Security governance and business objectives


Standard approaches to security and risk management are sometimes misinterpreted. Whilst it is a useful starting point, the establishment of predetermined security risk management structures, business processes, roles and requirements is too often separated from the normal decision making structures and processes used elsewhere in the business. This separation can lead to uncertainty, delays and confusion in the technology decision making process.

Prioritizing compliance with or adherence to predefined security governance structures over finding ways to make effective risk management decisions that fit the business can lead to a false sense of control and therefore a false sense of security. That is not to say that governance activity is a bad thing. When done well, it significantly contributes to effective risk management, and therefore the security of the organization.

Invest in risk management, trust decision makers

Governing how risks to technology systems are managed should be no different to the way organizations govern other business activities. The term governance implies that an organization actively exercises control over the risks it faces and provides direction for the security of its business. Effective security governance requires that organizations invest in risk management resources and trust decision makers, so that they have the right people, structures and processes in place. This enables sensible risk management decision making in pursuit of the organization's business goals and objectives.

What does good security governance look like?

There is no 'one size fits all' approach to governance that can work for every organization. Organizations should establish the security risk management roles and decision making processes that work for them (remembering that some organizations may have to comply with mandated requirements).

Irrespective of any predetermined structures or processes, a good approach to the governance of risk management across an organization is more likely when:

  • the organization's business goals and priorities are clear

  • the assets that the organization cares about (or values in terms of achieving its business goals) are clearly identified

  • the organization puts in place the resources needed to make risk management effective

  • the organization understands that for security to be effective, it must be part of 'business as usual'

  • the organization identifies who is responsible (and accountable) for the security of the technology systems

  • the risks that the organization will (and will not) take in pursuit of its business goals are clear

  • the organization identifies who is responsible (and accountable) for making security decisions about technology systems

  • the organization knows how to acquire the information needed to inform these security decisions

  • the organization identifies who is responsible (and accountable) for the ongoing security of the technology systems throughout the whole system life cycle

When organizations are deciding what governance approach is right for them, it may also be helpful to consider:

  • How will the organization manage technology-related security risks in different business, technology, and decision making contexts?

  • What external requirements are relevant when managing technology-related security risks (e.g. legal, regulatory or sector specific)?

  • What business processes are necessary to support the making of security risk management decisions?

  • What information and documentation is necessary to enable decision makers to make timely, informed and objective security risk management decisions?

  • How will the organization ensure that those responsible for managing risks (and making risk management decisions) have the right business and security skills, knowledge and training?

  • How will the organization provide confidence that its approach to managing risk is effective, and that the systems it uses for business are secure enough to meet its needs?

  • How will the organization ensure traceability and accountability for risk management decisions and actions?

  • How will the organization make continuous improvements to the way it manages security risks?

Delegating decision making

Effective cyber security risk management is built on sensible decision making. However, senior management within an organization do not need to make all risk management decisions. Risk management decision making can take place at all levels within an organization, and be delegated to those people who are best placed to understand the problem. Decision makers should have the right security, business and technical knowledge (together with the skills and experience) to enable them to make effective and timely risk management decisions in different business contexts.

To make security risk management effective, it is important to establish clear lines of communication between those that are responsible and accountable for the security of an organization, and those who are empowered to make risk management decisions on their behalf. Where decision making is delegated, the scope of that delegation must be clear. That is, those with delegated authority should understand when decisions need to be escalated for more senior attention within the business.

Dealing with complexity and uncertainty

The technology systems used to deliver modern business capabilities can be considered as complex 'socio-technical' systems with interaction between technology, people and organizations. This complexity means that there are times when the causes and effects of security risks can be known and can be managed, and times when they cannot.

Uncertainty in risk management is unavoidable because the information needed by decision makers and practitioners to inform security decisions may not be available, is not known, or is arrived at subjectively. This uncertainty is exacerbated by:

  • the biases of those involved in risk analysis, assessment and decision making processes

  • limitations in methods and tools, and in the way they are used

This complexity and uncertainty does not mean that there is nothing organizations can do to manage security risks. Rather, those responsible for making risk decisions need to:

  • understand the limitations of the tools they are using

  • understand that there are contexts when risks can be managed through the implementation of predefined security controls and approaches, and contexts when they cannot

  • adopt different strategies for making sensible security risk management decisions in different contexts

Developing an effective culture and environment

An effective security culture and environment will also help organizations deal with this complexity and risk management uncertainty. An appropriate security culture and environment can be encouraged by:

  • ensuring that everyone involved in security risk management decisions understands that achieving the objectives and maintaining the priorities of the business are more important than compliance with generic predetermined checklists

  • employing people who have the cyber security, business & risk management skills, and the knowledge & expertise needed to make and enable effective decisions

  • trusting and empowering those people to make risk management decisions

  • minimizing the procedural and documentary workload to only that which is absolutely necessary to enable timely and effective decision making

  • 'baking' risk management into 'business as usual', so it is viewed as a continuous activity that is consistent with the way other risks are managed (rather than a one-off action)

  • making it easy for those responsible for making risk management decisions to have access to (and understand) the information they require

  • reducing opportunities for that information to be misinterpreted, diminished or elaborated in any way that introduces uncertainty and bias

  • accepting that technology and security risks will be realized and understanding what the organization will do to minimize damage, continue to operate, and make improvements based on lessons learned

  • ensuring that communication between those accountable for security, those responsible for making risk management decisions, and those responsible for carrying out risk management activities is clear and meaningful, so that information can be correctly and effectively acted upon

Communicating risk management information

The effective communication of risk management information helps organizations to direct and control risk management activities. For this communication to be effective, organizations must establish internal and external channels to communicate with staff, business partners and customers. Communication within an organization is most effective when it flows amongst the right levels of an organization; top-down, bottom-up and laterally:

  • top-down communication provides corporate direction and business objectives to decision makers

  • bottom-up and lateral communication provides detailed technical, non-technical and security information to inform risk management decisions

When communicating internally, this information should as a minimum include:

  • business objectives, priorities and risk management direction

  • what the organization cares about and why

  • what risks the organization will (and won't) take

  • who is responsible and accountable for making risk management decisions

When communicating externally with third parties, this information should as a minimum include:

  • the risk management and decision making context

  • what needs to be protected and why

  • if the security of the protected assets is reliant on another party, what the organization expects that party to do to protect it (e.g. security procedures or security requirements in contracts)

  • where a third party is providing security for something the organization cares about, how the organization will gain confidence that the third party is delivering security as expected

To communicate risk management information in a clear and meaningful way, organizations should use plain English and commonly known business, technology and security terminology. Using bespoke risk management language or specialist terms should be avoided.

It is often assumed that because organizations use a common risk assessment (or risk management) method, they will be able to use the risk information generated (such as risk numbers, risk levels and impact levels) as a short-hand to convey information to risk management decision makers and business partners. Without work to agree the meaning of risk management information, this assumption is incorrect. People and organizations will interpret or misinterpret risk related information based on their individual and group biases, their experience, knowledge and priorities. This is especially true if the risk management information is provided without meaning, explanation or context.

As with any other relationship, trust between parties is built upon good communication that enables each to understand what the others value, and to agree the specific meaning of risk management information and risk assessment output. This understanding will enable organizations to trust risk management information provided to them by others, and to use technology systems and services with confidence.