Master Project
Information Security Governance: Awareness at the Board of
Directors and Executive Committee
Author: Koen Maris
Promotor(s): Wim Van Grembergen, Steven De Haes
Table of Contents
Table of Contents ...................................................................................................................... 2
Abstract ...................................................................................................................................... 4
Definitions.................................................................................................................................. 5
Problem statement and research questions................................................................................. 6
Methodology .............................................................................................................................. 8
Identification process.............................................................................................................. 8
Awareness survey:.................................................................................................................. 8
Third party surveys:................................................................................................................ 9
Literature: ............................................................................................................................. 10
Frameworks, methodologies and models ............................................................................. 11
ISO 2700x ......................................................................................................................... 11
COBIT 5............................................................................................................................ 11
ISACA, Business model for Information Security ........................................................... 12
ISC2, Common Body of Knowledge................................................................................ 13
NIST 800-53 ..................................................................................................................... 13
Background on master project.................................................................................................. 14
Information security governance definitions............................................................................ 16
Definition from NIST on information security governance :............................................... 16
Definition from ISACA (2006) ............................................................................................ 17
Information Security Governance at the Board of Directors ................................................... 18
Leadership, strategy and value ............................................................................................. 19
Leadership......................................................................................................................... 21
Strategy ............................................................................................................................. 23
Enabling value .................................................................................................................. 24
Measurement, monitoring and audit..................................................................................... 25
Risk management ................................................................................................................. 27
Identify information security leaders.................................................................................... 29
Information Security governance practices at the Executive Committee ................................ 31
Information Security framework .......................................................................................... 33
Chief Security Officer/Chief Information Security Officer ................................................. 35
Information Security Steering Committee............................................................................ 36
Implementation of information security............................................................................... 39
Monitoring and assessments................................................................................................. 41
Awareness and communication............................................................................................ 42
Conclusion................................................................................................................................ 46
Board members..................................................................................................................... 47
Executive management......................................................................................................... 48
End note.................................................................................................................................... 50
Table of Figures ....................................................................................................................... 51
Bibliography............................................................................................................................. 53
Abstract
Corporate governance, and more specifically governance of enterprise IT, are important factors in building solid companies that require agile strategies. Difficulties in alignment remain present, as not every boardroom recognises the importance of the information technology infrastructure in place at the company.
The rapid growth of emerging Internet technologies forced companies to address information security. In the early days companies looked at information security as a purely technical matter: various complex and expensive technologies were available to mitigate the risk factors related to the use of the Internet. In a second era, security management practices were integrated into the company structure. The objective of this function is mostly to set a formal statement by means of policies, standards, procedures and guidelines in order to maintain an adequate level of security. It provides a structured way of organising the information security landscape and monitors the enterprise to keep it in compliance with the integrated policies. Such a formal statement expresses the importance placed on information security by the executive management and/or the board.
Since information security governance is a relatively new area, it does not always receive the required attention, such as business support, management support and eventually the necessary budgets to keep Mr Evil out. The reasons why information security is not receiving the required attention are plenty, but a main reason it fails to get on the agenda could be that the upper levels of an organisational structure do not receive the information required to get their attention, that companies are risk taking instead of risk averse, or that it seems impossible to identify value for the business. Security is about avoiding something, whereas a new application is about adding functionality in order to increase efficiency, production etc. Unfortunately, security is still seen as a business disabler.
Definitions
This chapter explains the terms and definitions used that could cause doubt or
misinterpretation.
Awareness: knowledge or perception of a situation or fact (Oxford dictionary)
Security awareness: Security awareness is the extent to which staff understands the
importance of information security, the level of security required by the organisation and their
individual security responsibilities. (Standard of Good Practices for Information Security,
ISF)
Risk appetite: The amount and type of risk an organization is willing to accept in pursuit of
its business objectives.
Risk tolerance: The specific maximum risk that an organization is willing to take regarding
each relevant risk.
ISMS (information security management system): "An information security management
system (ISMS) is a set of policies concerned with information security management or IT
related risks. The idioms arose primarily out of BS 7799."(Wikipedia, 2013)
CRO: Chief Risk Officer
CSO: Chief Security Officer, covers all security aspects, including those outside IT
CISO: Chief Information Security Officer, in charge of information related security, not
physical aspects
Problem statement and research questions
Information security is often associated with technology, which makes it difficult to get it on the radar of executives and board members. For executives and board members, anything technology related is by default classified as boring, uninteresting, expensive and never working. Yet the omnipresence of information technology makes it the lifeblood of most organisations. It would be difficult to imagine a company not relying on information technology; perhaps it could survive for a short period of time, but in the long run it would not be sustainable. In the most recent years it has become even more difficult to think in business terms without being connected to the Internet. Imagine that your company had no working email system for a few days, or no possibility to connect to a branch office because the Internet service was not working properly. This dependence on technology and the Internet will only increase in the upcoming years due to cloud technologies, VOIP, BYOD etc.
Julia H. Allen (2007) states that the interest of the decision makers in today's organisations is not proportional to their dependence on technology and the related information security issues. Executive managers, business managers and even the members of the board do not necessarily understand the complex nature of information security. As a result little interest is shown in the matter and, in the worst case, security is considered an expense or a discretionary budget-line item. It is worthwhile to see how companies' boards and executive management have the knowledge, or import the knowledge into their working environment, to cope with the complexity and rapidly changing information security technology.
It appears that information security staff and business managers are too far out of sync to define appropriate solutions offering a balance between risk and business value. In any case risk based management still has its merits, but like information technology, information security needs to align with business requirements and the risk appetite the business is willing to take. Those benefiting from security and those responsible for security have different interests and different goals. A higher risk appetite becomes the reason to deny additional budgets to information security, which indirectly contributes to the idea that management knows they need to address security but does not, for various reasons.
Research questions:
Which level of information security governance "awareness" is present at the level of the Board of Directors and executive management in a contemporary enterprise?
- Which practices (structures, procedures) have been identified?
- To what extent are these practices considered effective?
- Which practices are well adopted in today's enterprise?
- What are the main drivers for implementing these practices?
Conceptual model:
Assumptions:
In today's contemporary enterprises there is some level of awareness at the Board of Directors and Executive Committee. However, a clear enterprise-wide strategy on information security is often not present, and at best immature if present. This results in limited financial support, lower budgets and an ad-hoc approach when it comes down to information security.
Methodology
The research in this paper is based on available literature, both academic and from the business environment, on publicly available surveys done by academics and consultancy firms, and on a survey I performed among a small number of board directors and executive managers. The empirical findings come from publicly available reports and surveys performed by major consultancy firms and some renowned academic institutions.
Identification process
All consulted literature describes common practices one might expect from board members and executive management when it comes down to information security; these are used as the basis of the identification process.
The Board of Directors has some tasks, such as leadership, which do not map one to one onto a well-known procedure and/or structure as found in most literature. In such a case the practice is explained in multiple parts, with the relevant information and statistics, in order to give some insight into how well it is adopted and how effective its usage is.
Awareness survey:
A custom-developed survey contains some basic governance practices inspired by the 33 practices from De Haes & Van Grembergen (2008); the most important ones were confirmed by a group of security professionals who responded to a survey. The target audience for the survey is:
- Board members with different backgrounds (different industries)
- Executive management, with different job functions
- Mid management: typically team leaders, project managers and other non-executive management
- Administration: consultants, business architects, administrative personnel
Together with peers from the information security field we decided to limit the survey to the most important practices. Peers were asked to identify at least 3 practices that are key in establishing a successful information security program.
We concluded that the most important practices to measure are (in order of importance):
- An information security responsible in the company
- A formal information security policy in place
- Communication of information security across the company
- Risk appetite statement
Third party surveys:
A collection of surveys conducted by major consultancy firms is used, addressing information security management/governance, risk management/governance, security reporting on breaches etc. These reports contain surveys conducted by these large consultancy firms, with a large respondent base spanning different types of industries, different levels of hierarchy and different types of job functions. Most of the surveys come in the form of an official report in which statistics are used to underpin the conclusion presented in the report.
- PriceWaterhouseCoopers: Global Internet Security Survey 2014
Respondents: 9600 executives from 115 countries, cross industry
- PriceWaterhouseCoopers: Information Security Breaches Survey 2012
Respondents: 447 organisations, 46% >500 employees
- Ernst & Young: Fighting to close the gap, 2012, cross industry
Respondents: 1836 executives from 64 countries, cross industry
- Jody R. Westby, Carnegie Mellon: Governance of Enterprise Security 2012
Respondents: 108 board or senior executives from Forbes Global 2000 companies
Half of the respondents are board members, and the other half are non-director senior executives. Twenty-four percent (24%) of the respondents are board chairs and 44% are on Audit, Governance or Risk committees. Jody R. Westby (2012)
- Deloitte: Global Risk Management Survey 2011
Respondents: 131 financial institutions
- Deloitte: State governments at risk: a call for collaboration and compliance 2012
Respondents: 50 CISOs (48 states and two territories), USA only
- Tripwire-Ponemon: The state of risk based security 2013
Respondents: 1,320 professionals in IT security, information risk management and IT operations in the United States and the United Kingdom
Literature:
Academic publications, books and papers released by consultancy firms, vendors of security
products and information security related organisations are included to gather information on
information security governance practices, the drivers behind information security
governance, the practices used and to see how effectiveness is measured.
Frameworks, methodologies and models
The frameworks, methodologies and models used in this paper have similar approaches in
addressing information security. The similar approaches, practices and structures, identified
are used as the starting point to identify the practices described in this paper.
ISO 2700x
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for
short) comprises information security standards published jointly by the International
Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC). The series provides best practice recommendations on information security
management, risks and controls within the context of an overall information security
management system (ISMS), similar in design to management systems for quality assurance
(the ISO 9000 series) and environmental protection (the ISO 14000 series).
The series is deliberately broad in scope, covering more than just privacy, confidentiality and
IT or technical security issues. It is applicable to organizations of all shapes and sizes. All
organizations are encouraged to assess their information security risks, then implement
appropriate information security controls according to their needs, using the guidance and
suggestions where relevant. Given the dynamic nature of information security, the ISMS
concept incorporates continuous feedback and improvement activities, summarized by
Deming's "plan-do-check-act" approach, that seek to address changes in the threats,
vulnerabilities or impacts of information security incidents. (Wikipedia, 2014)
COBIT 5
COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. The framework addresses both business and IT functional areas across an enterprise and considers the IT-related interests of internal and external stakeholders. Enterprises of all sizes, whether commercial, not-for-profit or in the public sector, can benefit from COBIT 5.
In this paper the emphasis of COBIT is put on risk and information security; in parallel to the standard COBIT enabler processes guide, I have consulted COBIT 5 for Information Security and COBIT 5 for Risk Management.
ISACA, Business model for Information Security
The Business Model for Information Security provides an in-depth explanation to a holistic
business model which examines security issues from a systems perspective. Explore various
media, including journal articles, webcasts and podcasts, to delve into the Business Model for
Information Security and to learn more about how to have success in the IS field in today's
market. (ISACA, 2010)
ISC2, Common Body of Knowledge
The (ISC)² Common Body of Knowledge is a taxonomy, a collection of topics relevant to information security professionals around the world. The (ISC)² Common Body of Knowledge establishes a common framework of information security terms and principles which allows information security professionals worldwide to discuss, debate, and resolve matters pertaining to the profession with a common understanding, as described by Shon Harris (2003).
I have not used this book actively, but a great deal of my knowledge on information security management started with the CISSP credential that I obtained in 2004. Therefore I consider it important in this paper.
NIST 800-53
NIST Special Publication 800-53, "Recommended Security Controls for Federal Information
Systems and Organizations," catalogs security controls for all U.S. federal information
systems except those related to national security. It is published by the National Institute of
Standards and Technology, which is a non-regulatory agency of the United States Department
of Commerce. NIST develops and issues standards, guidelines, and other publications to assist
federal agencies in implementing the Federal Information Security Management Act of 2002
(FISMA) and to help with managing cost effective programs to protect their information and
information systems. (Wikipedia, 2013)
Background on master project
Information security and cyber security have been hot news items for a few years now; it is hard to imagine a day going by without a high-profile security incident in the news. These incidents have contributed to an information security approach that is addressed in an ad-hoc manner. The information security people of today are the firemen of your network boundaries and systems. They keep your house in an acceptable shape when the fire breaks loose. But these firemen should be the last resort to rely on. In our society we try to avoid calling these firemen, and we do not rely on them to monitor and warn us when something happens, since this is a shared responsibility between the government, society (you and me) and the firemen. Information security in the corporate world needs to be treated as a shared responsibility too in order to obtain an adequate level of acceptance, success and financial support. The board and executive management have to keep oversight and implement rules and policies. Staff should apply the rules and inform the firemen, whenever required, upon detection of an anomaly. As in our society, controls have to be put in place to ensure the rules and policies are adhered to.
The biggest obstacle to this seemingly easy solution is that information security and technology change at high velocity. Something secure today could suffer a zero-day exploit by tomorrow, and a day after it could be a gaping hole in your fortress. Preparedness is key; therefore information security should be on the board's agenda and integrated into the corporate governance process. The difficulty remains in aligning the triangle of business, IT and information security.
Some facts and figures from Kaspersky (2013):
- Maintaining information security is the main issue faced by companies' IT management
