectiveness and mitigation of risk
A process to ensure continued evaluation and update of security policies, standards,
procedures and risks
Information Security Governance at the Board of Directors
Understanding the role of the Board of Directors in information security governance requires
a look at how it interacts with corporate governance and which tasks the Board
of Directors exercises in that context.
The mandate of a director of the board is dual, from Stanford (2011):
Advisory: consult with management regarding strategic and operational direction of
the company.
Oversight: monitor company performance and reduce agency costs
This translates to a set of responsibilities and practices exercised by the board and executive
management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately and verifying that the
enterprise's resources are used responsibly, from ITGI/ISACA (2003).
Risk management is one of the key elements in Information Security Governance; defining
risk and setting the tone by defining the risk appetite level is one of the practices required.
Additionally, information security governance requires strategic direction and impetus. It
requires commitment, resources and assignment of responsibility for information security
management, as well as a means for the board to determine that its intent has been met.
Figure 1, Does your board regularly, occasionally, rarely or never complete the
following actions? Jody R. Westby, 2012
ISACA (2006) states that experience has shown that the effectiveness of information security
governance depends on the involvement of senior management in approving policy, and on
appropriate monitoring and metrics coupled with reporting and trend analysis.
The literature research results in the following list of responsibilities and/or tasks expected to
be taken up by the Board of Directors in the context of Information Security Governance.
Risk Management, setting the tone by defining the risk appetite
Identify information security leaders, provide resources and support
Direction, strategy and leadership, put information security on the board's agenda
Ensure effectiveness of the information security policy
Integrate a strategic committee
Staff awareness and training
Measurement, monitoring and audit
Are these practices also exercised by the board members, and to what extent are they considered
effective?
Leadership, strategy and value
According to S.H von Solms/R. von Solms (2009), information security is a direct corporate
governance responsibility and lies squarely on the shoulders of the Board of a company. It
emphasizes the fact that everybody in the company has an information security responsibility
– from the Chairperson of the board to the newest junior secretary.
ISACA (2006) states that information security is a top-down process requiring a
comprehensive security strategy that is explicitly linked to the organisation's business
processes and strategy.
Ana Dutra (2012) finds that board composition is a serious impediment, if not done right.
Today's challenges require new perspectives and skills. But boards often lack the ability to
objectively evaluate their makeup to determine if they have the right people and skills at the table.
Jody R. Westby (2012) discovered in a recent study that boards still underestimate the
importance of the relatively new expertise domains such as information technology and risk
and security. However, the report indicates progress: 27% of the respondents indicated that
their board had an outside director with cyber security experience, up from 18% in 2010.
And 64% of the respondents think it is very important to have risk and security experience
when hiring a new director.
Although the importance attached to risk and security knowledge seems fair, it is still low compared to
skills like management and financial knowledge, especially considering the importance of,
and the dependence on, technology and the Internet.
Figure 2, How important is each type of experience when recruiting new
directors? Jody R. Westby, Governance of Enterprise Security
Leadership
According to ISACA (2006), information security governance consists of the leadership,
organisational structures and processes that safeguard critical information assets. In this paper,
however, the focus lies on the outcomes expected by the ISACA report, as they show the results
of leadership. The expected results are:
Risk management by executing appropriate measures to manage and mitigate risks and
reduce potential impacts on information resources to an acceptable level
Resource management by utilising information security knowledge and infrastructure
efficiently and effectively
Performance measurement by measuring, monitoring and reporting information
security governance metrics to ensure organisational objectives are achieved
To achieve these outcomes a company requires some concrete practices. Some of the identified
practices map almost one to one onto the outcomes, whereas others are practices that
provide input to obtain the expected outcome.
Review of annual budgets
Fifty-three percent (53%) of respondents said their board rarely or never reviewed and
approved annual budgets for privacy and IT security programs, a finding by Jody R.
Westby (2012).
Review of roles and responsibilities
Fifty-six percent (56%) of respondents indicated their board rarely or never reviewed
and approved roles and responsibilities of personnel responsible for privacy and
security risks, a finding by Jody R. Westby (2012).
Review of top level policies
Forty-one percent (41%) of respondents said their board rarely or never reviewed and
approved top-level policies regarding privacy and security risks, a finding by Jody R.
Westby (2012).
Leadership of CEO, president or board
23% of the respondents see the lack of leadership as an important obstacle to the
overall strategic effectiveness of their organisation's security function, from
PriceWaterhouseCoopers (2012).
Establish a risk committee of the board of directors
Only 28% of the respondents reply that they have a risk committee with board members
included, according to Deloitte (2011).
Add board members with risk experience
19% of the respondents have risk-experienced members added to or present in their
current board, according to Deloitte (2011).
Many boards across the world are starting to bring information security governance into their
activities. However, these practices are not widely adopted yet, and there is limited or no
information on how well they are integrated and to what extent they can be considered
effective. Perhaps the only part of the practices that has a head start is risk management
and/or risk governance, which is traditionally covered in order to protect a company from
financial risks etc. Boards are actively addressing risk management, but there is still a gap in
understanding the linkage between cyber security risks and enterprise risk management,
according to Carnegie Mellon University - Jody R. Westby (2012).
The leadership levels in a company regarding information security are still on the lower side.
The fact that almost half of the respondents do not even review budgets, and that more than
40% of the respondents are not reviewing the official statement set in the form of a policy, is
extremely worrying.
Strategy
Defining a strategy and setting direction is a crucial aspect of any governance domain,
whether information security, risk or any other. The majority of the literature consulted for
this thesis states that any information security strategy needs to be aligned with the business
strategy in order to achieve results, acceptance and budgets adequate to
execute the strategy. Similar to the leadership chapter, the results are focussed on the expected
outcomes according to the ISACA document "Guidance for Boards of Directors and Executive
Management".
