Security governance and business objectives
Standard approaches to security and risk management are sometimes misinterpreted. Whilst being a useful starting point, the establishment of predetermined security risk management structures, business processes, roles and requirements is too often separated from the normal decision making structures and processes used elsewhere in the business. This separation can lead to uncertainty, delays and confusion in the technology decision making process.
Prioritising compliance with or adherence to predefined security governance structures over finding ways to make effective risk management decisions that fit the business can lead to a false sense of control and therefore a false sense of security. That is not to say that governance activity is a bad thing. When done well, it significantly contributes to effective risk management, and therefore the security of the organisation.
Invest in risk management, trust decision makers
Governing how risks to technology systems are managed should be no different to the way organisations govern other business activities. The term governance implies that an organisation actively exercises control over the risks it faces and provides direction for the security of its business. Effective security governance requires that organisations invest in risk management resources and trust decision makers, so that they have the right people, structures and processes in place. This enables sensible risk management decision making in pursuit of the organisation's business goals and objectives.
What does good security governance look like?
There is no ‘one size fits all’ approach to governance that can work for every organisation. Organisations should establish the security risk management roles and decision making processes that work for them (remembering that some organisations may have to comply with mandated requirements).
Irrespective of any predetermined structures or processes, a good approach to the governance of risk management across an organisation is more likely when:
- the organisation’s business goals and priorities are clear
- the assets that the organisation cares about (or values in terms of achieving its business goals) are clearly identified
- the organisation puts in place the resources needed to make risk management effective
- the organisation understands that for security to be effective, it must be part of ‘business as usual’
- the organisation identifies who is responsible (and accountable) for the security of the technology systems
- the risks that the organisation will (and will not) take in pursuit of its business goals are clear
- the organisation identifies who is responsible (and accountable) for making security decisions about technology systems
- the organisation knows how to acquire the information needed to inform these security decisions
- the organisation identifies who is responsible (and accountable) for the ongoing security of the technology systems throughout the whole system life cycle
When organisations are deciding what governance approach is right for them, it may also be helpful to consider:
- How will the organisation manage technology-related security risks in different business, technology, and decision making contexts?
- What external requirements are relevant when managing technology-related security risks (e.g. legal, regulatory or sector specific)?
- What business processes are necessary to support the making of security risk management decisions?
- What information and documentation is necessary to enable decision makers to make timely, informed and objective security risk management decisions?
- How will the organisation ensure that those responsible for managing risks (and making risk management decisions) have the right business and security skills, knowledge and training?
- How will the organisation provide confidence that its approach to managing risk is effective, and that the systems it uses for business are secure enough to meet its needs?
- How will the organisation ensure traceability and accountability for risk management decisions and actions?
- How will the organisation make continuous improvements to the way it manages security risks?
Delegating decision making
Effective cyber security risk management is built on sensible decision making. However, senior management within an organisation do not need to make all risk management decisions. Risk management decision making can take place at all levels within an organisation, and be delegated to those people who are best placed to understand the problem. Decision makers should have the right security, business and technical knowledge (together with the skills and experience) to enable them to make effective and timely risk management decisions in different business contexts.
To make security risk management effective, it is important to establish clear lines of communication between those that are responsible and accountable for the security of an organisation, and those who are empowered to make risk management decisions on their behalf. Where decision making is delegated, the scope of that delegation must be clear. That is, those holding delegated authority should understand when decisions need to be escalated for more senior attention within the business.
Dealing with complexity and uncertainty
The technology systems used to deliver modern business capabilities can be considered as complex ‘sociotechnical’ systems with interaction between technology, people and organisations. This complexity means that there are times when the causes and effects of security risks can be known and can be managed, and times when they cannot.
Uncertainty in risk management is unavoidable because the information needed by decision makers and practitioners to inform security decisions may not be available, may not be known, or may be arrived at subjectively. This uncertainty is exacerbated by:
- the biases of those involved in risk analysis, assessment and decision making processes
- limitations in methods and tools, and in the way they are used
This complexity and uncertainty do not mean that there is nothing organisations can do to manage security risks. Rather, those responsible for making risk decisions need to:
- understand the limitations of the tools they are using
- understand that there are contexts when risks can be managed through the implementation of predefined security controls and approaches, and contexts when they cannot
- adopt different strategies for making sensible security risk management decisions in different contexts
Developing an effective culture and environment
An effective security culture and environment will also help organisations deal with this complexity and risk management uncertainty. An appropriate security culture and environment can be encouraged by:
- ensuring that everyone involved in security risk management decisions understands that achieving the objectives and maintaining the priorities of the business are more important than compliance with generic predetermined checklists
- employing people who have the cyber security, business & risk management skills, and the knowledge & expertise needed to make and enable effective decisions
- trusting and empowering those people to make risk management decisions
- minimising the procedural and documentary workload to only that which is absolutely necessary to enable timely and effective decision making
- ‘baking’ risk management into ‘business as usual’, so it is viewed as a continuous activity that is consistent with the way other risks are managed (rather than a one-off action)
- making it easy for those responsible for making risk management decisions to have access to (and understand) the information they require
- reducing opportunities for that information to be misinterpreted, diminished or elaborated in any way that introduces uncertainty and bias
- accepting that technology and security risks will be realised and understanding what the organisation will do to minimise damage, continue to operate, and make improvements based on lessons learned
- ensuring that communication between:
  a) those accountable for security
  b) those responsible for making risk management decisions
  c) those responsible for carrying out risk management activities
  is clear and meaningful, so that information can be correctly and effectively acted upon
Communicating risk management information
The effective communication of risk management information helps organisations to direct and control risk management activities. For this communication to be effective, organisations must establish internal and external channels to communicate with staff, business partners and customers. Communication within an organisation is most effective when it flows amongst the right levels of an organisation: top-down, bottom-up and laterally.
- top-down communication provides corporate direction and business objectives to decision makers
- bottom-up and lateral communication provides detailed technical, non-technical and security information to inform risk management decisions
When communicating internally, this information should as a minimum include:
- business objectives, priorities and risk management direction
- what the organisation cares about and why
- what risks the organisation will (and won’t) take
- who is responsible and accountable for making risk management decisions
When communicating externally with third parties, this information should as a minimum include:
- the risk management and decision making context
- what needs to be protected and why
- if the security of the protected assets is reliant on another party, what the organisation expects that party to do to protect them (e.g. security procedures or security requirements in contracts)
- where a third party is providing security for something the organisation cares about, how the organisation will gain confidence that the third party is delivering security as expected
To communicate risk management information in a clear and meaningful way, organisations should use plain English and commonly known business, technology and security terminology. Using bespoke risk management language or specialist terms should be avoided.
It is often assumed that because organisations use a common risk assessment (or risk management) method, they will be able to use the risk information generated (such as risk numbers, risk levels and impact levels) as a shorthand to convey information to risk management decision makers and business partners. Without work to agree the meaning of risk management information, this assumption is incorrect. People and organisations will interpret or misinterpret risk related information based on their individual and group biases, their experience, knowledge and priorities. This is especially true if the risk management information is provided without meaning, explanation or context.
As with any other relationship, trust between parties is built upon good communication that enables each to understand what the others value, and to agree the specific meaning of risk management information and risk assessment output. This understanding will enable organisations to trust risk management information provided to them by others, and to use technology systems and services with confidence.
Source: NCSC