- In the past 12 months (year 2012), 91% of the responding companies had at least one external incident and 85% reported internal incidents
- A serious incident can cost a large company an average of $649,000; for small and medium-sized companies the bill averages at about $50,000.
- A successful targeted attack on a large company can cost it $2.4 million in direct financial losses and additional costs.
- For a medium-sized or small company, a targeted attack can mean about $92,000 in damages, almost twice as much as an average attack.
- Information leaks committed using mobile devices, intentionally or accidentally, constitute the main internal threat that companies are concerned about for the future.
The seriousness of the threats, the costs and the high volume of attacks show that information security is to be taken seriously by any organisation, whether small or big. Not to mention all the privacy and data related issues such as those experienced in 2013 with the leakage of confidential data by Edward Snowden. It also pinpoints that the internal threat is becoming increasingly important.
Information security governance definitions
Currently there is a myriad of different definitions for an identical idea or concept. Unfortunately there is no silver bullet that answers it all. This chapter outlines some definitions taken from respectable bodies across the globe, though this list is not exhaustive.
Some of the key goals of an information security programme are to protect the company's assets, reduce risk, set rules and provide compliance with law and regulation. In other words, it protects assets against theft, misuse, unavailability, unauthorised disclosure, tampering, legal liability etc.
A successful information security governance approach demands full integration into the corporate strategy and enterprise governance, is aligned with IT and contributes to the overall success of the company, according to ISACA's guidance for boards and directors (2006). The omnipresence of information security in IT demands a new culture, transforming today's enterprises from a "buying a solution" approach to a security aware culture. By setting the tone at the top, a company can transform its current culture into an information security aware environment. There is a wealth of frameworks and standards available to provide guidance in this complex task of covering all information security related subjects a company has to deal with, such as the ISO 27001(2) ISMS framework, COBIT for security, the NIST 800-53 publication etc.
Definition from NIST on information security governance:
Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. (NIST, 2006)
Information security governance is more than just setting tone and strategy; to receive buy-in from the Board of Directors and senior management, one needs to be able to express the potential benefits of applying good information security governance.
Definition from ISACA (2006)
An information security governance framework generally entails:
- A comprehensive security strategy explicitly linked with business and IT objectives
- An effective security organisational structure
- A security strategy that talks about the value of information protected and delivered
- Security policies that address each aspect of strategy, control and regulation
- A complete set of security standards for each policy to ensure that procedures and guidelines comply with policy
- Institutionalised monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk
- A process to ensure continued evaluation and update of security policies, standards, procedures and risks
Information Security Governance at the Board of Directors
Understanding the role of the Board of Directors in information security governance requires one to look at how it interacts with corporate governance and what tasks the Board of Directors exercises in that context.
The mandate of a director of the board is dual, from Stanford (2011):
- Advisory: consult with management regarding the strategic and operational direction of the company.
- Oversight: monitor company performance and reduce agency costs.
This translates to a set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly, from ITGI/ISACA (2003).
Risk management is one of the key elements in Information Security Governance; defining risk and setting the tone by defining the risk appetite level is one of the practices required. Additionally, information security governance requires strategic direction and impetus. It requires commitment, resources and assignment of responsibility for information security management, as well as a means for the board to determine that its intent has been met.
[Figure 1: Does your board regularly, occasionally, rarely or never complete the following actions? Bar chart with the categories Regularly / Occasionally / Rarely or never on a 0% to 60% scale. Source: Jody R. Westby, 2012]
ISACA (2006) states, experience has shown that the effectiveness of information security
governance is dependent on the involvement of senior management in approving policy, and
appropriate monitoring and metrics coupled with reporting and trend analysis.
The literature research results in the following list of responsibilities and/or tasks expected to be taken up by the Board of Directors in the context of Information Security Governance.
- Risk Management, setting the tone by defining the risk appetite
- Identify information security leaders, provide resources and support
- Direction, strategy and leadership, put information security on the board's agenda
- Ensure effectiveness of the information security policy
- Integrate a strategic committee
- Staff awareness and training
- Measurement, monitoring and audit
Are these practices also exercised by the board members, and to what extent are they considered effective?
Leadership, strategy and value
According to S.H von Solms/R. von Solms (2009), information security is a direct corporate
governance responsibility and lies squarely on the shoulders of the Board of a company. It
emphasizes the fact that everybody in the company has an information security responsibility
– from the Chairperson of the board to the newest junior secretary.
ISACA (2006) states that information security is a top-down process requiring a comprehensive security strategy that is explicitly linked to the organisation's business processes and strategy.
Ana Dutra (2012) finds that board composition is a serious impediment if not done right. Today's challenges require new perspectives and skills. But boards often lack the ability to objectively evaluate their makeup to determine if they have the right people and skills at the table.
Jody R. Westby (2012) discovered in a recent study that boards still underestimate the importance of relatively new expertise domains such as information technology and risk and security. However, the report indicates progress: 27% of the respondents indicated that their board had an outside director with cyber security experience, up from 18% in 2010. And 64% of the respondents think it is very important to have risk and security experience when hiring a new director.
Although the importance attached to risk and security knowledge seems fair, it is still low compared to skills like management and financial knowledge, especially considering the importance of and dependence on technology and the Internet.
[Figure 2: How important is each type of experience when recruiting new directors? Bar chart with the categories Very important or important / Somewhat important / Not important / Don't know on a 0% to 100% scale. Source: Jody R. Westby, Governance of Enterprise Security]
Leadership
According to ISACA (2006), information security governance consists of the leadership, organisational structures and processes that safeguard critical information assets. In this paper, however, the focus lies on the outcomes expected by the ISACA report, as they show the results of leadership. The expected results are:
- Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
- Resource management by utilising information security knowledge and infrastructure efficiently and effectively
- Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure organisational objectives are achieved
To achieve the outcomes a company requires some concrete practices. Some identified practices map almost one to one onto the outcomes, whereas others are practices that provide input to obtain the expected outcome.
- Review of annual budgets
Fifty-three percent (53%) of respondents said their board rarely or never reviewed and approved annual budgets for privacy and IT security programs, finding by Jody R. Westby (2012).
- Review roles and responsibilities
Fifty-six percent (56%) of respondents indicated their board rarely or never reviewed and approved roles and responsibilities of personnel responsible for privacy and security risks, finding by Jody R. Westby (2012).
- Review of top level policies
Forty-one percent (41%) of respondents said their board rarely or never reviewed and approved top-level policies regarding privacy and security risks, finding by Jody R. Westby (2012).
- Leadership of CEO, president or board
23% of the respondents see the lack of leadership as an important obstacle in the overall strategic effectiveness of their organisation's security function, from PriceWaterhouseCoopers (2012).
- Establish a risk committee of the board of directors
Only 28% of the respondents report having a risk committee with board members included, according to Deloitte (2011).
- Add board members with risk experience
19% of the respondents have risk experienced members added or present in their current board, according to Deloitte (2011).
Many boards across the world are starting to bring information security governance into their activities. However, these practices are not widely adopted yet, and there is limited or no information on how well they are integrated and to what extent they can be considered effective. Perhaps the only part of the practices that has a head start is by far risk management and/or risk governance, which is traditionally covered in order to protect a company from financial risks etc. Boards are actively addressing risk management, but there is still a gap in understanding the linkage between cyber security risks and enterprise risk management, according to Carnegie Mellon University - Jody R. Westby (2012).
The leadership levels in a company regarding information security are still on the lower side. The fact that almost half of the respondents do not even review budgets, and that more than 40% of the respondents are not reviewing the official statement set in the form of a policy, is extremely worrying.
Strategy
Defining a strategy and setting direction is a crucial aspect in any governance domain, whether information security, risk or any other. The majority of the literature consulted for this thesis states that any information security strategy needs to be aligned with the business strategy in order to achieve results, acceptance and budgets adequate to execute the strategy. Similar to the leadership chapter, the results are focussed on the expected outcomes according to the ISACA document "guidance for Board of Directors and Executive management".
 Strategic alignment of information security with business strategy to support
organisational objectives
 Performance measurement by measuring, monitoring and reporting information
security governance metrics to ensure organisational objectives are achieved
 Value delivery by optimising information security investments in support of
organisational objectives
Aligning the business strategy and the information security strategy is a key factor in good governance practice. A study conducted by PriceWaterhouseCoopers (2014) states that 68% of the respondents assume their information security strategy is aligned with the business needs. However, a similar survey conducted in 2012 by Ernst & Young says that only 42% have their information security strategy aligned with their business strategy.
About 54% of the respondents state that they discuss information security topics in the boardroom on a quarterly basis or even more frequently. However, the remaining 46% never or almost never discuss the topic in the boardroom. Nonetheless, many respondents feel that the information security function is not meeting the organisational needs; only a minority feel they are fully aligned.
Figure 3, Does your function meet the organisational requirements? (Bar chart, 0% to 80%; categories: Fully aligned / Partially aligned.) Source: EY, Fighting to close the gap, 2012.
Note: there is in fact a one-year difference between both reports: the PriceWaterhouseCoopers report was released in 2014 with data based on 2013, while the EY report contains data and conclusions from 2012.
According to Tripwire-Ponemon (2013), improvements in commitment to risk-based security management haven't translated into a wider acceptance of a strategic approach to risk management among organizations. Nearly half of the respondents describe their risk-based security management approach or strategy as 'non-existent' or 'ad hoc' (46% U.S. and 48% U.K.). In contrast, only 29% (U.S.) and 27% (U.K.) have a risk-based security management strategy applied consistently across the enterprise.
The fact that leadership practices regarding information security are relatively poor translates into the strategy and alignment part. There is some level of alignment; however, there is a lot of room for improvement.
Enabling value
It is no secret that creating business value when it comes down to information security seems, for many information security practitioners, an impossible task today. I will not go into detail on the reasons why or why not, since there is little to no academic information to be found. However, in order to create something that is perceived as valuable to the business, there must be some alignment or at least interest from both groups to cooperate on the issue.
Figure 4, Organizational involvement in aligning risk-based security management with business objectives. (Bar chart, 0% to 60%; categories: Significant… / Moderate… / Little involvement / No involvement.) Source: Tripwire, 2013.
Undoubtedly one of the biggest challenges is to obtain organisational involvement in aligning risk-based security management with business objectives, as shown in Figure 4. When measuring value in regard to information security, it is mostly looked at in terms of reduced negative consequences from security incidents, generated from investments in control objectives, according to the Royal Institute of Sweden (2011). In that regard it remains an almost impossible task to convince the business that security is a value enabler. Providing metrics is often an argument used; however, a study from Tripwire-Ponemon (2013) states the most obvious remark in that respect: 50% of the respondents in the USA and UK say that the information is too technical to be understood by non-technical management. The same study reveals that 40% of the respondents only communicate with senior management when there is an actual incident. This is by far the worst moment to start a constructive and positive dialogue with senior management.
Measurement, monitoring and audit
An important aspect in governance is monitoring and measuring performance, security, finance, in fact any topic deemed important for the good functioning of the business. When looking into COBIT 5, many processes have an output to the process MEA02 (Monitor, Evaluate and Assess the system of internal control), which defines the importance of good monitoring capabilities to achieve governance. A company has an arsenal of possibilities to monitor and assess. A well-known monitoring tool is audit, whether internal or external. Undoubtedly any company that has a reputation to defend has some form of internal audit and performs an external control on a regular basis; mostly these actions are driven by compliance standards, industry regulations or by law. In the field of information security a company can add additional controls such as self-assessments, monitoring incidents, monitoring costs etc.; these help a company in assessing the efficiency of its information security strategy.
Figure 5, How does your organisation assess the efficiency and effectiveness of information security? (Bar chart; categories: Assessments performed by internal audit function / Internal self-assessments by IT or information security function / Assessment by external party / Monitoring and evaluation of security incidents and events / In conjunction with the external financial statement audit / Benchmarking against peers/competition / Evaluation of information security operational performance / Formal certification to external security standards.) Source: EY, Fighting to close the gap, 2012.
Internal audit is by far the most important tool used to assess the performance and report on progress toward achieving the organisational objectives. For the board of a company, audit and an audit committee are an important reporting line for receiving an objective status on how the company is performing and what the status is on different aspects of governance. However, only a limited number of companies have a strict segregation between the risk committee and the audit committee, which creates a conflict of interest. Only 8% of respondents said their boards have a Risk Committee that is separate from the Audit Committee, and of this 8%, only half oversee privacy and security. Audit Committees should not be responsible for establishing privacy and security programs and then also auditing them. This is an obvious segregation of duties issue at the board level, according to Jody R. Westby (2008). But as shown in Figure 6 the situation is improving: companies are separating the duties into different committees. As a consequence the Audit Committee's responsibility for oversight of risk dropped from 65% in 2008 to 35% in 2012, from Carnegie Mellon University - Jody R. Westby (2012).
Figure 7, Separate risk committee and audit committee. (Bar chart, 0% to 50%, for 2008, 2010 and 2012.) Source: Jody R. Westby, 2012.
Figure 6, Subjects actively addressed by the board. (Bar chart, 0% to 100%; categories: Responsibilities of senior… / Risk management / IT operations / Computer and information… / Mergers and acquisitions / Long term strategy & operations / Vendor management / Compliance.) Source: Jody R. Westby, 2012.
Risk management
Boards play a crucial role in risk oversight. Directors at corporations are encouraged to embrace entrepreneurial risk and pursue risk-bearing strategic operations, according to Matteo Tonello (2008). Apart from the economic stance, the main driver for Enterprise Risk Management is compliance with regulatory bodies and legal constraints. A useful risk approach, though, delivers advantage for any company and avoids abrupt business interruption. Information risk management does not differ that much; it is mostly driven by regulations. As shown in Figure 7, up to 91% of the companies have a form of risk management. Sarbanes-Oxley contributed to moving companies to address risk, whether business or information related. Whether these approaches have been efficient remains difficult to measure; recent years showed that too many times companies have taken too much entrepreneurial risk, jeopardising the entire enterprise, which is perhaps even one of the causes of the economic turmoil the world is in. It might look like a problem only within the financial sector, but other industries suffered as well because they did not take into account the risk of bankruptcy of big institutions. When it comes down to information security we can see similar events: the risks any enterprise faces when using modern technologies seem to be misjudged, or the risk appetite set is insufficiently articulated and/or too high. This gives attackers an edge and a great arsenal of attack vectors, since outdated and well-known attacks are still present and used.
Figure 8, I know the acceptable risk level in my daily duties. (You know the acceptable risk level you're allowed to take during your daily tasks.) (Bar chart, 0% to 100%; responses Strongly Agree / Agree / Neutral / Disagree / Strongly disagree; series Exec's and Board.) Source: Koen Maris, 2013.
Figure 9, Enterprise Risk Management program/structure in place. (Bar chart, 0% to 100%, for 2008, 2010 and 2012.) Source: Jody R. Westby, 2012.
Performing a risk assessment is important in mitigating risks, but success depends on other important factors in the risk management approach, such as defining a risk appetite statement and having it approved by the board of directors. In the context of information security very little information is available. Risk appetite is known by the board and executive members, with a slight difference between the two when looking at Figure 8. However, it seems that the communication about it is trailing behind. If we look at the broader context of Enterprise Risk Management, a study by Deloitte (2011) shows that only 67% of the boards approved a risk appetite statement. Designing risk management without defining your risk appetite is like designing a bridge without knowing which river it needs to span. Your bridge will be too long or too short, too high or too low, and certainly not the best solution to cross the river in question, as stated by E&Y (2012).