Strategic alignment of information security with business strategy to support
organisational objectives
Performance measurement by measuring, monitoring and reporting information
security governance metrics to ensure organisational objectives are achieved
Value delivery by optimising information security investments in support of
organisational objectives
Aligning the business strategy and the information security strategy is a key factor in good
governance practices. A study conducted by PriceWaterhouseCoopers (2014) states that 68% of
the respondents assume their information security strategy is aligned with the business needs.
However, a similar survey conducted in 2012 by Ernst & Young says that only 42% have their
information security strategy aligned with their business strategy.
About 54% of the respondents state that they discuss information security topics in the
boardroom on a quarterly basis or even more frequently. However, the remaining 46% never
or almost never discuss the topic in the boardroom. Nonetheless, many respondents feel that
the information security function is not meeting the organisational need; only a minority
think they are fully aligned.
Figure 3, Does your function meet the organisational requirements? (response categories: fully aligned; partially aligned)
EY, Fighting to close the gap, 2012
Note: there is in fact a one-year difference between both reports: the PriceWaterhouseCoopers
report was released in 2014 with data based on 2013, while the EY report contains data and
conclusions from 2012.
According to Tripwire-Ponemon (2013), improvements in commitment to risk-based security
management haven't translated into a wider acceptance of a strategic approach to risk
management among organizations. Nearly half of the respondents describe their risk-based
security management approach or strategy as 'non-existent' or 'ad hoc' (46% U.S. and 48%
U.K.). In contrast, only 29% (U.S.) and 27% (U.K.) have a risk-based security management
strategy applied consistently across the enterprise.
The fact that leadership practices regarding information security are relatively poor translates
into the strategy and alignment part. There is some level of alignment, but there is a lot of
room for improvement.
Enabling value
It is no secret that, for many information security practitioners, creating business value out of
information security seems an impossible task today. I will not go into detail on
the reasons why or why not, since there is little to no academic information to be found.
However, in order to create something that is perceived as valuable to the business, there must
be some alignment, or at least interest from both groups to cooperate on the issue.
Figure 4, Organizational involvement in aligning risk-based security management with business objectives (response categories: significant…; moderate…; little involvement; no involvement)
Tripwire, 2013
Undoubtedly one of the biggest challenges is to obtain some organisational involvement in
aligning risk-based security management with business objectives, as shown in Figure 4.
When value is measured with regard to information security, it is mostly looked at in terms of
reduced negative consequences from security incidents, generated by investments in control
objectives, according to the Royal Institute of Sweden (2011). In that regard it remains an almost
impossible task to convince the business that security is a value enabler. Providing metrics is
often used as an argument; however, a study from Tripwire-Ponemon (2013) states the most
obvious remark in that respect: 50% of the respondents in the USA and UK say that the
information is too technical to be understood by non-technical management. The same study
reveals that 40% of the respondents only communicate with senior management when there is
an actual incident. This is by far the worst time to start a constructive and positive
dialogue with senior management.
Measurement, monitoring and audit
An important aspect of governance is monitoring and measuring performance, security, finance,
in fact any topic deemed important for the good functioning of the business. When looking into
COBIT 5, many processes have an output to the process MEA02 (Monitor, Evaluate and Assess the
System of Internal Control), which defines the importance of good monitoring capabilities to
achieve governance. A company has an arsenal of possibilities to monitor and assess. A
well-known monitoring tool is audit, whether internal or external. Undoubtedly any company that
has a reputation to defend has some form of internal audit and performs an external control on a
regular basis; mostly these actions are driven by compliance standards, industry regulations or
by law. In the field of information security a company can add additional controls such as
self-assessments, monitoring incidents, monitoring costs etc.; these help a company in assessing
the efficiency of its information security strategy.
Figure 5, How does your organisation assess the efficiency and effectiveness of information security? (response categories: assessments performed by internal audit function; internal self-assessments by IT or information security function; assessment by external party; monitoring and evaluation of security incidents and events; in conjunction with the external financial statement audit; benchmarking against peers/competition; evaluation of information security operational performance; formal certification to external security standards)
EY, Fighting to close the gap, 2012
Internal audit is by far the most important tool used to assess performance and to report on
progress toward achieving the organisational objectives. For the board of a company, audit and an
audit committee are an important reporting line to receive an objective status on how the company
is performing and what the status is on different aspects of governance. However, only a limited
number of companies have a strict segregation between the risk committee and the audit
committee, which creates a conflict of interest. Only 8% of respondents said their boards have a
Risk Committee that is separate from the Audit Committee, and of this 8%, only half of them
oversee privacy and security. Audit Committees should not be responsible for establishing
privacy and security programs and then also auditing them. This is an obvious segregation of
duties issue at the board level, according to Jody R. Westby (2008). But as shown in Figure 6
the situation is improving; companies are separating the duties into different committees. As a
consequence the Audit Committee responsibility for oversight of risk dropped from 65% in
2008 to 35% in 2012, from Carnegie Mellon University - Jody R. Westby (2012).