But judgement of risk and the risk appetite is subjective for each individual. When asking board members if they'd take more risk if that could help them to achieve their goals and get their bonuses, about 16% would agree; in the executive ranks about 30% would agree to do so, according to my survey (2013). According to a report from the European Audit Committee Leadership Network (2012), good risk management does not imply avoiding all risks at all cost. It does imply making informed and coherent choices regarding the risks the company wants to take in pursuit of its objectives and regarding the measures to manage and mitigate those risks. In an ERM system that lacks a well-articulated risk appetite framework, a business unit that reports no risks requires no action.
Identify information security leaders
The CRO is the most senior official of the enterprise who is accountable for all aspects of risk management across the enterprise. An IT risk officer function may be established to oversee risk within the IT departments. In some enterprises, when there is no specific CRO role, the CEO will be charged with chairing the committee, per delegation by the board, to oversee the day-to-day risk in the enterprise (COBIT 5 for Risk, 2013). The CRO title is being used by security-savvy companies that understand the need to integrate IT, physical and personnel risks and manage them through one position. Less than two thirds of the Forbes Global 2000 companies responding to the survey have full-time personnel in key roles responsible for privacy and security in a manner that is consistent with internationally accepted best practices and standards, according to Jody R. Westby (2012).
The CRO function undoubtedly has a crucial role in the overall risk setting of a company, especially if there is a direct connection between the CRO and the board. Other statistics show that up to 68% of the CRO functions have a direct reporting line to the board, while 33% of the CROs state that they meet the board when needed, in other words ad hoc, and 35% of the respondents claim to have board meetings quarterly (executiveboard.com, 2008). Twenty-six percent (26%) of respondents said their board rarely or never received reports from senior management regarding privacy and IT security risks; an additional 33% said they occasionally got such reports. Thirty-nine percent (39%) said they regularly received reports on privacy and IT security risks.
Figure 10, Key role risk/security function in place. (Bar chart, 0% to 90%, for CISO, CSO, CPO and CRO; responses Yes / No / Don't know.) Source: Jody R. Westby, Governance of Enterprise Security.
Board members are risk aware; whether they are risk averse or risk taking, they are used to making decisions based on a risk report. Parts of the risks are translated into a strategy and are put in place by a Chief Security Officer. I wasn't able to find a study to underpin whether a CISO/CSO should or should not report directly to a board, either via a committee or during a board meeting.
Information Security governance practices at the Executive Committee
In today's interconnected world in which companies conduct business, it would be virtually impossible to neglect or ignore the importance of information security across the organisation. Many enterprises have a form of information security management and address the technical issues related to protecting their information assets. Only a minority of companies have a strategy in place that is aligned with the company strategy. The lack of an information security strategy embedded in the corporate governance results in undercut budgets and limited support, eventually ending up with a less efficient or inefficient information security programme and leaving the company vulnerable.
Many frameworks, models, methodologies or best practices are readily available that address the importance of information security and how it should be incorporated into the overall structure of the company. I've identified a set of practices and structures by searching for the common parts in the previously mentioned frameworks, methodologies, models and standards. As a starting point I've used the 33 practices from De Haes & Van Grembergen (2008), since these cover a wide range of practices recognised as important factors in achieving alignment between the business strategy and the IT strategy of an enterprise. Since information security is closely related to information technology, I've opted to include these practices.
Figure 11, Greatest obstacles to improving information security. (Bar chart, 0% to 40%; categories: Insufficient capital expenditures / Lack of vision on how future business needs impact security / Lack of information security strategy / Insufficient operational expenditures.) Source: PriceWaterhouseCoopers, Global internet security survey 2014.
An important barometer to check whether information security can have a level of success is to see if the budgets are in line with the expectations of the business and with the risk exposure and risk appetite a company is facing.
As with many new technologies, being the unknown in the group does not help to gain confidence. While most security stakeholders agree that action should be taken to improve information security, there appears to be little consensus on the challenges to achieving it. Respondents were asked to identify the greatest obstacles to better security, and the answers revealed a wide range of diverging opinions and, in some cases, finger pointing, as concluded by PriceWaterhouseCoopers (2013).
Figure 12, Reasons for not collaborating on information security. (Bar chart, 0% to 35%; categories: Do not want to draw attention to potential weaknesses / Are concerned that a competitor would use such information to… / No one competitor is considerably more advanced than others / Distrust our competitors / Large organisations with more financial resources would use…) Source: PriceWaterhouseCoopers, 2013.
Information Security framework
The information security framework provides a set of documents encompassing policies, standards, guidelines and procedures, as defined in the ISO 27001:2013 standard. One of the crucial parts in the formalisation process is the integration, approved by senior management, of an information security policy across the entire organisation. The information security policy typically outlines the rules on how to conduct business in a secure fashion: the do's and don'ts when it comes down to the usage of the company's assets.
When looking in depth into the COBIT5 framework, we can see a shift from a merely operational approach to a more management-oriented approach when it comes down to information security. And we can see a clear top-down approach, since managing risk is considered at the governance level within the COBIT5 framework. Information security is no longer considered a purely operational part of your organisation. In COBIT5 it is represented in APO13 (Align, Plan and Organise); this process requires an input from an external source, which would be the ISMS in place, for example ISO2700x based, but it could also be a proper set of policies, standards and guidelines from a company.
Figure 14, How many respondents have a formally documented information security policy? (Bar chart, 0% to 100%: 2012 large organisations 95%; 2012 small organisations 63%; 2010 small organisations 67%.) Source: PriceWaterhouseCoopers, Information security breaches survey 2012.
Figure 13, I know the security policy of my company? (Bar chart, 0% to 80%; responses Strongly Agree / Agree / Neutral / Disagree / Strongly disagree; series Board, Exec and Overall.) Source: Koen Maris, 2013.
A survey executed by PriceWaterhouseCoopers (2012) shows a positive trend in the progress of developing a formal statement such as an information security policy, at least for the large organisations. It shows that companies, management and board, attach importance to information security. Though having a security policy in place says little about the maturity of the processes required to execute the security rules in a correct manner, and it does not show any level of assurance that it is kept up to date and reviewed on a regular basis. Another issue that arises is that a policy can have many forms, one better than the other. Some companies consider just an acceptable use policy as sufficient, where others have a very detailed and granular approach in addressing the information security issues of their company. Ideally a clear strategy is set and communicated by senior management; such a statement provides a clear message to all staff that information security is taken seriously in the organisation and that it is part of day-to-day business.
The majority of the respondents agreed that they know the security policy/strategy of their company, so a level of knowledge or awareness is present at the top level of the company. However, a small percentage disagreed, and there is some discrepancy between the fact that the majority of the people replied and/or believe that there is an information security policy present in the company and the fact that they have some knowledge about its content. This trend is confirmed by a survey performed on behalf of PriceWaterhouseCoopers (2012), stating:
"Possession of a security policy by itself does not prevent breaches; employees need to understand it and put it into practice. Only 26% of respondents with a security policy believe their employees have a very good understanding of it; 21% think the level of staff understanding is poor."
Chief Security Officer/Chief Information Security Officer
Any company of reasonable size requires, in today's corporate environment, a designated person responsible for addressing the information security requirements, obligations, reporting etc. In the majority of today's companies you'd be able to identify such a person; however, his or her title or position might be anything from chief information security officer to data/privacy officer or even IT security officer. Immediately one of the difficulties arises: whether to attach him/her to IT or to a business-related function. In addition, the responsibility oftentimes ends up in the hands of a Chief Finance Officer, Chief Information Officer or even the IT manager. Though having an information security function does not say anything about the success of this function and the quality of the information security programme carried out across the organisation.
An important aspect in the success and acceptance of a good information security programme is the reporting line; there is a lot of discussion on this topic and today there is no prescriptive rule to apply. If the reporting line is too closely related to the IT function or direction, such as with a CIO, it could create a separation of duties issue, as it would give the CIO the possibility to overrule an information security decision made by the security officer. But if the CISO/CSO is only responsible for IT-related matters, it would make sense to make him/her report to a CIO instead of to somebody else within the organisation.
Figure 16, To whom does your CSO/CISO report? (Bar chart, 0% to 40%; categories: CEO/COO / CFO / CIO / General counsel / Chief Audit Officer / Other.) Source: Jody R. Westby, 2012.
Figure 15, Any company should have an information security responsible? (Bar chart, 0% to 60%; series Board, Exec and Overall.) Source: Koen Maris, 2013.
In addition, the CIO may interfere with security procurements by favouring certain vendors or products without understanding the technological differences between the products, states Jody R. Westby (2012).
Michael Porter (1985) states that if you remove friction and solder smoother connections, you are providing a basis for competitive advantage for your organization. When applying that logic to a CSO/CISO role, it should be a transversal role in the company. And according to Derek Slater (2009) the CSO/CISO should be guiding the executives in detecting common challenges in a way that facilitates cooperation between departments.
Information Security Steering Committee
An information security steering committee provides a means to ensure good practice and that information security is applied effectively and consistently over the enterprise (COBIT 5 for security). The report Guidance for Boards of Directors from ISACA (2006) states that a steering committee serves as an effective communication channel for management's aims and directions and provides an ongoing basis for ensuring alignment of the security programme with organisational objectives. It is also instrumental in achieving behaviour change toward a culture that promotes good security practices and policy compliance.
According to an article by Tom Scholtz (2003), an information security steering committee must have a clear charter with a range of functions that should include but not be limited to:
 Managing the development and executive acceptance of an enterprise security charter.
 Assessing and accepting corporate-wide security policy (e.g., the corporate policy on security incident response, general behavioural policy). A major objective of this function is ensuring that business requirements are reflected in the security policy, thus ensuring that the policy enables rather than restricts business operations.
 Assessing any requests for policy exceptions from individual business units.
 Assessing, accepting, and sponsoring corporate-wide security investment (e.g.,
identity infrastructure deployment, remote access infrastructure), as well as requests to
be excluded from common investment.
 Providing a forum for discussion and arbitration of any disputes or disagreements
regarding common policy or investment issues.
 Acting as custodian and governance body of the enterprise security program by
ensuring visible executive support, as well as monitoring progress and achievements.
The role of a permanent governance structure reinforces the message that enterprise
security becomes an ongoing, long-term initiative.
 Assessing and approving the outsourcing of common security services, as well as
coordinating investment in appropriate relationship management resources. As the
lack of skilled resources increases the need to outsource operational services,
executive due diligence, risk assessment, and ongoing effectiveness assessment must
be coordinated through the steering committee.
 Initiating ad hoc projects to investigate the advantages, disadvantages, risks, and cost
of common security initiatives, and advising the committee with appropriate
recommendations.
 Representing the executive (board of directors) or its nominated information
governance body (e.g., an information executive board) in all corporate security
matters. Reporting back to these forums on the activities and effectiveness of
corporate security programs and investments.
 Acting as custodian of corporate-wide strategic security processes (e.g., role analysis,
data classification) by validating process ownership, responsibilities, and stakeholders.
 Acting as respondent to enterprise-level audit exceptions (i.e., those audit exceptions
where a specific individual cannot be found to be responsible).
 Coordinating and validating any external, security-related corporate communications
plans and activities (e.g., in the event of a high-profile, publicized security breach).
 Tracking major line-of-business IT initiatives to identify opportunities for synergy or
to leverage security investment.
 Governing trust relationships with major e-business partners.
Notwithstanding the importance of such a committee and the mandate it carries, I can only determine a low level of presence of such committees according to the information found in the surveys. According to the survey performed by Tripwire-Ponemon (2013), only 15% of the companies have a meeting organised on a regular basis, which in this survey means annually, quarterly or semi-annually.
In a PriceWaterhouseCoopers (2012) survey it was noted that only 47% of the respondents had an information security steering committee in place. Jody R. Westby's (2012) survey, as shown in Figure 17, is a little more positive, but the fact that risk is included could have an impact on the result. These results seem low, especially considering that the IT strategy committee is regarded as an efficient practice and reasonably easy to integrate in an organisation according to De Haes & Van Grembergen (2008).
Figure 17, Risk/Security committees are less rare. (Bar chart, 0% to 100%; categories: Audit committee / Governance/compliance… / Risk/Security committee / IT committee.) Source: Jody R. Westby, 2012.
It remains difficult to identify a direct cause of why an information security steering committee is only present in a limited number of companies. The reason might be found in the bottom-up approach of reporting, since the majority of security professionals find that their information is too technical and will not be understood by non-technical management, according to a Tripwire-Ponemon (2013) study. Getting such a committee to work requires sponsorship from senior management and eventually board members, but if security professionals are not willing to take up the task of transforming their reporting into comprehensible language, it will be impossible to get information security on the agenda.
Implementation of information security
Integrating or implementing information security across the organisation demands rigour and focus, since information technology, and thus security issues, evolve at high velocity. The pace of change is an aspect one has to take into account in order to keep up with the latest technology, compliance and regulation. There is no doubt that the actual integration of the controls occurs at the operational levels of a company, though it is the responsibility of the executive management to ensure that sufficient resources and budgets are available and that the priorities are respected as defined by that same management.
Regarding the budgets, a PriceWaterhouseCoopers (2014) survey revealed that only 8% of the IT budget is spent on security when we look into the IT aspect of information security. About 20% of those same respondents say they only spend about 1% of the total budget on information security. To make matters worse, 80% of those respondents from large organisations claim not to evaluate the return on investment on their security expenditure, according to PriceWaterhouseCoopers (2012).
About 80% of the same respondents claim that their security spending is aligned with their current business requirements, finds PriceWaterhouseCoopers (2012). When looking at a study from Deloitte (2012), it shows that 44% of their respondents said that budgets (2010-2011) stayed the same, and 34% claimed the budgets decreased. Prudence though is required when analysing the results, as studies show that information security budgets are often only a fraction of what is spent on security across the entire enterprise. Today most companies apply such a federated model, about 56% of the respondents claim. 74% of CISO respondents have executive commitment, but that has not translated into adequate funding in the majority of cases.
Information security does not only require an adequate budget; it relies on people with the right skillset. These are not readily available and, moreover, the security technologies are rapidly changing, requiring people to adapt and train on a continuous basis.
Blocking is not the answer. In many studies it is clear that companies are adapting to new ways of conducting business, but often it seems that the way to adapt is to block. When looking at social media, 45% of the companies said they block social media in combination with adjusting the policy, according to the study from E&Y (2012). And with the rise of BYOD we can see a similar attitude: 52% are considering blocking access or allowing it in a very limited fashion. The way to mitigate new risks such as smartphones and tablets looks focussed on the formal approach and less on the technical implications such technology has. Could this mean that companies are willing to accept the risk, are tired of using technology as a solution, or perhaps lack funding?
Figure 18, Which of the following controls have you implemented to mitigate the new or increased risks related to the use of mobile computing including tablets and smartphones? (Bar chart, 0% to 60%; categories: Policy adjustments / Increased security awareness activities / Encryption techniques / New mobile device management software / Allow the use of company-owned devices, but disallow use of… / Governance process to manage the use of mobile applications / Architectural changes.) Source: Ernst & Young, 2012.
Monitoring and assessments
Executive management should monitor that the framework and its corresponding controls are
working effectively, that security breaches are contained, that incident response is working
correctly and that the company is in compliance with regulatory bodies.
In practice we see that 82% of the CSO/CISOs are responsible for measuring and reporting
cyber security; however, only 8% of these same respondents are currently measuring the value
and effectiveness of their enterprise cyber security organization's activities, says
Deloitte (2012). Figure 5 shows that only 48% of the respondents monitor and evaluate
security incidents and events, though more than 60% do internal audit assessments and
self-assessments by IT or information security. Top performing companies in regards to
information security use the top 4 approaches in order to evaluate and monitor their
information security practices in the organisation, according to E&Y (2012).