Figure 6, Subjects actively addressed by the board (responsibilities of senior… 68%; risk management 91%; IT operations 29%; computer and information… 33%; mergers and acquisitions 92%; long term strategy & operations 95%; vendor management 13%; compliance 92%)
Jody R. Westby, 2012
Figure 7, Separate risk committee and audit committee (2008, 2010, 2012)
Jody R. Westby, 2012
Risk management
Boards play a crucial role in risk oversight. Directors at corporations are encouraged to
embrace entrepreneurial risk and pursue risk-bearing strategic operations, according to Matteo
Tonello (2008). Apart from the economic stance, the main driver for Enterprise Risk Management
is compliance with regulatory bodies and legal constraints. Still, a useful risk approach delivers
an advantage for any company and avoids abrupt business interruption. Information risk
management does not differ that much; it is mostly driven by regulations. As shown in
Figure 7, up to 91% of the companies have a form of risk management. Sarbanes-Oxley
contributed to moving companies to address risk, whether business or information related. Whether
these approaches have been efficient remains difficult to measure; recent years showed that too
many times companies have taken too much entrepreneurial risk, jeopardising the entire enterprise
and perhaps even being one of the causes of the economic turmoil the world is in. It might look
like a problem only within the financial sector, but other industries suffered as well because
they did not take into account the risk of bankruptcy of big institutions. When it comes down to
information security we can see similar events: the risk any enterprise faces when using modern
technologies seems to be misjudged, or the risk appetite set is insufficiently articulated and/or
too high. This gives attackers an edge and a great arsenal of attack vectors, since outdated and
well-known attacks are still present and used.
Figure 8, I know the acceptable risk level in my daily duties. (You know the acceptable risk level you're allowed to take during your daily tasks.) (responses: strongly agree, agree, neutral, disagree, strongly disagree; split by Exec's and Board)
Koen Maris, 2013
Figure 9, Enterprise Risk Management program/structure in place (2008, 2010, 2012)
Jody R. Westby, 2012
Performing a risk assessment is important in mitigating risks, but success depends on other
important factors in the risk management approach, such as defining a risk appetite statement
and having it approved by the board of directors. In the context of information security very little
information is available. Risk appetite is known by the board and executive members; there is
a slight difference between the two when looking at Figure 8. However, it seems that the communication
about it is trailing behind. If we look at the broader context of Enterprise Risk Management, a
study by Deloitte (2011) shows that only 67% of the boards approved a risk appetite
statement. Designing risk management without defining your risk appetite is like designing a
bridge without knowing which river it needs to span. Your bridge will be too long or too
short, too high or too low, and certainly not the best solution to cross the river in question,
as stated by E&Y (2012).
But judgement of risk and of risk appetite is subjective for each individual. When asked whether
they would take more risk if that could help them achieve their goals and get their bonuses,
about 16% of board members would agree; in the executive ranks about 30% would agree to do so,
according to my survey (2013). According to a report from the European Audit Committee
Leadership Network (2012), good risk management does not imply avoiding all risks at all
cost. It does imply making informed and coherent choices regarding the risks the company
wants to take in pursuit of its objectives and regarding the measures to manage and mitigate
those risks. In an ERM system that lacks a well-articulated risk appetite framework, a
business unit that reports no risks requires no action.
Identify information security leaders
The CRO is the most senior official of the enterprise who is accountable for all aspects of risk
management across the enterprise. An IT risk officer function may be established to oversee risk
within the IT departments. In some enterprises, when there is no specific CRO role, the CEO will be
charged with chairing the committee, per delegation by the board, to oversee the day-to-day risk
in the enterprise (COBIT 5 for Risk, 2013). The CRO title is used by security-savvy companies that
understand the need to integrate IT, physical and personnel risks and manage them through one
position. Less than two thirds of the Forbes Global 2000 companies responding to the survey have
full-time personnel in key roles responsible for privacy and security in a manner that is
consistent with internationally accepted best practices and standards, according to Jody R.
Westby (2012).
The CRO function undoubtedly has a crucial role in the overall risk setting of a company,
especially if there is a direct connection between the CRO and the board. Other statistics show
that up to 68% of the CRO functions have a direct reporting line to the board, where 33% of
the CROs state that they meet the board when needed, in other words ad hoc, and 35% of the
respondents claim to have board meetings quarterly (executiveboard.com, 2008). Twenty-six
percent (26%) of respondents said their board rarely or never received reports from senior
management regarding privacy and IT security risks; an additional 33% said they occasionally
got such reports. Thirty-nine percent (39%) said they regularly received reports on privacy
and IT security risks.
Figure 10, Key role risk/security function in place (CISO, CSO, CPO, CRO; responses: yes, no, don't know)
Jody R. Westby, Governance of Enterprise Security
Board members are risk aware; whether they are risk averse or risk taking, they are used to
making decisions based on a risk report. Parts of the risks are translated into a strategy and
put in place by a Chief Security Officer. I wasn't able to find a study to underpin whether a
CISO/CSO should or should not report directly to a board, either via a committee or during a
board meeting.
Information Security governance practices at the Executive Committee
In today's interconnected world in which companies conduct business it would be virtually
impossible to neglect or ignore the importance of information security across
organisations. Many enterprises have a form of information security management and address
the technical issues related to protecting their information assets. Only a minority of
companies have a strategy in place that is aligned with the company strategy. The lack of an
information security strategy embedded into corporate governance results in undercut
budgets and limited support, and eventually ends up with a lesser or inefficient information
security programme, leaving a company vulnerable.
Many frameworks, models, methodologies or best practices are readily available addressing the
importance of information security and how it should be incorporated into the overall structure
of the company. I've identified a set of practices and structures by searching for the common
parts in the previously mentioned frameworks, methodologies, models and standards. As a starting
point I've used the 33 practices from De Haes & Van Grembergen (2008), since these cover a
wide range of practices recognised as important factors in achieving alignment between the
business strategy and the IT strategy of an enterprise. Since information security is closely
related to information technology, I've opted to include these practices.
Figure 11, Greatest obstacles to improving information security (response categories: insufficient capital expenditures; lack of vision on how future business needs impact security; lack of information security strategy; insufficient operational expenditures)
PriceWaterhouseCoopers, Global internet security survey 2014
An important barometer to check whether information security can have a level of success is
to see if the budgets are in line with the expectations of the business and with the risk exposure
and risk appetite a company is facing.
As with many new technologies, being the unknown in the group does not help to gain
confidence. While most security stakeholders agree that action should be taken to improve
information security, there appears to be little consensus on the challenges to achieve it. We
asked respondents to identify the greatest obstacles to better security. The answers revealed a
wide range of diverging opinions and, in some cases, finger pointing, concluded
PriceWaterhouseCoopers (2013).
Figure 12, Reasons for not collaborating on information security (response categories: do not want to draw attention to potential weaknesses; are concerned that a competitor would use such information to…; no one competitor is considerably more advanced than others; distrust our competitors; large organisations with more financial resources would use…)
PriceWaterhouseCoopers, 2013
Information Security framework
The information security framework provides a set of documents encompassing policies,
standards, guidelines and procedures, as defined in the ISO 27001:2013 standard. One of the
crucial parts of the formalisation process is the integration, approved by senior management,
of an information security policy in the entire organisation. The information security policy
typically outlines the rules on how to conduct business in a secure fashion, the do's and don'ts
when it comes down to the usage of the company's assets.
When looking in depth into the COBIT 5 framework, we can see a shift from a merely operational
approach to a more management-oriented approach when it comes down to information security. And
we can see a clear top-down approach, since managing risk is considered at the governance
level within the COBIT 5 framework. Information security is no longer considered a purely
operational part of your organisation. In COBIT 5 it is represented in APO13 (Align,
Plan and Organise); this process requires an input from an external source, which would be the
ISMS in place, for example ISO 2700x based, but it could also be a proper set of policies,
standards and guidelines from a company.
Figure 13, I know the security policy of my company? (responses: strongly agree, agree, neutral, disagree, strongly disagree; split by Board, Exec and Overall)
Koen Maris, 2013
Figure 14, How many respondents have a formally documented information security policy? (2012 - large organisations: 95%; 2012 - small organisations: 63%; 2010 - small organisations: 67%)
PriceWaterhouseCoopers, Information security breaches survey 2012
A survey executed by PriceWaterhouseCoopers (2012) shows a positive trend in the progress
of developing a formal statement such as an information security policy, at least for large
organisations. It shows that companies, management and board, attach importance to
information security. Though having a security policy in place says little about the maturity of
the processes required to execute the security rules in a correct manner, and it does not show
any level of assurance that it is kept up to date and reviewed on a regular basis. Another issue
that arises is that a policy can have many forms, one better than the other. Some companies
consider just an acceptable use policy as sufficient, whereas others have a very detailed and
granular approach in addressing the information security issues of their company. Ideally a
clear strategy is set and communicated by senior management; such a statement provides a
clear message to all staff that information security is taken seriously in the organisation and
that it is part of day-to-day business.
The majority of the respondents agreed that they know the security policy/strategy of their company,
so a level of knowledge or awareness is present at the top level of the company. However, a small
percentage disagreed, and there is some discrepancy between the fact that the majority of the
people replied and/or believe that there is an information security policy present in the
company and the fact that they have some knowledge about its content. This trend is confirmed by
a survey performed on behalf of PriceWaterhouseCoopers (2012) stating:
Possession of a security policy by itself does not prevent breaches; employees need to
understand it and put it into practice. Only 26% of respondents with a security policy believe
their employees have a very good understanding of it; 21% think the level of staff
understanding is poor.
Chief Security Officer/Chief Information Security Officer
Any company of a reasonable size requires, in today's corporate environment, a designated
person responsible for addressing the information security requirements, obligations, reporting etc.
In the majority of today's companies you'd be able to identify such a person; however, his or her
title or position might be anything from chief information security officer to data/privacy officer
or even IT security officer. Immediately one of the difficulties arises: attach him/her to IT or
to a business-related function. In addition, the responsibility oftentimes arrives in the hands of
a Chief Finance Officer, Chief Information Officer or even the IT manager. Though having an
information security function does not say anything about the success of this function and the
quality of the information security programme carried out across the organisation.
An important aspect of the success and acceptance of a good information security programme is
the reporting line; there is a lot of discussion on this topic and today there is no prescriptive
rule to apply. If the reporting line is too closely related to the IT function or direction, such
as with a CIO, it could create a separation of duty issue. The latter would give the CIO the
possibility to overrule an information security decision made by the security officer. But if the
CISO/CSO is only responsible for IT-related matters, it would make sense to have him/her
report to a CIO instead of somebody else within the organisation.
In addition, the CIO may interfere with security procurements by favouring certain vendors or
products without understanding the technological differences between the products, states
Jody R. Westby (2012).
Figure 15, Any company should have an information security responsible? (responses split by Board, Exec and Overall)
Koen Maris, 2013
Figure 16, To whom does your CSO/CISO report? (response categories: CEO/COO; CFO; CIO; General counsel; Chief Audit Officer; Other)
Jody R. Westby, 2012
Michael Porter (1985) states that if you remove friction and solder smoother connections, you
are providing a basis for competitive advantage for your organization. When applying that
logic to a CSO/CISO role, it should be a transversal role in the company. And according to
Derek Slater (2009) the CSO/CISO should be guiding the executives in detecting common
challenges in a way that facilitates cooperation between departments.