[Figure 19, How many respondents measure the effectiveness of their security expenditure?
PriceWaterhouseCoopers, Information security breaches survey, 2012. Bar chart (0% to 50%,
small versus large organisations) of: Measuring trend in security incidents/costs;
Benchmarking against other organisations; Return on investment (ROI) calculation;
Measuring staff awareness; Monitoring level of regulatory compliance; Other formalised
processes; Do not formally evaluate.]
Awareness and communication
It is important to make a clear distinction between awareness and training. Awareness
typically defines the "what", in order to influence the general behaviour of your targeted
audience. It prepares people to put things in perspective and opens their eyes to aspects they
generally would not think about. Training, however, goes deeper into the details, for example
the technical details of how a virus or a control technique works. Training takes the "how"
part more into consideration and is mostly established for a specific audience or target group.
However, security awareness remains one of the most underfunded and overlooked mechanisms
for improving your information security programme, says Rebecca Herold (2005).
ESET, a popular anti-virus vendor, asked the question "Have you ever had any security
training?" whilst studying the implications of the bring-your-own-device strategy emerging
in the corporate environment. The defined target audience was U.S. adults employed at the
time of the survey. The level of training received appears rather low compared to the
importance attached to the subject by top management. Only 32% of employees say they
received training when taking up their new job, according to a survey performed by
Cisco (2008).
[Figure 20, Have you ever had any security training? ESET survey 2012. Pie chart: Yes 32%,
No 68%.]
A PriceWaterhouseCoopers study (The Global State of Information Security Survey 2014) remarks
that 21% of their respondents have a policy on security awareness training and about 59% of
those same respondents have a senior executive communicating on the importance of
information security. Cisco and ESET seem to arrive at a similar result, and the
PriceWaterhouseCoopers (2014) survey shows that the policy itself does not guarantee the
execution of the task.
A consensus between board members and executives can be found in the approach on how to
communicate on information security. As shown in Table 1, a security awareness campaign is
considered the best way to share information security knowledge across an organisation. All
groups set the same criteria in regards to communication of information security. It is a
positive trend that awareness and security policies are receiving the same level of attention
from top to bottom in an organisation, though there is some kind of knowing-doing gap.
Everyone knows about the importance, yet as other surveys show, the level of doing is
relatively low when it comes down to awareness campaigns.
Rank  Board                        Executives                   Overall
1     Security awareness campaign  Security awareness campaign  Security awareness campaign
2     Formal security policies     Formal security policies     Formal security policies
3     Email                        Official statements/reports  Official statements/reports
4     Official statements/reports  Email                        Intranet
5     Intranet                     Intranet                     Email
Each respondent had the choice of 5 answers and was asked to put them in order of importance, where 1 was the most and 5 the least
important. All proposed answers were shown in random order.
Table 1, What is the best way to share security knowledge (policy, incident management, control procedures, etc…)?
Survey Koen Maris 2013
While many agree and talk about the subject, only few put its importance into practice.
Ernst & Young (2012) performed a survey that indicates that only 9% of the companies see
security awareness as a priority in the next 12 months.
Any security awareness programme should be a continuous effort, just as we experience in
our daily lives. We have to be reminded continuously about the dangers when moving in
traffic, whether we're a pedestrian, using a bicycle or a car. Every year around the Christmas
holidays we are kindly reminded about the dangers of drinking and driving. There is no
surprise in there that this is a deadly cocktail, and even though we went through a training
programme during our induction into traffic, our driver's license, we tend to forget this. It
is no different with information security: the same techniques are used or reused over and
over again and still we are prone to these attacks. Hence the importance of a recurrent
approach; repetition is king.
[Figure 21, How do respondents ensure staff are aware of security threats?
PriceWaterhouseCoopers, Information Security breaches survey, 2012. Bar chart (0% to 100%)
for large organisations and small organisations, split into "Induction only" and "Ongoing".]
According to a Tripwire-Ponemon (2013) study the reporting line from bottom to top is not
working properly: in about 60 percent of the cases reporting is not happening, or only when a
severe security risk is revealed. A more serious issue is that negative facts are filtered
before being disclosed to senior management. This dramatically limits the opportunity for
effective communication and reduces the organization's visibility into the urgency of security
issues, according to the Tripwire-Ponemon (2013) report. About 12% of the UK respondents in
the Tripwire-Ponemon (2013) study say that senior executives are not interested. This is
extremely worrying given the high volume of cyber security issues in the media, and perhaps
it shows more the lack of communication capabilities of some of the security professionals.
[Figure 22, Why is communication with senior executives not considered effective?
Tripwire-Ponemon, The state of risk based security, 2013. Bar chart (0% to 70%) of the
reasons: Communications are contained in only one department or line of business; The
information is too technical to be understood by non-technical management; Communications
occur at too low a level; Negative facts are filtered before being disclosed to senior
executives and the CEO; We only communicate with senior executives when there is an actual
incident; It takes too much time and resources to prepare reports to senior executives; The
information can be ambiguous, which may lead to poor decisions; Senior executives are not
interested in this information; Other.]
Conclusion
Which level of information security governance “awareness” is present at the level of Board
of Directors and executive management in a contemporary enterprise?
In many cases board members and executive management are progressing on the path to
information security governance and many surveys that explore this path indicate that there is
a decent level of awareness present. A positive indicator is that a number of practices at the
board and on management level are following a positive trend. At the same time it also shows
that being aware about an issue does not guarantee that the issue is addressed accordingly.
If there is a general point that requires attention it must be communication, from top to bottom
and vice versa. It seems that the board and its members are looking at information security
as an important part of conducting business today, but they aren't getting the required
information in order to do so. This is confirmed by the fact that executive management is
not very good at bottom-up reporting. The information is filtered and, at best, reported when a
severe incident has occurred, which is by far the best way to start a constructive discussion on
information security. Secondly, it might be worth having an independent committee to take the
decisions, prepare the reports and provide the required feedback for the executive
management and the board members to have full transparency on information security
incidents, projects, etc.
Such a communication channel might open the path to have executive management develop a
clear information security governance strategy aligned with the overall enterprise strategy and
have it approved by the board to get the required sponsorship.
Board members
Which practices (structures, procedures) have been identified?
There have been a number of practices identified specifically related towards the board and its
members. The following practices have been identified:
- Leadership, strategy and value
- Measurement, audit and monitoring
- Risk management
- Identify security leaders
To what extent are these practices considered effective?
Measuring the effectiveness of those practices is not always an easy goal to achieve. But
companies, and more specifically board members, are well aware of managing risk, and the
effectiveness can be deduced from the fact that the majority is aware of the risk appetite
set in their company. It was unclear whether a company having thoughtful leadership and
enterprise risk management in place had also identified a security leader. Many companies
have a security leader, whether it is a Chief Risk Officer or any other information security
related function. But whether this is due to legal and compliance obligations or because of
good leadership and high awareness remains unclear. The audit and monitoring parts are well
in place, but the degree of effectiveness can be doubtful, especially due to the fact that only
half of the companies have a strict separation between the risk and audit committees.
Which practices are well adopted in today's enterprise?
The practices regarding leadership, alignment and value are the least adopted; all the others
are fairly well adopted and show a positive trend for improvement. When it comes down to
leadership, most boards are still neglecting information security. This could explain the fact
that business and information security are not well aligned and there is little or no value
creation for business when looking at information security. As an ultimate excuse, the
technical complexity is used to justify this neglect.
What are the main drivers for implementing these practices?
In many cases the drivers are still legal and compliance related issues that push for more
information security. A severe incident also triggers the attention of board members; whether
this is because of legal consequences or financial interest is unclear. In either case it remains an
ad-hoc modus operandi, which is not a sustainable approach to address information security.
Executive management
Which practices (structures, procedures) have been identified?
Identifying the practices for the executive management regarding information security
provide more tangible results compared to those of the board members. The following
practices have been identified:
- Information Security Framework
- Chief Security Officer/Chief Information Security Officer
- Information Security Steering Committee
- Implementation of information security
- Monitoring and assessment
- Awareness and communication
To what extent are these practices considered effective?
The majority of companies today have a security framework/policy in place and the majority
of the people say they know about it. Though this says little about the level of understanding
regarding the policy, and there the answers point in the opposite direction. In most companies
of a reasonable size there is a Security Officer. The effectiveness of such a role is heavily
dependent on the reporting line this person has, and in some cases this is creating a problem
since the bottom-up reporting does not occur at all or is biased.
The steering committee is only gaining ground slowly and it remains difficult to judge its
effectiveness. When such a committee is well integrated in a company it could be an ideal
lever to address issues to management and board, and it could improve the reporting line.
Implementing security is done to some extent; it is no secret that budgets are under pressure in
the difficult economic circumstances of today. The fact that only a small number of
companies is evaluating the return on investment on security spending could be a reason that
security budgets stay low. Having the support of your senior management is not the only
factor required to get adequate funding. At the same time this attitude is shown in the
monitoring part. Fewer than 10% of the security officers say that they effectively measure
and evaluate the effectiveness of their controls and funding. Though there is a better level of
monitoring when it comes down to the monitoring of incidents and audit and self-assessment.
Which practices are well adopted in today's enterprise?
The two least adopted practices are the information security steering committee and
awareness. Regarding information security awareness, companies are conscious of the
importance, but there is still a big gap between what they know and what they are effectively
doing. However, there is a positive trend and companies are recognising the value of spending
money and resources for awareness purposes. The steering committee is less adopted, but it is
gaining ground.
What are the main drivers for implementing these practices?
Legal and compliance remain a big motivator for implementing information security; the
interest from the senior levels of companies is relatively low since it remains a complex and
highly technological subject. The fact that information security is put on agendas only whenever
there is a severe incident is not helping; this is a negative situation which makes it extremely
difficult to put information security in a positive light. On top of this, reporting is often not
done in a correct fashion: facts are changed, severity is lowered or reporting does not occur
at all. All these factors together make it virtually impossible to get information security on
the agenda of the decision makers.
End note
The research revealed some aspects, though a lot of questions remain open, especially on the
effectiveness side. Many aspects are not measured for effectiveness, and the links between the
structures and procedures and how they influence each other are not well researched. An
interesting point would be to see whether companies with good Enterprise Risk Management
also have good information security governance, and whether a good reporting line from
bottom to top would improve the strategy and also give better top-down communication.
Table of Figures
Figure 1, Does your board regularly, occasionally, rarely or never complete the following actions? Jody R.
Westby, 2012 ........................................................................................................................................................ 18
Figure 2, How important is each type of experience when recruiting new directors? Jody R. Westby governance
of Enterprise security............................................................................................................................................. 20
Figure 3, Does your function meets the organisational requirements? EY, Fighting to close the gap, 2012 ........ 23
Figure 4, Organizational involvement in aligning risk-based security management with business objectives
Tripwire,2013 ........................................................................................................................................................ 24
Figure 5, How does your organisation assess the efficiency and effectiveness of information security? EY,
Fighting to close the gap, 2012............................................................................................................................. 25
Figure 7, Subject actively addressed by the board Jody R. Westby, 2012 ............................................................. 26
Figure 6, Separate risk committee and audit committee Jody R. Westby, 2012 ................................... 26
Figure 8, I know the acceptable risk level in my daily duties. (You know the acceptable risk level you're allowed
to take during your daily tasks.) Koen Maris, 2013............................................................................................... 27
Figure 9,Enterprise Risk Management program/structure in place Jody R. Westby, 2012................................... 27
Figure 10, Key role risk/security function in place Jody R. Westby governance of Enterprise security ................ 29
Figure 11,Greatest obstacles to improving information security PriceWaterhouseCoopers, Global internet
security survey 2014.............................................................................................................................................. 31
Figure 12, Reasons for not collaborating on information security PriceWaterhouseCoopers, 2013..................... 32
Figure 13, I know the security policy of my company? Koen Maris, 2013............................................................. 33
Figure 14,How many respondents have a formally documented information security policy?
PriceWaterhouseCoopers, Information security breaches survey 2012................................................................ 33
Figure 15, Any company should have an information security responsible? Koen Maris, 2013 ......................... 35
Figure 16, To whom does your CSO/CISO report? Jody R. Westby, 2012.............................................................. 35
Figure 17, Risk/Security committee are less rare Jody R. Westby, 2012 ............................................................... 38
Figure 18, Which of the following controls have you implemented to mitigate the new or increased risks related
to the use of mobile computing including tablets and smartphones? Ernst & Young, 2012................................. 40
Figure 19, How many respondents measure the effectiveness of their security expenditure?
PriceWaterhouseCoopers, Information security breaches survey, 2012............................................................... 41
Figure 20, Have you ever had a any security training ESET survey 2012 .............................................................. 42
Figure 21, How do respondents ensure staff are aware of security threats? PriceWaterhouseCoopers,
Information Security breaches survey, 2012 ......................................................................................................... 44
Figure 22,Why communication with senior executives is not considered effective? Tripwire-Ponemon, The state
of risk based security, 2013................................................................................................................................... 45
Bibliography
Allen, J. H. (2007). Governing for Enterprise Security. Carnegie Mellon Cylab, CERT.
CISCO. (2008). The Effectiveness of Security.
Deloitte. (2011). Global risk management survey, 7th edition.
Dutra, A. (2012). A more effective board of directors. Harvard Business Review, 2.
Ernst & Young. (2012). Risk-appetite : the strategic balancing act. Retrieved from
www.ey.com.
European Audit Committee Leadership Network. (2012). Strategy, risk appetite at the board.
Viewpoints.
Harris, S. (2003). CISSP all in one guide second edition.
ISACA. (2006). Information Security Governance: Guidance for boards of directors and
executive management. ISACA.
ISACA. (2010). Business Model for Information Security. ISACA.
ISACA. (2012). COBIT 5.
ISACA. (n.d.). COBIT 5: A Business Framework for the Governance and Management of
Enterprise IT. Retrieved from ISACA:
http://www.isaca.org/COBIT/Pages/default.aspx?cid=1003566&Appeal=PR
NIST. (2006). Information Security handbook: A guide for managers. Special publication
800-100.
Porter, M. (1985). Competitive advantage.
PriceWaterhouseCoopers. (2012). Information Security Breaches Survey Technical Report.
PWC.
PriceWaterhouseCoopers. (2013). The Global State of Information Security Survey.
Royal institute of technology. (2011). Assessing Future Value of Investments in Security-
Related IT Governance Control Objectives.
Slater, D. (2009). What is a CSO. Retrieved from CSOonline:
http://www.csoonline.com/article/2124612/it-careers/what-is-a-cso--part-2.html
Solms, S. v. (2008). Information security governance. Springer.
Stanford Graduate School of Business. (2011). Board of Directors: Duties & Liabilities.
Steven De Haes, Ph.D. and Wim Van Grembergen, Ph.D. (2008). Practices in IT Governance
and Business/IT Alignment. ISACA journal, 6.
Tom Scholtz. (2003). The role of corporate information security steering committee.
Retrieved from SCmagazine: http://www.scmagazine.com/the-role-of-the-corporate-
information-security-steering-committee/article/30595/
Tonello, M. (2008). Corporate Governance Handbook: Legal standards and board practices
3rd edition. The conference board.
Tripwire-Ponemon. (2013). The state of risk based security.
University, C. M. (2012). Governance of Enterprise Security: Cylab 2012 Report.
Westby, J. R. (2012). Governance of Enterprise Security. Carnegie Mellon University Cylab.
Retrieved from CyLab Survey Reveals Gap in Board Governance of Cyber Security:
https://www.cylab.cmu.edu/news_events/news/2008/governance.html
Wikipedia. (2013). NIST Special Publication 800-53. Retrieved from Wikipedia:
http://en.wikipedia.org/wiki/NIST_Special_Publication_800-53
Wikipedia. (2014). ISO/IEC 27000-series. Retrieved from Wikipedia:
http://en.wikipedia.org/wiki/ISO/IEC_27000-series
Secure by design
Secure by designSecure by design
Secure by design
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
 
SBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesSBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing Processes
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdf
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security Risks
 
Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013
Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013
Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructure
 
Security Strategies for Success
Security Strategies for SuccessSecurity Strategies for Success
Security Strategies for Success
 
Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?
 
Industry Overview: Big Data Fuels Intelligence-Driven Security
Industry Overview: Big Data Fuels Intelligence-Driven SecurityIndustry Overview: Big Data Fuels Intelligence-Driven Security
Industry Overview: Big Data Fuels Intelligence-Driven Security
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
 
ICISS Newsletter Sept 14
ICISS Newsletter Sept 14ICISS Newsletter Sept 14
ICISS Newsletter Sept 14
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
 
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
 

Recently uploaded

Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Recently uploaded (20)

Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 

Information Security Governance at Board and Executive Level

  • 4. 4 Abstract Corporate governance and in more specific governance of enterprise IT are important factors in building solid companies that require agile strategies. Difficulties in alignment remain present as not every boardroom recognises the importance of its information technology infrastructure in place at the company. The rapid growth of emerging Internet technologies forced companies to address information security. In the early days companies looked at information security as a solely technical matter, different complex technologies that came with high expenses were available to mitigate risk factors related to the use of the Internet. In a second era, security management practices were integrated in the company structure. The objective of this function is mostly about setting a formal statement by means of policies, standards, procedures and guidelines in order to maintain an adequate level of security. It provides a structured way of organising the information security landscape and monitors the enterprise to keep it in compliance with the integrated policies. Such a formal statement expresses the importance on information security by the executive management and/or the board. Since information security governance is a relative new area it doesn't always receive the required attention such as business support, management support and eventually the necessary budgets to keep Mr Evil out. The reasons why information security is not receiving the required attention are plenty, but a main issue that it is failing to get on the agenda could be that the upper levels of an organisational structure do not receive the information required to get their attention, or that companies are risk taking instead of risk averse or it seems impossible to identify value for the business. 
Security is about avoiding something, where a new application is about adding functionality in order to increase efficiency, production etc… Unfortunately, security is still seen as a business disabler.
  • 5. 5 Definitions This chapter explains the terms and definitions used that could cause doubt or misinterpretation. Awareness: knowledge or perception of a situation or fact (Oxford dictionary) Security awareness: Security awareness is the extent to which staff understands the importance of information security, the level of security required by the organisation and their individual security responsibilities. (Standard of Good Practices for Information Security, ISF) Risk appetite: The amount and type of risk an organization is willing to accept in pursuit of its business objectives. Risk tolerance: The specific maximum risk that an organization is willing to take regarding each relevant risk. ISMS (information security management system): "An information security management system (ISMS) is a set of policies concerned with information security management or IT related risks. The idioms arose primarily out of BS 7799."(Wikipedia, 2013) CRO: Chief Risk Officer CSO: Chief Security Officer, covers all security aspects those outside IT as well CISO: Chief Information Security Officer, in charge of information related security, not physical aspects
  • 6. 6 Problem statement and research questions Information security is often associated with technology, which makes it difficult to get it on the radar of the executives and board members. Anything that is technology related is by default classified as boring, not interesting, expensive and never works for exec's and board members. The omnipresence of information technology makes it the lifeblood of most organisations. It would difficult to imagine a company not relying on information technology, perhaps for a short period of time it could survive, but in the long run it would not be sustainable. And in the most recent years it would be even more difficult to think in business terms without being connected to the Internet. Imagine that your company would not have a working email system for a few days, or no possibility to connect to a branch office because the Internet service is not working properly. This dependence on technology and the Internet will only increase in the upcoming years due to cloud technologies, VOIP, BYOD etc… Julia H. Allen (2007) states, that the interest of the decision makers in today's organisations is not proportional with the dependence on technology and their related information security issues. Executive managers, business managers and even the members of the board do not necessarily understand the complex nature of information security. As a result little interest is shown in the matter and in a worst case security is considered an expense or a discretionary budget-line item. Worthwhile to see how companies' board and executive management have the knowledge or import the knowledge in their working environment to cope with complexity and rapid changing information security technology. It appears that information security staff and business managers are too far out of sync in order to define appropriate solutions offering a balance between risk and business value. 
In any case risk based management has still its merits, but like information technology, the information security needs to align with business requirements and the risk appetite business
  • 7. 7 is willing to take. Those benefitting from security and those responsible for security have different interests and different goals. Higher risk appetite becomes the reason to deny additional budgets to information security which indirectly contributes to the idea that management knows they need to address security but they don't for various reasons. Research questions: Which level of information security governance “awareness” is present at the level of Board of Directors and executive management in a contemporary enterprise?  Which practices (structures, procedures) have been identified?  To what extent are these practices considered effective?  Which practices are well adopted in today's enterprise?  What are the main drivers for implementing these practices? Conceptual model:
  • 8. 8 Assumptions: In today's contemporary enterprises there is some awareness level at the Board of Directors and Executive Committee. However a clear enterprise wide strategy on information security is often not present and in the best case immature if present. Resulting in limited financial support, lower budgets and an ad-hoc approach when it comes down to information security. Methodology The research in this paper is performed on available literature, both academic and from the business environment, survey's publically available done by academics and consultancy firms and a survey I've performed among a small number of board of directors and executive managers. The empirical findings come from public available reports and surveys performed by mayor consultancy firms and some renowned academic institutions. Identification process In all consulted literature there were common practices present which one might expect from board members and executive management when it comes down to information security, these are used as the basis in the identification process. Board of Directors have some tasks, such as leadership, which are not a one to one mapping against a well-known procedure and/or structure as found in most literature. In such a case there are multiple parts to explain the practice with the relevant information and statistics in order to have some insight on how well it is adopted and how effective its usage is. Awareness survey: A custom developed survey containing some basic governance practices inspired on the 33 practices from De Haes & Van Grembergen (2008) and the most important ones are
  • 9. 9 confirmed by a group of security professionals that responded on a survey. The target audience for the survey enquiry is based on:  Board members with different backgrounds (different industries)  Executive management, with different job functions  Mid management, typical team leaders, project manager non-executive management  Administration, consultants, business architects, administrative personnel Together with peers from the information security field we decided to limit the survey to the most important practices. Peers are asked to identify at least 3 practices that are key in establishing a successful information security program. We concluded that the most important practices to measure are( in order of importance):  An information security responsible in the company  A formal information security policy in place  Communication of information security across the company  Risk appetite statement Third party surveys: A collection of surveys conducted by mayor consultancy firms is used addressing information security management/governance, risk management/governance, security reporting on breaches etc… These reports contain surveys conducted by these large consultancy firms, with a large respondent's base varying different types of industries, different levels of hierarchy and different types of job functions. Most of the surveys come in a form of official report where statistics are used to underpin the end conclusion present in the report.  PriceWaterhouseCoopers: Global Internet Ssecurity Ssurvey 2014 Respondents: 9600 executives from 115 countries, cross industry
  • 10. 10  PriceWaterhouseCoopers: Information Security Breaches Survey 2012 Respondents: 447 organisations, 46% >500 employees  Ernst & Young: Fighting to close the gap, 2012, cross industry Respondents: 1836 executives from 64 countries, cross industry  Jody R. Westby Carnegie Mellon, Governance of Enterprise Security 2012 Respondents: 108 board or senior executives from Forbes Global 2000 companies Half of the respondents are board members, and the other half are non-director senior executives. Twenty-four percent (24%) of the respondents are board chairs and 44% are on Audit, Governance or Risk committees. Jody R. Westby (2012)  Deloitte: Global Risk Management Survey 2011 Respondents:131 financial institutions  Deloitte: State governments at risk: a call for collaboration and compliance 2012 Respondents: 50 CISOs (48 states and two territories) USA only  Tripwire-Ponemon: The state of risk based security 2013 Respondents: 1,320 professionals in IT security, information risk management and IT operations in the United States and the United Kingdom Literature: Academic publications, books and papers released by consultancy firms, vendors of security products and information security related organisations are included to gather information on information security governance practices, the drivers behind information security governance, the practices used and to see how effectiveness is measured.
Frameworks, methodologies and models

The frameworks, methodologies and models used in this paper have similar approaches in addressing information security. The similar approaches, practices and structures identified are used as the starting point to identify the practices described in this paper.

ISO 2700x

The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series). The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organizations of all shapes and sizes. All organizations are encouraged to assess their information security risks, then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents. (Wikipedia, 2014)

COBIT 5

COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. The framework addresses both business and IT functional areas across an enterprise and considers the IT-related interests of internal and external stakeholders. Enterprises of all sizes, whether commercial, not-for-profit or in the public sector, can benefit from COBIT 5. In this paper the emphasis of COBIT is put on risk and information security; in parallel to the standard COBIT enabler processes guide I've consulted COBIT 5 for Information Security and COBIT 5 for Risk Management.

ISACA, Business Model for Information Security

The Business Model for Information Security provides an in-depth explanation of a holistic business model which examines security issues from a systems perspective. Explore various media, including journal articles, webcasts and podcasts, to delve into the Business Model for Information Security and to learn more about how to have success in the IS field in today's market. (ISACA, 2010)

ISC2, Common Body of Knowledge

The (ISC)² Common Body of Knowledge is a taxonomy: a collection of topics relevant to information security professionals around the world. The (ISC)² Common Body of Knowledge establishes a common framework of information security terms and principles which allows information security professionals worldwide to discuss, debate, and resolve matters pertaining to the profession with a common understanding, from Shon Harris (2003). I've not used this book actively, but a great deal of my knowledge on information security management started by getting the CISSP credential that I obtained in 2004. Therefore I consider it as important in this paper.

NIST 800-53

NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," catalogs security controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and to help with managing cost effective programs to protect their information and information systems. (Wikipedia, 2013)
Background on master project

Information security and cyber security have been hot news items for a few years now; it is hard to imagine a day going by without a high profile security incident in the news. These incidents have contributed to an information security approach that is addressed in an ad-hoc mode. The information security people of today are the firemen of your network boundaries and systems. They keep your house in an acceptable shape when the fire breaks loose. But these firemen should be the last resort to rely on. In our society we try to avoid calling the firemen, and we do not rely on them to monitor and warn us when something happens, since this is a shared responsibility between the government, society (you and me) and the firemen. Information security in the corporate world needs to be treated as a shared responsibility too in order to obtain an adequate level of acceptance, success and financial support. The board and executive management have to keep oversight and implement rules and policies. Staff should apply the rules and inform the firemen, whenever required, upon detection of an anomaly. As in our society, controls have to be put in place to ensure the rules and policies are lived by. The biggest issue in achieving this seemingly easy solution is that information security and technology change at high velocity. Something secure today could suffer a zero-day exploit tomorrow, and the day after it could be a gaping hole in your fortress. Preparedness is key; therefore information security should be on the board's agenda and integrated into the corporate governance process. The difficulty remains in aligning the triangle of business, IT and information security.
Some facts and figures from Kaspersky (2013)

- Maintaining information security is the main issue faced by companies' IT management
- In the past 12 months (the year 2012), 91% of the responding companies had at least one external incident and 85% reported internal incidents
- A serious incident can cost a large company an average of $649,000; for small and medium-sized companies the bill averages about $50,000.
- A successful targeted attack on a large company can cost it $2.4 million in direct financial losses and additional costs.
- For a medium-sized or small company, a targeted attack can mean about $92,000 in damages, almost twice as much as an average attack.
- Information leaks committed using mobile devices, intentionally or accidentally, constitute the main internal threat that companies are concerned about for the future.

The seriousness of threats, the costs and the high volume of attacks show that information security is to be taken seriously by any organisation, whether small or big. Not to mention all the privacy and data related issues, such as the 2013 leakage of confidential data by Edward Snowden. It also pinpoints that the internal threat is becoming increasingly important.
Information security governance definitions

Currently there is a myriad of different definitions for an identical idea or concept. Unfortunately there is no silver bullet that answers it all. This chapter outlines some definitions taken from respectable bodies across the globe, though this list is not exhaustive.

Some of the key goals of an information security programme are to protect the company's assets, reduce risk, set rules and provide compliance with law and regulation. In other words, it protects assets against theft, misuse, unavailability, unauthorised disclosure, tampering, legal liability etc. A successful information security governance approach demands full integration into the corporate strategy and enterprise governance, aligned with IT, and contributes to the overall success of the company, from ISACA, guidance for board and directors (2006). The omnipresence of information security in IT demands a new culture, transforming from the "buying a solution" approach to a security aware culture in today's enterprises. By setting the tone at the top, a company can transform its current culture into an information security aware environment. There is a raft of frameworks and standards available to provide guidance in this complex task to cover all the information security related subjects a company has to deal with, such as the ISO 27001(2) ISMS framework, COBIT for security, the NIST 800-53 publication etc.