Information Security Steering Committee
An information security steering committee provides a means to ensure good practice and that
information security is applied effectively and consistently over the enterprise (COBIT 5 for
Security). The report Guidance for Boards of Directors from ISACA (2006) states that a
steering committee serves as an effective communication channel for management's aims and
directions and provides an ongoing basis for ensuring alignment of the security programme
with organisational objectives. It is also instrumental in achieving behaviour change toward a
culture that promotes good security practices and policy compliance.
According to an article by Tom Scholtz (2003), an information security steering committee
must have a clear charter with a range of functions that should include but not be limited to:
Managing the development and executive acceptance of an enterprise security charter.
Assessing and accepting corporate-wide security policy (e.g., the corporate policy on
security incident response, general behavioural policy). A major objective of this
function is ensuring that business requirements are reflected in the security policy,
thus ensuring that the policy enables rather than restricts business operations.
Assessing any requests for policy exceptions from individual business units.
Assessing, accepting, and sponsoring corporate-wide security investment (e.g.,
identity infrastructure deployment, remote access infrastructure), as well as requests to
be excluded from common investment.
Providing a forum for discussion and arbitration of any disputes or disagreements
regarding common policy or investment issues.
Acting as custodian and governance body of the enterprise security program by
ensuring visible executive support, as well as monitoring progress and achievements.
The role of a permanent governance structure reinforces the message that enterprise
security becomes an ongoing, long-term initiative.
Assessing and approving the outsourcing of common security services, as well as
coordinating investment in appropriate relationship management resources. As the
lack of skilled resources increases the need to outsource operational services,
executive due diligence, risk assessment, and ongoing effectiveness assessment must
be coordinated through the steering committee.
Initiating ad hoc projects to investigate the advantages, disadvantages, risks, and cost
of common security initiatives, and advising the committee with appropriate
recommendations.
Representing the executive (board of directors) or its nominated information
governance body (e.g., an information executive board) in all corporate security
matters. Reporting back to these forums on the activities and effectiveness of
corporate security programs and investments.
Acting as custodian of corporate-wide strategic security processes (e.g., role analysis,
data classification) by validating process ownership, responsibilities, and stakeholders.
Acting as respondent to enterprise-level audit exceptions (i.e., those audit exceptions
where a specific individual cannot be found to be responsible).
Coordinating and validating any external, security-related corporate communications
plans and activities (e.g., in the event of a high-profile, publicized security breach).
Tracking major line-of-business IT initiatives to identify opportunities for synergy or
to leverage security investment.
Governing trust relationships with major e-business partners.
Notwithstanding the importance of such a committee and the mandate it carries, I can only
determine a low level of presence of such a committee according to the information found in
the surveys. According to the survey performed by Tripwire-Ponemon (2013), only 15% of the
companies have a meeting organised on a regular basis, which in this survey means annual,
quarterly or semi-annual.
In a PriceWaterhouseCoopers (2012) survey it was noted that only 47% of the respondents had
an information security steering committee in place. Jody R. Westby's (2012) survey, as shown in
Figure 17, is a little more positive, but the fact that risk is included could have an impact on
the result. These results seem low, especially when considering that the IT strategy committee
is regarded as an efficient practice and reasonably easy to integrate in an organisation,
according to De Haes & Van Grembergen (2008).
Figure 17, Risk/Security committees are less rare (response categories: audit committee; governance/compliance…; risk/security committee; IT committee)
Jody R. Westby, 2012
It remains difficult to identify a direct cause of why an information security steering
committee is only present in a limited number of companies. The reason might be found in the
bottom-up approach of reporting, since the majority of security professionals find that their
information is too technical and will not be understood by non-technical management,
according to a Tripwire-Ponemon (2013) study. Getting such a committee to
work requires sponsorship from senior management and eventually board
members, but if security professionals are not willing to take up the task of transforming their
reporting into comprehensible language, it will be impossible to get information security on
the agenda.
Implementation of information security
Integrating or implementing information security across the organisation demands rigour and
focus, since information technology and thus security issues arise at high velocity. The pace of
change is an aspect one has to take into account in order to keep up with the latest
technology, compliance and regulation. There is no doubt that the actual integration of the
controls occurs at the operational levels of a company, though it is the responsibility of
executive management to ensure that sufficient resources and budgets are available and that
the priorities are respected as defined by that same management.
Regarding the budgets, a PriceWaterhouseCoopers (2014) survey revealed that only 8% of the
IT budget is spent on security when we look into the IT aspect of information security. About
20% of those same respondents say they only spend about 1% of the total budget on
information security. To make matters worse, 80% of those respondents from large
organisations claim not to evaluate the return on investment of their security expenditure,
according to PriceWaterhouseCoopers (2012).
About 80% of the same respondents claim that their security spending is aligned with their
current business requirements, finds PriceWaterhouseCoopers (2012). When looking at a study
from Deloitte (2012), it shows that 44% of their respondents said that budgets (2010-2011)
stayed the same, and 34% claimed the budgets decreased. Prudence though is required when
analysing the results, as studies show that information security budgets are often only a
fraction of what is spent on security across the entire enterprise. Today most companies apply
such a federated model, about 56% of the respondents claim. 74% of CISO respondents have
executive commitment, but that has not translated into adequate funding in the majority of
cases.
Information security does not only require an adequate budget; it relies on people with the
right skillset. These are not readily available and, moreover, security technologies are rapidly
changing, requiring people to adapt and train on a continuous basis.