Definition from NIST on information security governance:

Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. (NIST, 2006)

Information security governance is more than just setting tone and strategy; to receive buy-in from the Board of Directors and senior management one needs to be able to express some potential benefits of applying good information security governance.

Definition from ISACA (2006)

An information security governance framework generally entails:

- A comprehensive security strategy explicitly linked with business and IT objectives
- An effective security organisational structure
- A security strategy that talks about the value of information protected and delivered
- Security policies that address each aspect of strategy, control and regulation
- A complete set of security standards for each policy to ensure that procedures and guidelines comply with policy
- Institutionalised monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk
- A process to ensure continued evaluation and update of security policies, standards, procedures and risks
Information Security Governance at the Board of Directors

Understanding the role of the Board of Directors in information security governance requires a look at how it interacts with corporate governance and what tasks the Board of Directors exercises in that context. The mandate of a director of the board is dual, from Stanford (2011):

- Advisory: consult with management regarding strategic and operational direction of the company.
- Oversight: monitor company performance and reduce agency costs.

This translates to a set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly, from ITGI/ISACA (2003). Risk management is one of the key elements in Information Security Governance; defining risk and setting the tone by defining the risk appetite level is one of the practices required. Additionally, information security governance requires strategic direction and impetus. It requires commitment, resources and assignment of responsibility for information security management, as well as a means for the board to determine that its intent has been met. ISACA (2006) states that experience has shown that the effectiveness of information security governance is dependent on the involvement of senior management in approving policy, and appropriate monitoring and metrics coupled with reporting and trend analysis.

[Figure 1: Does your board regularly, occasionally, rarely or never complete the following actions? Jody R. Westby, 2012]

The literature research results in the following list of responsibilities and/or tasks expected to be taken up by the Board of Directors in the context of Information Security Governance.

- Risk management, setting the tone by defining the risk appetite
- Identify information security leaders, provide resources and support
- Direction, strategy and leadership, put information security on the board's agenda
- Ensure effectiveness of the information security policy
- Integrate a strategic committee
- Staff awareness and training
- Measurement, monitoring and audit

Are these practices also exercised by the board members, and to what extent are they considered effective?

Leadership, strategy and value

According to S.H. von Solms/R. von Solms (2009), information security is a direct corporate governance responsibility and lies squarely on the shoulders of the Board of a company. It emphasizes the fact that everybody in the company has an information security responsibility, from the Chairperson of the board to the newest junior secretary.
ISACA (2006) states that information security is a top-down process requiring a comprehensive security strategy that is explicitly linked to the organisation's business processes and strategy. Ana Dutra (2012) finds that board composition is a serious impediment if not done right. Today's challenges require new perspectives and skills. But boards often lack the ability to objectively evaluate their makeup to determine if they have the right people and skills at the table. Jody R. Westby (2012) discovered in a recent study that boards still underestimate the importance of relatively new expertise domains such as information technology and risk and security. However the report indicates progress: 27% of the respondents indicated that their board had an outside director with cyber security experience, up from 18% in 2010. And 64% of the respondents think it is very important to have risk and security experience when hiring a new director. Although the importance placed on risk and security knowledge seems fair, it is still low compared to skills like management and financial knowledge, especially when looking at the importance of and the dependence on technology and the Internet.

[Figure 2: How important is each type of experience when recruiting new directors? (Very important or important / Somewhat important / Not important / Don't know) Jody R. Westby, Governance of Enterprise Security]
Leadership

According to ISACA (2006) information security governance consists of the leadership, organisational structures and processes that safeguard critical information assets. In this paper, though, the focus lies on the outcomes expected by the ISACA report, as they show the results of leadership. The expected results are:

- Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
- Resource management by utilising information security knowledge and infrastructure efficiently and effectively
- Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure organisational objectives are achieved

To achieve the outcomes a company requires some concrete practices. Some identified practices are almost a one-to-one mapping with the outcomes, whereas others are practices that provide input to obtain the expected outcome.

- Review of annual budgets: fifty-three percent (53%) of respondents said their board rarely or never reviewed and approved annual budgets for privacy and IT security programs, finding by Jody R. Westby (2012).
- Review roles and responsibilities: fifty-six percent (56%) of respondents indicated their board rarely or never reviewed and approved roles and responsibilities of personnel responsible for privacy and security risks, finding by Jody R. Westby (2012).
- Review of top level policies: forty-one percent (41%) of respondents said their board rarely or never reviewed and approved top-level policies regarding privacy and security risks, finding by Jody R. Westby (2012).
- Leadership of CEO, president or board: 23% of the respondents see the lack of leadership as an important obstacle to the overall strategic effectiveness of their organisation's security function, from PriceWaterhouseCoopers (2012).
- Establish a risk committee of the board of directors: only 28% of the respondents reply that they have a risk committee with board members included, according to Deloitte (2011).
- Add board members with risk experience: 19% of the respondents have risk experienced members added or present in their current board, according to Deloitte (2011).

Many boards across the world are starting to get information security governance into their activities. However these practices are not widely adopted yet, and there is limited or no information on how well they are integrated and to what extent they can be considered effective. Perhaps the only part of the practices that has a head start is by far risk management and/or risk governance, which is traditionally covered in order to protect a company from financial risks etc. Boards are actively addressing risk management, but there is still a gap in understanding the linkage between cyber security risks and enterprise risk management, according to Carnegie Mellon University - Jody R. Westby (2012). The leadership levels in a company regarding information security are still on the lower side. The fact that almost half of the respondents do not even review budgets and that more than 40% of the respondents are not reviewing the official statement set in the form of a policy is extremely cumbersome and worrying.
Strategy

Defining a strategy and setting direction is a crucial aspect in any governance domain, whether information security, risk or any other. The majority of the literature consulted for this thesis states that any information security strategy needs to be aligned with the business strategy in order to achieve results, acceptance and the budgets adequate to execute the strategy. Similar to the leadership chapter, the results are focussed on the expected outcomes according to the ISACA document "Guidance for Board of Directors and Executive Management".

- Strategic alignment of information security with business strategy to support organisational objectives
- Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure organisational objectives are achieved
- Value delivery by optimising information security investments in support of organisational objectives

Aligning the business strategy and the information security strategy is a key factor in good governance practices. A study conducted by PriceWaterhouseCoopers (2014) states that 68% of the respondents assume their information security strategy is aligned with the business needs. However a similar survey conducted in 2012 by Ernst & Young says that only 42% have their information security strategy aligned with their business strategy. About 54% of the respondents state that they discuss information security topics in the boardroom on a quarterly basis or even more frequently. However the remaining 46% never or almost never discuss the topic in the boardroom. Nonetheless, many respondents feel that the information security function is not meeting the organisational need; a minority feel they are fully aligned.

[Figure 3: Does your function meet the organisational requirements? (Fully aligned / Partially aligned) EY, Fighting to close the gap, 2012]

Note: there is in fact one year difference between both reports; the PriceWaterhouseCoopers report was released in 2014 with data based on 2013, while the EY report contains data and conclusions from 2012.

According to Tripwire-Ponemon (2013), improvements in commitment to risk-based security management haven't translated into a wider acceptance of a strategic approach to risk management among organizations. Nearly half of the respondents describe their risk-based security management approach or strategy as 'non-existent' or 'ad hoc' (46% U.S. and 48% U.K.). In contrast, only 29% (U.S.) and 27% (U.K.) have a risk-based security management strategy applied consistently across the enterprise.

The fact that leadership practices regarding information security are relatively poor translates into the strategy and alignment part. There is some level of alignment; however, there is a lot of room for improvement.

Enabling value

It is no secret that creating business value when it comes down to information security seems, for many information security practitioners, an impossible task today. I will not go into detail on the reasons why or why not, since there is little to no academic information to be found. However, in order to create something that is perceived as valuable to business there must be some alignment, or at least interest from both groups to cooperate on the issue.

[Figure 4: Organizational involvement in aligning risk-based security management with business objectives (Significant / Moderate / Little involvement / No involvement). Tripwire, 2013]
Undoubtedly one of the biggest challenges is to obtain some organisational involvement in aligning risk based security management with business objectives, as shown in Figure 4. When measuring value in regard to information security, it is mostly looked at in terms of reduced negative consequences from security incidents generated from investments in control objectives, according to the Royal Institute of Sweden (2011). In that regard it remains an almost impossible task to convince business that security is a value enabler. Providing metrics is often an argument used; however, a study from Tripwire-Ponemon (2013) states the most obvious remark in that respect: 50% of the respondents in the USA and UK say that the information is too technical to be understood by non-technical management. The same study reveals that 40% of the respondents only communicate with senior management when there is an actual incident. This is by far the worst time frame to start a constructive and positive dialogue with senior management.

Measurement, monitoring and audit

An important aspect in governance is monitoring and measuring performance, security, finance, in fact any topic deemed important for the good functioning of the business. When looking into COBIT 5, many processes have an output to the process MEA02 (Monitor, Evaluate and Assess the system of internal control), which defines the importance of good monitoring capabilities to achieve governance. A company has an arsenal of possibilities to monitor and assess. A well-known monitoring tool is audit, whether internal or external. Undoubtedly any company that has a reputation to defend has some form of internal audit and performs an external control on a regular basis; mostly these actions are driven by compliance standards, industry regulations or by law. In the field of information security a company can add additional controls such as self-assessments, monitoring incidents, monitoring costs etc.; these help a company in assessing the efficiency of their information security strategy.

[Figure 5: How does your organisation assess the efficiency and effectiveness of information security? Categories: assessments performed by internal audit function; internal self-assessments by IT or information security function; assessment by external party; monitoring and evaluation of security incidents and events; in conjunction with the external financial statement audit; benchmarking against peers/competition; evaluation of information security operational performance; formal certification to external security standards. EY, Fighting to close the gap, 2012]

Internal audit is by far the most important tool used to assess the performance and report on progress to achieve the organisational objectives. For the board of a company, audit and an audit committee are an important reporting line to receive an objective status on how the company is performing and what the status is on different aspects of governance. Though, only a limited number of companies have a strict segregation between the risk committee and the audit committee, which creates a conflict of interest. Only 8% of respondents said their boards have a Risk Committee that is separate from the Audit Committee, and of this 8%, only half of them oversee privacy and security. Audit Committees should not be responsible for establishing privacy and security programs and then also auditing them. This is an obvious segregation of duties issue at the board level, according to Jody R. Westby (2008). But as shown in Figure 6 the situation is improving; companies are separating the duties into different committees. As a consequence the Audit Committee responsibility for oversight of risk dropped from 65% in 2008 to 35% in 2012, from Carnegie Mellon University - Jody R. Westby (2012).

[Figure 6: Subject actively addressed by the board (responsibilities of senior…, risk management, IT operations, computer and information…, mergers and acquisitions, long term strategy & operations, vendor management, compliance). Jody R. Westby, 2012]

[Figure 7: Separate risk committee and audit committee, 2008 / 2010 / 2012. Jody R. Westby, 2012]

Risk management

Boards play a crucial role in risk oversight. Directors at corporations are encouraged to embrace entrepreneurial risk and pursue risk-bearing strategic operations, according to Matteo Tonello (2008). Apart from the economic stance, the main driver for Enterprise Risk Management is compliance with regulatory bodies and legal constraints. Though a useful risk approach delivers advantage for any company and avoids abrupt business interruption. Information risk management does not differ that much; it is mostly driven by regulations. As shown in Figure 7, up to 91% of the companies have a form of risk management. Sarbanes-Oxley contributed to moving companies to address risk, whether business or information related. Whether these approaches have been efficient remains difficult to measure; recent years have shown that too many times companies have taken too much entrepreneurial risk, jeopardising the entire enterprise and perhaps even being one of the causes of the economic turmoil the world is in. It might look like a problem only within the financial sector, but other industries suffered as well because they did not take into account the risk of bankruptcy for big institutions. When it comes down to information security we can see similar events: the risk any enterprise faces when using modern technologies seems to be misjudged, or the risk appetite set is insufficiently articulated and/or too high. This gives attackers an edge and a great arsenal of attack vectors, since outdated and well-known attacks are still present and used. Performing a risk assessment is important in mitigating risks, but the success depends on other important factors in the risk management approach, such as defining a risk appetite statement and having it approved by the board of directors. In the context of Information Security very little information is available. Risk appetite is known by the board and executive members; there is a slight difference when looking at Figure 8. However it seems that the communication about it is trailing behind. If we look at the broader context of Enterprise Risk Management, a study of Deloitte (2011) shows that only 67% of the boards approved a risk appetite statement. Designing risk management without defining your risk appetite is like designing a bridge without knowing which river it needs to span. Your bridge will be too long or too short, too high or too low, and certainly not the best solution to cross the river in question, stated by E&Y (2012). But judgement of risk and the risk appetite is subjective for each individual.

[Figure 8: I know the acceptable risk level in my daily duties. (You know the acceptable risk level you're allowed to take during your daily tasks.) Strongly Agree to Strongly Disagree, Exec's vs Board. Koen Maris, 2013]

[Figure 9: Enterprise Risk Management program/structure in place, 2008 / 2010 / 2012. Jody R. Westby, 2012]
When asking board members if they would take more risk if that could help them to achieve their goals and get their bonuses, about 16% would agree; in the executive ranks about 30% would agree to do so, according to my survey (2013). According to a report from the European Audit Committee Leadership Network (2012), good risk management does not imply avoiding all risks at all cost. It does imply making informed and coherent choices regarding the risks the company wants to take in pursuit of its objectives and regarding the measures to manage and mitigate those risks. In an ERM system that lacks a well-articulated risk appetite framework, a business unit that reports no risks requires no action.

Identify information security leaders

The CRO is the most senior official of the enterprise who is accountable for all aspects of risk management across the enterprise. An IT risk officer function may be established to oversee risk within the IT departments. In some enterprises the CEO will be charged with chairing the committee, per delegation by the board, to oversee the day-to-day risk in the enterprise when there is no specific CRO role (COBIT 5 for Risk, 2013). The CRO title is used by security savvy companies that understand the need to integrate IT, physical and personnel risks and manage them through one position. Less than two thirds of the Forbes Global 2000 companies responding to the survey have full-time personnel in key roles responsible for privacy and security in a manner that is consistent with internationally accepted best practices and standards, according to Jody R. Westby (2012). The CRO function undoubtedly has a crucial role in the overall risk setting of a company, especially if there is a direct connection between the CRO and the board. Other statistics show that up to 68% of the CRO functions have a direct reporting line to the board, where 33% of the CROs state that they meet the board when needed, in other words ad hoc, and 35% of the respondents claim to have board meetings quarterly (executiveboard.com, 2008).