Blocking is not the answer. In many studies it is clear that companies are adapting to new ways
of conducting business, but often it seems that the way to adapt is to block. When looking at
social media, 45% of the companies said they were blocking social media in combination with
adjusting the policy, according to the study from E&Y (2012). And with the rise of BYOD we can
see a similar attitude: 52% are considering blocking access or allowing it in a very limited
fashion. The way to mitigate new risks such as smartphones and tablets looks focussed on the
formal approach and less on the technical implications such technology has. Could this mean
that companies are willing to accept the risk, are tired of using technology as a solution, or
perhaps lack funding?
Figure 18, Which of the following controls have you implemented to mitigate the new or increased risks related to the use of mobile computing including tablets and smartphones? (response categories: policy adjustments; increased security awareness activities; encryption techniques; new mobile device management software; allow the use of company-owned devices, but disallow use of…; governance process to manage the use of mobile applications; architectural changes)
Ernst & Young, 2012
Monitoring and assessments
Executive management should monitor that the framework and its corresponding controls are working effectively, that security breaches are contained, that incident response is working correctly and that the company is in compliance with regulatory bodies.
In practice we see that 82% of the CSO/CISOs are responsible for measuring and reporting cyber security; however, only 8% of these same respondents are currently measuring the value and effectiveness of their enterprise cyber security organization's activities, says Deloitte (2012). Figure 5 shows that only 48% of the respondents monitor and evaluate security incidents and events, though more than 60% do internal audit assessments and self-assessments by IT or information security. Top performing companies in regards to information security use the top 4 approaches in order to evaluate and monitor their information security practices in the organisation, according to E&Y (2012).
[Figure 19, How many respondents measure the effectiveness of their security expenditure? PriceWaterhouseCoopers, Information security breaches survey, 2012. Bar chart (0% to 50%), small versus large organisations: measuring trend in security incidents/costs; benchmarking against other organisations; return on investment (ROI) calculation; measuring staff awareness; monitoring level of regulatory compliance; other formalised processes; do not formally evaluate.]
Awareness and communication
It is important to make a clear distinction between awareness and training. Awareness typically defines the "what", in order to influence the general behaviour of your targeted audience. It prepares people to put things in perspective and opens their eyes to aspects they generally would not think about. Training, however, goes deeper into the details, for example the technical details of how a virus or a control technique works. Training concentrates more on the "how" and is mostly established for a specific audience or target group. However, security awareness remains one of the most underfunded and overlooked mechanisms for improving your information security programme, says Rebecca Herold (2005).
Have you ever had any security training? ESET, a popular anti-virus vendor, asked this question whilst studying the implications of the bring-your-own-device strategy emerging in the corporate environment. The defined target audience was U.S. adults employed at the time of the survey. The level of training received appears rather low compared to the importance attached to the subject by top management. Only 32% of employees say they received training when taking up their new job, according to a survey performed by Cisco (2008).
[Figure 20, Have you ever had any security training? ESET survey 2012. Pie chart: Yes 32%, No 68%.]
A PriceWaterhouseCoopers (The global state of Internet Security Survey 2014) study remarks that 21% of their respondents have a policy on security awareness training and about 59% of those same respondents have a senior executive communicating on the importance of information security. Cisco and ESET seem to arrive at a similar result, and the PriceWaterhouseCoopers (2014) survey shows that the policy itself does not guarantee the execution of the task.
A consensus between board members and executives can be found in the approach on how to communicate on information security. As shown in Table 1, a security awareness campaign is considered the best way to share information security knowledge across an organisation. All groups set the same criteria in regards to communication of information security. It is a positive trend that awareness and security policies receive the same level of attention from top to bottom in an organisation, though there is some kind of knowing-doing gap: everyone knows about the importance, but as other surveys show, the level of doing is relatively low when it comes down to awareness campaigns.
Rank  Board                        Executives                   Overall
1     Security awareness campaign  Security awareness campaign  Security awareness campaign
2     Formal security policies     Formal security policies     Formal security policies
3     Email                        Official statements/reports  Official statements/reports
4     Official statements/reports  Email                        Intranet
5     Intranet                     Intranet                     Email
Each respondent had the choice of 5 answers and was asked to put them in order of importance, where 1 was the most and 5 the least important. All proposed answers were shown in random order.
Table 1, What is the best way to share security knowledge (policy, incident management, control procedures, etc…)? Survey Koen Maris 2013
While many agree and talk about the subject, only few put its importance into practice. Ernst & Young (2012) performed a survey that indicates that only 9% of the companies see security awareness as a priority in the next 12 months.
Any security awareness programme should be a continuous effort, just as we experience in our daily lives. We have to be reminded continuously about the dangers of moving in traffic, whether we are a pedestrian, on a bicycle or in a car. Every year around the Christmas holidays we are kindly reminded about the dangers of drinking and driving. There is no surprise in there that this is a deadly cocktail, and even though we went through a training programme during our induction into traffic, our driver's licence, we tend to forget this. It is no different with information security: the same techniques are used or reused over and over again and still we are prone to these attacks. Hence the importance of a recurrent approach; repetition is king.
[Figure 21, How do respondents ensure staff are aware of security threats? PriceWaterhouseCoopers, Information Security breaches survey, 2012. Bar chart (0% to 100%) for large and small organisations, comparing induction-only awareness with ongoing awareness; values shown on the chart: 62%, 46%, 27%, 31%.]
According to a Tripwire-Ponemon (2013) study the reporting line from bottom to top is not working properly: in about 60 percent of the cases reporting is not happening, or only when a severe security risk is revealed. A more serious issue is that negative facts are filtered before being disclosed to senior management. This dramatically limits the opportunity for effective communication and reduces the organization's visibility into the urgency of security issues, according to the Tripwire-Ponemon (2013) report. About 12% of the UK respondents in the Tripwire-Ponemon (2013) study say that senior executives are not interested; this is extremely worrying given the high volume of cyber security issues in the media, and perhaps it shows more the lack of communication capabilities of some of the security professionals.
[Figure 22, Why communication with senior executives is not considered effective? Tripwire-Ponemon, The state of risk based security, 2013. Bar chart (0% to 70%) of reasons: communications are contained in only one department or line of business; the information is too technical to be understood by non-technical management; communications occur at too low a level; negative facts are filtered before being disclosed to senior executives and the CEO; we only communicate with senior executives when there is an actual incident; it takes too much time and resources to prepare reports to senior executives; the information can be ambiguous, which may lead to poor decisions; senior executives are not interested in this information; other.]
Conclusion
Which level of information security governance “awareness” is present at the level of Board
of Directors and executive management in a contemporary enterprise?
In many cases board members and executive management are progressing on the path to
information security governance and many surveys that explore this path indicate that there is
a decent level of awareness present. A positive indicator is that a number of practices at the
board and on management level are following a positive trend. At the same time it also shows
that being aware about an issue does not guarantee that the issue is addressed accordingly.
If there is a general point that requires attention it must be communication, from top to bottom and vice versa. It seems that the board and its members look at information security as an important part of conducting business today, but they are not getting the required information in order to do so. This is confirmed by the fact that executive management is not performing well at bottom-up reporting. The information is filtered and, at best, reported when a severe incident has occurred, which is far from the best way to start a constructive discussion on information security. Secondly, it might be worth having an independent committee to take the decisions, prepare the reports and provide the required feedback for the executive management and the board members, so that they have full transparency on information security incidents, projects etc…
Such a communication channel might open the path for executive management to develop a clear information security governance strategy aligned with the overall enterprise strategy and have it approved by the board to get the required sponsorship.
Board members
Which practices (structures, procedures) have been identified?
There have been a number of practices identified specifically related towards the board and its
members. The following practices have been identified:
Leadership, strategy and value
Measurement, audit and monitoring
Risk management
Identify security leaders
To what extent are these practices considered effective?
Measuring the effectiveness of those practices is not always an easy goal to achieve. But companies, and more specifically board members, are well aware of managing risk, and the effectiveness can be deduced from the fact that the majority is aware of the risk appetite set in their company. It was unclear whether a company having thoughtful leadership and enterprise risk management in place had also identified a security leader. Many companies have a security leader, whether it is a Chief Risk Officer or any other information security related function. But whether this is due to legal and compliance requirements or to good leadership and high awareness remains unclear. The audit and monitoring parts are well in place, but the degree of effectiveness can be doubtful, especially because only half of the companies have a strict separation between the risk and audit committees.
Which practices are well adopted in today's enterprise?
The practices regarding leadership, alignment and value are the least adopted; all the others are fairly well adopted and show a positive trend for improvement. When it comes down to leadership, most boards are still neglecting information security. This could explain the fact that business and information security are not well aligned and that there is little or no value creation for the business when looking at information security. As an ultimate excuse the technical complexity is used to justify this neglect.
What are the main drivers for implementing these practices?
In many cases the drivers are still legal and compliance related issues that push for more information security. A severe incident also triggers the attention of board members; whether this is because of legal consequences or financial interest is unclear. In either case it remains an ad-hoc modus operandi, which is not a sustainable approach to address information security.
Executive management
Which practices (structures, procedures) have been identified?
Identifying the practices for the executive management regarding information security provides more tangible results compared to those of the board members. The following practices have been identified:
Information Security Framework
Chief Security Officer/Chief Information Security Officer
Information Security Steering Committee
Implementation of information security
Monitoring and assessment
Awareness and communication
To what extent are these practices considered effective?
The majority of companies today have a security framework/policy in place and the majority of the people say they know about it. Though this says little about the level of understanding regarding the policy, and there the answers point in the opposite direction. In most companies of a reasonable size there is a Security Officer. The effectiveness of such a role is heavily dependent on the reporting line this person has, and in some cases this is creating a problem since the bottom-up reporting does not occur at all or is biased.
The steering committee is only gaining ground slowly and it remains difficult to judge the
effectiveness. When such a committee is well integrated in a company it could be an ideal
leverage to address issues to management and board and it could improve the reporting line.
Implementing security is done to some extent; it is no secret that budgets are under pressure in today's difficult economic circumstances. The fact that only a small number of companies evaluates the return on investment on security spending could be a reason that security budgets stay low. Having the support of your senior management is not the only factor required to get adequate funding. The same attitude shows in the monitoring part: fewer than 10% of the security officers say that they effectively measure and evaluate the effectiveness of their controls and funding, though there is a better level of monitoring when it comes down to incidents, audits and self-assessments.
Which practices are well adopted in today's enterprise?
The two least adopted practices are the information security steering committee and awareness. Regarding information security awareness, companies are conscious of the importance, but there is still a big gap between what they know and what they are effectively doing. However, there is a positive trend and companies are recognising the value of spending money and resources for awareness purposes. The steering committee is less adopted, but it is gaining ground.
What are the main drivers for implementing these practices?
Legal and compliance remain a big motivator for implementing information security; the interest from the senior levels of companies is relatively low since it remains a complex and highly technological subject. The fact that information security is put on agendas only whenever there is a severe incident is not helping; this is a negative situation which makes it extremely difficult to put information security into a positive light. Add to this the fact that reporting is often not done in a correct fashion (facts are changed, severity is lowered or reporting does not occur at all), and it becomes virtually impossible to get information security on the agenda of the decision makers.