[Figure 10: Key role risk/security function in place (CISO, CSO, CPO, CRO: Yes / No / Don't know). Jody R. Westby, Governance of Enterprise Security]

Twenty-six percent (26%) of respondents said their board rarely or never received reports from senior management regarding privacy and IT security risks; an additional 33% said they occasionally got such reports. Thirty-nine percent (39%) said they regularly received reports on privacy and IT security risks. Board members are risk aware; whether they are risk averse or risk taking, they are used to making decisions based on a risk report. Parts of the risks are translated into a strategy and are put in place by a Chief Security Officer. I wasn't able to find a study to underpin whether a CISO/CSO should or should not report directly to a board, either via a committee or during a board meeting.
  • 31. 31 Information Security governance practices at the Executive Committee In today’s interconnected world in which companies conduct business it would be virtually impossible to neglect and ignore the importance of information security across the organisations. Many enterprises have a form of information security management and address the technical issues related to protecting their information assets. Only a minority of companies have a strategy in place, aligned with the company strategy. The lack of information security strategy embedded into the corporate governance results in undercut budgets, limited support and eventually ending up with a less or inefficient information security programme leaving a company vulnerable. Many frameworks, models, methodologies or best practices are readily available addressing the importance of information security and how it should be incorporated into the overall structure of the company. I’ve identified a set of practices and structures by searching the common parts in the previously mentioned frameworks, methodologies, models and standards. As a starting point I’ve used the 33 practices from De Haes & Van Grembergen (2008) since these cover a wide range of practices recognised as important factors in achieving alignment between a business strategy and an IT strategy of an enterprise. Since information security is closely related to information technology hence the reason that I’ve opted to include these practices. 0% 20% 40% Insufficient capital expenditures Lack of vision on how future business needs impact security Lack of information security strategy Insufficient operational expenditures Figure 11,Greatest obstacles to improving information security PriceWaterhouseCoopers, Global internet security survey 2014
An important barometer to check whether information security can have a level of success is to see whether the budgets are in line with the expectations of the business and with the risk exposure and risk appetite a company is facing. As with many new technologies, being the unknown in the group does not help to gain confidence. PriceWaterhouseCoopers (2013) concluded: "While most security stakeholders agree that action should be taken to improve information security, there appears to be little consensus on the challenges to achieve it. We asked respondents to identify the greatest obstacles to better security. The answers revealed a wide range of diverging opinions and, in some cases, finger pointing."

[Figure 12, Reasons for not collaborating on information security (categories: Do not want to draw attention to potential weaknesses; Are concerned that a competitor would use such information to…; No one competitor is considerably more advanced than others; Distrust our competitors; Large organisations with more financial resources would use…). PriceWaterhouseCoopers, 2013]
Information Security framework

The information security framework provides a set of documents encompassing policies, standards, guidelines and procedures, as defined in the ISO 27001:2013 standard. One of the crucial parts of the formalisation process is the integration, approved by senior management, of an information security policy across the entire organisation. The information security policy typically outlines the rules on how to conduct business in a secure fashion: the do's and don'ts when it comes to the usage of the company's assets.

When looking in depth into the COBIT 5 framework, we can see a shift from a merely operational approach to a more management-oriented approach to information security, and a clear top-down approach, since managing risk is considered at the governance level within the COBIT 5 framework. Information security is no longer considered a purely operational part of the organisation. In COBIT 5 it is represented in APO13 (Align, Plan and Organise); this process requires an input from an external source, which would be the ISMS in place, for example ISO 2700x based, but could also be a proper set of policies, standards and guidelines from the company.

[Figure 13, I know the security policy of my company? (answers: Strongly Agree, Agree, Neutral, Disagree, Strongly disagree; series: Board, Exec, Overall). Koen Maris, 2013]

[Figure 14, How many respondents have a formally documented information security policy? (bars: 2012 large organisations; 2012 small organisations; 2010 small organisations; values shown 95%, 63%, 67%). PriceWaterhouseCoopers, Information security breaches survey 2012]
A survey by PriceWaterhouseCoopers (2012) shows a positive trend in the development of a formal statement such as an information security policy, at least for the large organisations. It shows that companies, management and board, attach importance to information security. Though having a security policy in place says little about the maturity of the processes required to execute the security rules in a correct manner, and it gives no assurance that the policy is kept up to date and reviewed on a regular basis. Another issue is that a policy can have many forms, one better than the other. Some companies consider just an acceptable use policy as sufficient, where others have a very detailed and granular approach to addressing the information security issues of their company. Ideally a clear strategy is set and communicated by senior management; such a statement provides a clear message to all staff that information security is taken seriously in the organisation and that it is part of day-to-day business.

The majority of the respondents agreed that they know the security policy/strategy of their company, so a level of knowledge or awareness is present at the top level of the company. However, a small percentage disagreed, and there is some discrepancy between the fact that the majority of the people replied and/or believe that there is an information security policy present in the company and the fact that they have some knowledge about its content. This trend is confirmed by a survey performed on behalf of PriceWaterhouseCoopers (2012), stating: "Possession of a security policy by itself does not prevent breaches; employees need to understand it and put it into practice. Only 26% of respondents with a security policy believe their employees have a very good understanding of it; 21% think the level of staff understanding is poor."
Chief Security Officer/Chief Information Security Officer

Any company of a reasonable size requires, in today's corporate environment, a designated person responsible for addressing the information security requirements, obligations, reporting etc… In the majority of today's companies you would be able to identify such a person; however, his or her title or position might be anything from chief information security officer to data/privacy officer or even IT security officer. Immediately one of the difficulties arises: whether to attach him/her to IT or to a business-related function. In addition, the responsibility oftentimes ends up in the hands of a Chief Finance Officer, Chief Information Officer or even the IT manager. Though having an information security function says nothing about the success of this function and the quality of the information security programme carried out across the organisation.

[Figure 15, Any company should have an information security responsible? (series: Board, Exec, Overall). Koen Maris, 2013]

[Figure 16, To whom does your CSO/CISO report? (categories: CEO/COO; CFO; CIO; General counsel; Chief Audit Officer; Other). Jody R. Westby, 2012]

An important aspect in the success and acceptance of a good information security programme is the reporting line; there is a lot of discussion on this topic and today there is no prescriptive rule to apply. If the reporting line is too closely related to the IT function or direction, such as with a CIO, it could create a separation-of-duties issue: it would give the CIO the possibility to overrule an information security decision made by the security officer. But if the CISO/CSO is only responsible for IT-related matters, it would make sense to make him/her report to a CIO rather than to somebody else within the organisation. In addition, the CIO may interfere with security procurements by favouring certain vendors or products without understanding the technological differences between the products, states Jody R. Westby (2012). Michael Porter (1985) states that if you remove friction and solder smoother connections, you are providing a basis for competitive advantage for your organisation. When applying that logic to a CSO/CISO role, it should be a transversal role in the company. And according to Derek Slater (2009), the CSO/CISO should be guiding the executives in detecting common challenges in a way that facilitates cooperation between departments.

Information Security Steering Committee

An information security steering committee provides a means to ensure good practice and that information security is applied effectively and consistently over the enterprise (COBIT 5 for Information Security). The report Guidance for Boards of Directors from ISACA (2006) states that a steering committee serves as an effective communication channel for management's aims and directions and provides an ongoing basis for ensuring alignment of the security programme with organisational objectives. It is also instrumental in achieving behaviour change toward a culture that promotes good security practices and policy compliance. According to an article by Tom Scholtz (2003), an information security steering committee must have a clear charter with a range of functions that should include but not be limited to:

• Managing the development and executive acceptance of an enterprise security charter.
• Assessing and accepting corporate-wide security policy (e.g., the corporate policy on security incident response, general behavioural policy). A major objective of this function is ensuring that business requirements are reflected in the security policy, thus ensuring that the policy enables rather than restricts business operations.
• Assessing any requests for policy exceptions from individual business units.
• Assessing, accepting, and sponsoring corporate-wide security investment (e.g., identity infrastructure deployment, remote access infrastructure), as well as requests to be excluded from common investment.
• Providing a forum for discussion and arbitration of any disputes or disagreements regarding common policy or investment issues.
• Acting as custodian and governance body of the enterprise security programme by ensuring visible executive support, as well as monitoring progress and achievements. The role of a permanent governance structure reinforces the message that enterprise security becomes an ongoing, long-term initiative.
• Assessing and approving the outsourcing of common security services, as well as coordinating investment in appropriate relationship management resources. As the lack of skilled resources increases the need to outsource operational services, executive due diligence, risk assessment, and ongoing effectiveness assessment must be coordinated through the steering committee.
• Initiating ad hoc projects to investigate the advantages, disadvantages, risks, and cost of common security initiatives, and advising the committee with appropriate recommendations.
• Representing the executive (board of directors) or its nominated information governance body (e.g., an information executive board) in all corporate security matters, and reporting back to these forums on the activities and effectiveness of corporate security programmes and investments.
• Acting as custodian of corporate-wide strategic security processes (e.g., role analysis, data classification) by validating process ownership, responsibilities, and stakeholders.
• Acting as respondent to enterprise-level audit exceptions (i.e., those audit exceptions where a specific individual cannot be found to be responsible).
• Coordinating and validating any external, security-related corporate communications plans and activities (e.g., in the event of a high-profile, publicised security breach).
• Tracking major line-of-business IT initiatives to identify opportunities for synergy or to leverage security investment.
• Governing trust relationships with major e-business partners.

Notwithstanding the importance of such a committee and the mandate it carries, I can only determine a low level of presence of such committees according to the information found in the surveys. According to the survey performed by Tripwire-Ponemon (2013), only 15% of the companies have a meeting organised on a regular basis, which in this survey means annual, quarterly or semi-annual. In a PriceWaterhouseCoopers (2012) survey it was noted that only 47% of the respondents had an information security steering committee in place.

[Figure 17, Risk/Security committees are less rare (categories: Audit committee; Governance/compliance…; Risk/Security committee; IT committee). Jody R. Westby, 2012]

The survey by Jody R. Westby (2012), as shown in Figure 17, is a little more positive, but the fact that risk is included could have an impact on the result. These results seem low, especially considering that the IT strategy committee is regarded as an effective practice and reasonably easy to integrate in an organisation according to De Haes & Van Grembergen (2008). It remains difficult to identify a direct cause of why an information security steering committee is only present in a limited number of companies. The reason might be found in the bottom-up approach of reporting, since the majority of security professionals find that their information is too technical and will not be understood by non-technical management, according to a Tripwire-Ponemon (2013) study. Getting such a committee to work requires sponsorship from senior management and eventually board members, but if security professionals are not willing to take up the task of transforming their reporting into comprehensible language, it will be impossible to get information security on the agenda.

Implementation of information security

Integrating or implementing information security across the organisation demands rigour and focus, since information technology, and thus security issues, evolve at high velocity. The pace of change is an aspect one has to take into account in order to keep up with the latest technology, compliance and regulation. There is no doubt that the actual integration of the controls occurs at the operational levels of a company, though it is the responsibility of executive management to ensure that sufficient resources and budgets are available and that the priorities, as defined by that same management, are respected.

Regarding the budgets, a PriceWaterhouseCoopers (2014) survey revealed that only 8% of the IT budget is spent on security when we look into the IT aspect of information security. About 20% of those same respondents say they only spend about 1% of the total budget on information security. To make matters worse, 80% of those respondents from large organisations claim not to evaluate the return on investment of their security expenditure, according to PriceWaterhouseCoopers (2012). About 80% of the same respondents claim that their security spending is aligned with their current business requirements, finds PriceWaterhouseCoopers (2012). A study from Deloitte (2012) shows that 44% of their respondents said that budgets (2010-2011) stayed the same, and 34% claimed the budgets decreased. Prudence is required when analysing the results, though, as studies show that information security budgets are oftentimes only a fraction of what is spent on security across the entire enterprise. Today most companies apply such a federated model, as about 56% of the respondents claim. Seventy-four percent (74%) of CISO respondents have executive commitment, but that has not translated into adequate funding in the majority of cases.

Information security does not only require an adequate budget; it relies on people with the right skillset. These are not readily available and, moreover, security technologies are rapidly changing, requiring people to adapt and train on a continuous basis.

Blocking is not the answer. In many studies it is clear that companies are adapting to new ways of conducting business, but oftentimes it seems that the way to adapt is to block. When looking at social media, 45% of the companies said they block social media in combination with adjusting the policy, according to the study from E&Y (2012). And with the rise of BYOD we can see a similar attitude: 52% are considering blocking access or allowing it in a very limited fashion. The way to mitigate new risks such as smartphones and tablets looks focussed on the formal approach and less on the technical implications such technology has. Could this mean that companies are willing to accept the risk, are tired of using technology as a solution, or perhaps lack funding?

[Figure 18, Which of the following controls have you implemented to mitigate the new or increased risks related to the use of mobile computing including tablets and smartphones? (categories: Policy adjustments; Increased security awareness activities; Encryption techniques; New mobile device management software; Allow the use of company-owned devices, but disallow use of…; Governance process to manage the use of mobile applications; Architectural changes). Ernst & Young, 2012]

Monitoring and assessments

Executive management should monitor that the framework and its corresponding controls are working effectively, that security breaches are contained, that incident response is working correctly, and that the company is in compliance with regulatory bodies. In practice we see that 82% of the CSO/CISOs are responsible for measuring and reporting cyber security; however, only 8% of these same respondents are currently measuring the value and effectiveness of their enterprise cyber security organisation's activities, says Deloitte (2012). Figure 5 shows that only 48% of the respondents monitor and evaluate security incidents and events, though more than 60% do internal audit assessments and self-assessments by IT or information security. Top performing companies in regard to information security use the top four approaches to evaluate and monitor their information security practices in the organisation, according to E&Y (2012).

[Figure 19, How many respondents measure the effectiveness of their security expenditure? (categories: Measuring trend in security incidents/costs; Benchmarking against other organisations; Return on investment (ROI) calculation; Measuring staff awareness; Monitoring level of regulatory compliance; Other formalised processes; Do not formally evaluate; series: Small, Large). PriceWaterhouseCoopers, Information security breaches survey, 2012]

Awareness and communication

It is important to make a clear distinction between awareness and training. Awareness typically defines the "what", in order to influence the general behaviour of the targeted audience. It prepares people to put things in perspective and opens their eyes to aspects they generally would not think about. Training, however, goes deeper into the details, for example the technical details of how a virus or a control technique works. Training addresses the "how" and is mostly established for a specific audience or target group. However, security awareness remains one of the most underfunded and most overlooked mechanisms for improving an information security programme, says Rebecca Herold (2005).

Have you ever had any security training? ESET, a popular anti-virus vendor, asked this question whilst studying the implications of the bring-your-own-device strategy emerging in the corporate environment. The defined target audience was U.S. adults employed at the time of the survey. The level of training received appears rather low compared to the importance attached to the subject by top management. Only 32% of employees say they received training when taking up their new job, according to a survey performed by Cisco (2008).

[Figure 20, Have you ever had any security training? (Yes 32%, No 68%). ESET survey 2012]
A PriceWaterhouseCoopers study (The global state of Internet Security Survey 2014) remarks that 21% of their respondents have a policy on security awareness training and about 59% of those same respondents have a senior executive communicating on the importance of information security. Cisco and ESET seem to draw a similar result, and the PriceWaterhouseCoopers (2014) survey shows that the policy itself does not guarantee the execution of the task.

A consensus between board members and executives can be found in the approach on how to communicate on information security. As shown in Table 1, a security awareness campaign is considered the best way to share information security knowledge across an organisation. All groups set the same criteria in regard to communication of information security. At first sight it is a positive trend that awareness and security policies receive the same level of attention from top to bottom in an organisation, though there is some kind of knowing-doing gap. Everyone knows about the importance, though, as other surveys show, the level of doing is relatively low when it comes down to awareness campaigns.

Rank  Board                         Executives                    Overall
1     Security awareness campaign   Security awareness campaign   Security awareness campaign
2     Formal security policies      Formal security policies      Formal security policies
3     Email                         Official statements/reports   Official statements/reports
4     Official statements/reports   Email                         Intranet
5     Intranet                      Intranet                      Email

Each respondent had the choice of 5 answers and was asked to put them in order of importance, where 1 was the most and 5 the least important. All proposed answers were shown in random order.

Table 1, What is the best way to share security knowledge (policy, incident management, control procedures, etc…)? Survey Koen Maris 2013
While many agree and talk about the subject, only few put its importance into practice. Ernst & Young (2012) performed a survey indicating that only 9% of the companies see security awareness as a priority in the next 12 months. Any security awareness programme should be a continuous effort, just as in our daily lives. We have to be reminded continuously about the dangers when moving in traffic, whether we are a pedestrian, using a bicycle or a car. Every year around the Christmas holidays we are kindly reminded about the dangers of drinking and driving. There is no surprise in there that this is a deadly cocktail, and even though we did a training programme on it during our induction into traffic, our driver's licence, we tend to forget this. It is no different with information security: the same techniques are used or reused over and over again, and still we are prone to these attacks. Hence the importance of a recurrent approach; repetition is king.

[Figure 21, How do respondents ensure staff are aware of security threats? (categories: Large organisations, Small organisations; series: Induction only, Ongoing; values shown 62%, 46%, 27%, 31%). PriceWaterhouseCoopers, Information Security breaches survey, 2012]
According to a Tripwire-Ponemon (2013) study, the reporting line from bottom to top is not working properly: in about 60 percent of the cases reporting is not happening, or only when a severe security risk is revealed. A more serious issue is that negative facts are filtered before being disclosed to senior management. This dramatically limits the opportunity for effective communication and reduces the organisation's visibility into the urgency of security issues, according to the Tripwire-Ponemon (2013) report. About 12% of the UK respondents in the Tripwire-Ponemon (2013) study say that senior executives are not interested; this is extremely worrying given the high volume of cyber security issues in the media, and perhaps it shows more the lack of communication capabilities of some of the security professionals.

[Figure 22, Why communication with senior executives is not considered effective? (categories: Communications are contained in only one department or line of business; The information is too technical to be understood by non-technical management; Communications occur at too low a level; Negative facts are filtered before being disclosed to senior executives and the CEO; We only communicate with senior executives when there is an actual incident; It takes too much time and resources to prepare reports to senior executives; The information can be ambiguous, which may lead to poor decisions; Senior executives are not interested in this information; Other). Tripwire-Ponemon, The state of risk based security, 2013]
Conclusion

Which level of information security governance "awareness" is present at the level of the Board of Directors and executive management in a contemporary enterprise?

In many cases board members and executive management are progressing on the path to information security governance, and many surveys that explore this path indicate that a decent level of awareness is present. A positive indicator is that a number of practices at board and management level follow a positive trend. At the same time it also shows that being aware of an issue does not guarantee that the issue is addressed accordingly. If there is a general point that requires attention it must be communication, from top to bottom and vice versa. It seems that the board and its members look at information security as an important part of conducting business today, but they are not getting the information required to do so. This is confirmed by the fact that executive management is not very good at bottom-up reporting. The information is filtered and is at best reported when a severe incident has occurred, which is far from the best way to start a constructive discussion on information security. Secondly, it might be worth having an independent committee take the decisions, prepare the reports and provide the required feedback for executive management and board members to have full transparency on information security incidents, projects etc… Such a communication channel might open the path for executive management to develop a clear information security governance strategy aligned with the overall enterprise strategy, and to have it approved by the board to get the required sponsorship.
Board members

Which practices (structures, procedures) have been identified?

A number of practices have been identified specifically related to the board and its members:

• Leadership, strategy and value
• Measurement, audit and monitoring
• Risk management
• Identify security leaders

To what extent are these practices considered effective?

Measuring the effectiveness of those practices is not always an easy goal to achieve. But companies, and more specifically board members, are well aware of managing risk, and effectiveness can be deduced from the fact that the majority are aware of the risk appetite set in their company. It was unclear whether a company having thoughtful leadership and enterprise risk management in place had also identified a security leader. Many companies have a security leader, whether it is a Chief Risk Officer or any other information security related function, but whether this is due to legal and compliance or because of good leadership and high awareness remains unclear. The audit and monitoring parts are well in place, but the degree of effectiveness can be doubtful, especially because only half of the companies have a strict separation between the risk and audit committees.

Which practices are well adopted in today's enterprise?

The practices regarding leadership, alignment and value are the least adopted; all the others are fairly well adopted and show a positive trend for improvement. When it comes down to leadership, most boards are still neglecting information security. This could explain the fact that business and information security are not well aligned and that there is little or no value creation for the business when looking at information security. As an ultimate excuse, technical complexity is used to justify this neglect.

What are the main drivers for implementing these practices?

In many cases the drivers are still legal and compliance related issues that push for more information security. A severe incident also triggers the attention of board members; whether this is because of legal consequences or financial interest is unclear. In either case it remains an ad-hoc modus operandi, which is not a sustainable approach to address information security.

Executive management

Which practices (structures, procedures) have been identified?

Identifying the practices for executive management regarding information security provides more tangible results compared to those of the board members. The following practices have been identified:

• Information Security Framework
• Chief Security Officer/Chief Information Security Officer
• Information Security Steering Committee
• Implementation of information security
• Monitoring and assessment
• Awareness and communication

To what extent are these practices considered effective?

The majority of companies today have a security framework/policy in place and the majority of the people say they know about it. Though this says little about the level of understanding of the policy, and there the answers point in the opposite direction. In most companies of a reasonable size there is a Security Officer. The effectiveness of such a role is heavily dependent on the reporting line this person has, and in some cases this creates a problem since bottom-up reporting does not occur at all or is biased. The steering committee is only gaining ground slowly and it remains difficult to judge its effectiveness. When such a committee is well integrated in a company it could be an ideal lever to address issues to management and board, and it could improve the reporting line. Implementing security is done to some extent; it is no secret that budgets are under pressure in today's difficult economic circumstances. The fact that only a small number of companies evaluate the return on investment of security spending could be a reason that security budgets stay low. Having the support of senior management is not the only factor required to get adequate funding. The same attitude shows in the monitoring part: fewer than 10% of the security officers say that they effectively measure and evaluate the effectiveness of their controls and funding, though there is a better level of monitoring when it comes down to the monitoring of incidents and audit and self-assessment.

Which practices are well adopted in today's enterprise?

The two least adopted practices are the information security steering committee and awareness. Regarding information security awareness, companies are conscious of its importance, but there is still a big gap between what they know and what they are effectively doing. However, there is a positive trend and companies are recognising the value of spending money and resources on awareness. The steering committee is less adopted, but it is gaining ground.
What are the main drivers for implementing these practices?

Legal and compliance remain a big motivator for implementing information security; the interest from the senior levels of companies is relatively low, since it remains a complex and highly technological subject. The fact that information security is put on agendas whenever there is a severe incident is not helping; this is a negative situation which makes it extremely difficult to put information security in a positive light. This, and the fact that reporting is often not done in a correct fashion (facts are changed, severity is lowered, or reporting does not occur at all), are factors that make it virtually impossible to get information security on the agenda of the decision makers.

End note

The research revealed some aspects, though a lot of questions remain open, especially on the effectiveness side. Many aspects are not measured for effectiveness, and the links between the structures and procedures and how they influence each other are not well researched. An interesting point would be to see whether companies with good Enterprise Risk Management also have good information security governance, and whether a good reporting line from bottom to top would improve the strategy and also give better top-down communication.
Table of Figures

Figure 1, Does your board regularly, occasionally, rarely or never complete the following actions? Jody R. Westby, 2012 ...... 18
Figure 2, How important is each type of experience when recruiting new directors? Jody R. Westby, Governance of Enterprise Security ...... 20
Figure 3, Does your function meet the organisational requirements? EY, Fighting to close the gap, 2012 ...... 23
Figure 4, Organizational involvement in aligning risk-based security management with business objectives. Tripwire, 2013 ...... 24
Figure 5, How does your organisation assess the efficiency and effectiveness of information security? EY, Fighting to close the gap, 2012 ...... 25
Figure 6, Separate risk committee and audit committee. Jody R. Westby, 2012 ...... 26
Figure 7, Subjects actively addressed by the board. Jody R. Westby, 2012 ...... 26
Figure 8, I know the acceptable risk level in my daily duties. (You know the acceptable risk level you're allowed to take during your daily tasks.) Koen Maris, 2013 ...... 27
Figure 9, Enterprise Risk Management program/structure in place. Jody R. Westby, 2012 ...... 27
Figure 10, Key role risk/security function in place. Jody R. Westby, Governance of Enterprise Security ...... 29
Figure 11, Greatest obstacles to improving information security. PriceWaterhouseCoopers, Global internet security survey 2014 ...... 31
Figure 12, Reasons for not collaborating on information security. PriceWaterhouseCoopers, 2013 ...... 32
Figure 13, I know the security policy of my company. Koen Maris, 2013 ...... 33
Figure 14, How many respondents have a formally documented information security policy? PriceWaterhouseCoopers, Information security breaches survey 2012 ...... 33
Figure 15, Any company should have an information security responsible. Koen Maris, 2013 ...... 35
Figure 16, To whom does your CSO/CISO report? Jody R. Westby, 2012 ...... 35
Figure 17, Risk/Security committees are less rare. Jody R. Westby, 2012 ...... 38
Figure 18, Which of the following controls have you implemented to mitigate the new or increased risks related to the use of mobile computing including tablets and smartphones? Ernst & Young, 2012 ...... 40
Figure 19, How many respondents measure the effectiveness of their security expenditure? PriceWaterhouseCoopers, Information security breaches survey, 2012 ...... 41
Figure 20, Have you ever had any security training? ESET survey 2012 ...... 42
Figure 21, How do respondents ensure staff are aware of security threats? PriceWaterhouseCoopers, Information Security breaches survey, 2012 ...... 44
Figure 22, Why communication with senior executives is not considered effective? Tripwire-Ponemon, The state of risk based security, 2013 ...... 45
Bibliography

Allen, J. H. (2007). Governing for Enterprise Security. Carnegie Mellon CyLab, CERT.
Carnegie Mellon University. (2012). Governance of Enterprise Security: CyLab 2012 Report.
CISCO. (2008). The Effectiveness of Security.
De Haes, S., & Van Grembergen, W. (2008). Practices in IT Governance and Business/IT Alignment. ISACA Journal, 6.
Deloitte. (2011). Global risk management survey, 7th edition.
Dutra, A. (2012). A more effective board of directors. Harvard Business Review, 2.
Ernst & Young. (2012). Risk appetite: the strategic balancing act. Retrieved from www.ey.com
European Audit Committee Leadership Network. (2012). Strategy, risk appetite at the board. Viewpoints.
Harris, S. (2003). CISSP All-in-One Guide, second edition.
ISACA. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management. ISACA.
ISACA. (2010). Business Model for Information Security. ISACA.
ISACA. (2012). COBIT 5. ISACA.
ISACA. (n.d.). COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. Retrieved from ISACA: http://www.isaca.org/COBIT/Pages/default.aspx?cid=1003566&Appeal=PR
NIST. (2006). Information Security Handbook: A Guide for Managers. Special Publication 800-100.
Porter, M. (1985). Competitive Advantage.
PriceWaterhouseCoopers. (2012). Information Security Breaches Survey Technical Report. PwC.
PriceWaterhouseCoopers. (2013). The Global State of Information Security Survey.
Royal Institute of Technology. (2011). Assessing Future Value of Investments in Security-Related IT Governance Control Objectives.
Scholtz, T. (2003). The role of the corporate information security steering committee. Retrieved from SC Magazine: http://www.scmagazine.com/the-role-of-the-corporate-information-security-steering-committee/article/30595/
Slater, D. (2009). What is a CSO? Retrieved from CSOonline: http://www.csoonline.com/article/2124612/it-careers/what-is-a-cso--part-2.html
Solms, S. v. (2008). Information Security Governance. Springer.
Stanford Graduate School of Business. (2011). Board of Directors: Duties & Liabilities.
Tonello, M. (2008). Corporate Governance Handbook: Legal Standards and Board Practices, 3rd edition. The Conference Board.
Tripwire-Ponemon. (2013). The State of Risk Based Security.
Westby, J. R. (2012). Governance of Enterprise Security. Carnegie Mellon University CyLab. Retrieved from CyLab Survey Reveals Gap in Board Governance of Cyber Security: https://www.cylab.cmu.edu/news_events/news/2008/governance.html
Wikipedia. (2013). NIST Special Publication 800-53. Retrieved from http://en.wikipedia.org/wiki/NIST_Special_Publication_800-53
Wikipedia. (2014). ISO/IEC 27000-series. Retrieved from http://en.wikipedia.org/wiki/ISO/IEC_27000-series