End note
The research revealed some aspects, though a lot of questions remain open, especially on the effectiveness side. Many aspects are not measured for effectiveness, and the links between the structures and procedures and how they influence each other are not well researched. An interesting point would be to see whether companies with good Enterprise Risk Management also have good information security governance, and whether a good reporting line from bottom to top would improve the strategy and also give better top-down communication.
Table of Figures
Figure 1, Does your board regularly, occasionally, rarely or never complete the following actions? Jody R. Westby, 2012, p. 18
Figure 2, How important is each type of experience when recruiting new directors? Jody R. Westby, Governance of Enterprise Security, p. 20
Figure 3, Does your function meet the organisational requirements? EY, Fighting to close the gap, 2012, p. 23
Figure 4, Organizational involvement in aligning risk-based security management with business objectives. Tripwire, 2013, p. 24
Figure 5, How does your organisation assess the efficiency and effectiveness of information security? EY, Fighting to close the gap, 2012, p. 25
Figure 7, Subjects actively addressed by the board. Jody R. Westby, 2012, p. 26
Figure 6, Separate risk committee and audit committee. Jody R. Westby, 2012, p. 26
Figure 8, I know the acceptable risk level in my daily duties. (You know the acceptable risk level you're allowed to take during your daily tasks.) Koen Maris, 2013, p. 27
Figure 9, Enterprise Risk Management program/structure in place. Jody R. Westby, 2012, p. 27
Figure 10, Key role risk/security function in place. Jody R. Westby, Governance of Enterprise Security, p. 29
Figure 11, Greatest obstacles to improving information security. PriceWaterhouseCoopers, Global internet security survey 2014, p. 31
Figure 12, Reasons for not collaborating on information security. PriceWaterhouseCoopers, 2013, p. 32
Figure 13, I know the security policy of my company? Koen Maris, 2013, p. 33
Figure 14, How many respondents have a formally documented information security policy? PriceWaterhouseCoopers, Information security breaches survey 2012, p. 33
Figure 15, Any company should have an information security responsible? Koen Maris, 2013, p. 35
Figure 16, To whom does your CSO/CISO report? Jody R. Westby, 2012, p. 35
Figure 17, Risk/Security committees are less rare. Jody R. Westby, 2012, p. 38
Figure 18, Which of the following controls have you implemented to mitigate the new or increased risks related to the use of mobile computing including tablets and smartphones? Ernst & Young, 2012, p. 40
Figure 19, How many respondents measure the effectiveness of their security expenditure? PriceWaterhouseCoopers, Information security breaches survey, 2012, p. 41
Figure 20, Have you ever had any security training? ESET survey 2012, p. 42
Figure 21, How do respondents ensure staff are aware of security threats? PriceWaterhouseCoopers, Information Security breaches survey, 2012, p. 44
Figure 22, Why communication with senior executives is not considered effective? Tripwire-Ponemon, The state of risk based security, 2013, p. 45
Bibliography
Allen, J. H. (2007). Governing for Enterprise Security. Carnegie Mellon CyLab, CERT.
Cisco. (2008). The Effectiveness of Security.
Deloitte. (2011). Global risk management survey, 7th edition.
Dutra, A. (2012). A more effective board of directors. Harvard Business Review, 2.
Ernst & Young. (2012). Risk appetite: the strategic balancing act. Retrieved from www.ey.com.
European Audit Committee Leadership Network. (2012). Strategy, risk appetite at the board. Viewpoints.
Harris, S. (2003). CISSP All-in-One Guide, second edition.
ISACA. (2006). Information Security Governance: Guidance for boards of directors and executive management. ISACA.
ISACA. (2010). Business Model for Information Security. ISACA.
ISACA. (2012). COBIT 5.
ISACA. (n.d.). COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. Retrieved from ISACA: http://www.isaca.org/COBIT/Pages/default.aspx?cid=1003566&Appeal=PR
NIST. (2006). Information Security Handbook: A guide for managers. Special Publication 800-100.
Porter, M. (1985). Competitive advantage.
PriceWaterhouseCoopers. (2012). Information Security Breaches Survey Technical Report. PWC.
PriceWaterhouseCoopers. (2013). The Global State of Information Security Survey.
Royal Institute of Technology. (2011). Assessing Future Value of Investments in Security-Related IT Governance Control Objectives.
Slater, D. (2009). What is a CSO. Retrieved from CSOonline: http://www.csoonline.com/article/2124612/it-careers/what-is-a-cso--part-2.html
Solms, S. v. (2008). Information security governance. Springer.
Stanford Graduate School of Business. (2011). Board of Directors: Duties & Liabilities.
Steven De Haes, Ph.D. and Wim Van Grembergen, Ph.D. (2008). Practices in IT Governance and Business/IT Alignment. ISACA Journal, 6.
Tom Scholtz. (2003). The role of the corporate information security steering committee. Retrieved from SC Magazine: http://www.scmagazine.com/the-role-of-the-corporate-information-security-steering-committee/article/30595/
Tonello, M. (2008). Corporate Governance Handbook: Legal standards and board practices, 3rd edition. The Conference Board.
Tripwire-Ponemon. (2013). The state of risk based security.
University, C. M. (2012). Governance of Enterprise Security: CyLab 2012 Report.
Westby, J. R. (2012). Governance of Enterprise Security. Carnegie Mellon University CyLab. Retrieved from CyLab Survey Reveals Gap in Board Governance of Cyber Security: https://www.cylab.cmu.edu/news_events/news/2008/governance.html
Wikipedia. (2013). NIST Special Publication 800-53. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/NIST_Special_Publication_800-53
Wikipedia. (2014). ISO/IEC 27000-series. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/ISO/IEC_27000-series