[BreachExchange] Why Infosec Compliance Governance Should Be a Top Priority for CISOs

Destry Winant destry at riskbasedsecurity.com
Tue Dec 8 10:19:43 EST 2020


https://securityboulevard.com/2020/12/why-infosec-compliance-governance-should-be-a-top-priority-for-cisos/

The job of a CISO can encompass a lot of competing priorities and
require a delicate balancing act. But there is one area that commonly
doesn’t get the attention it deserves: infosec compliance governance.
This area of a CISO’s responsibilities deserves more attention than
many give it, and it often encompasses more than some CISOs realize.

Why do we need to emphasize one area of our cybersecurity program over
another? It is mostly a matter of prioritization. We, as CISOs, know
all about prioritization efforts, and we prioritize the tasks that have
a big impact on the business's needs and the cybersecurity areas that
are most critical to our organization's success. Ultimately, how well
we manage the task of creating an efficient cybersecurity program is
directly related to our organization's success. Typically, these
common factors are well known and understood within most
organizations. What is not always well known is the need to treat
infosec compliance governance as a top priority, and the benefits of
doing so.

Making the Case for a Focus on Compliance

If you are setting your priorities based on what is going to result in
a high return on security budget spending, compliance may not be the
first thing you think of. Considered this way, infosec compliance
governance rarely shows a direct, measurable correlation with impact,
especially if you look at the per-occurrence rate for information and
data loss due to unauthorized access or an information systems breach.
But monetary ROI is not the lens through which CISOs should view their
priorities.

When you instead consider what will have the biggest impact on your
organization and what will ultimately help you create the most secure
environment you can, it is easier to see why a focus on compliance is
so critical. More specifically, the infosec compliance governance
within our cybersecurity programs that we develop for our organization
deserves a lot of our time and energy. Many areas are given high
consideration for prioritization, but often, compliance can be
overlooked and not treated as the top-five priority that it is.

How a Focus on Compliance Impacts the Rest of a CISO’s Responsibilities

Fortunately for busy CISOs, many of our responsibilities benefit from
a focus on infosec compliance. For example, access control and
identity management may take precedence in many CISOs' minds as more
people begin to work from home during the COVID-19 pandemic. And while
these items are definitely important focus areas for a CISO,
successful access control and identity management are typically part
of a well-planned and well-developed compliance program. After all,
the ultimate goal is to protect our organization's information, right?

Infosec and compliance are oftentimes closely related. If we take the
process validation and framework implementation of compliance and pair
that with the concepts and guidelines of protecting and securing our
organizational information, we get infosec compliance.

To direct that infosec compliance, we need to understand how we do it
and the best way to ensure it within our organization's cybersecurity
program. We typically define those methods through well-developed and
well-thought-out policies: policies that are very detailed and
descriptive in nature. If we take the policy concept and apply it to
infosec compliance, we essentially get the idea of infosec compliance
governance.

Ultimately, we must manage our organization's sensitive information
with well-developed, clearly defined protection mechanisms, for which
a focus on compliance provides a sturdy framework.

What Does a Focus on Compliance Look Like?

The essential parts of an infosec program involve identifying and
certifying the systems within our organization that process, store,
and transport the different types of data we store and have access to.
Then, the appropriate security controls can be developed for these
systems so that they meet regulatory compliance requirements. Focusing
on compliance simply gives a CISO a true north and a way to better
organize infosec efforts.

While compliance implementation remains consistent throughout a
system's lifecycle, the regulations, or even the guidelines, that
govern data can change at a less predictable rate. For instance,
cybersecurity requirements and their governing controls may change
their guidance more or less often depending on the issuing body (e.g.,
NIST, ISO, etc.).

CISOs must have a full understanding of the various types of data that
an organization has access to and delivers to employees or customers.
There needs to be very deliberate and stringent control over the
systems that classify and track this data, their data storage and
processing classification needs, and the specific requirement
variations between different data sensitivity levels. Infosec defines
the methodology for implementing data and information protection.

Compliance creates the ability to map systems to a framework for
regulatory certification. Governance allows a defined, repeatable
process for assuring asset tracking, data tracking, and compliance
matching for infosec needs within an organization.

When we consider all that goes into infosec compliance governance, we
have to remember that as CISOs, we are ultimately responsible for the
success or failure of this program. As such, we have to know what
policy is needed, how often we must update the policy, and how we
disseminate changes and updates to meet certification and attestation
timeframes for our systems. Essential to this development is the level
and degree of our understanding of our organization's business
strategy as a whole. If we don't understand that, we can't understand
how to apply the policies appropriately, decide on the correct
compliance frameworks, and, more importantly, figure out what specific
cybersecurity controls must be in place for the information we must
ultimately protect. We know why these things are all critical.
However, we should state that reason purposefully.

We relate all these things, understanding the business strategy and
applying it to our infosec compliance governance, for one key reason:
risk management.

The Importance of Risk Management

Cybersecurity at a fundamental level is about the management of
security risk. When applied appropriately, some simple things are
derived from a focus on infosec compliance governance within our
organization: We are able to map our compliance framework directly to
the systems being used to process, store, and transport our
organization’s information. Protection of that information requires us
to define the right data classifications and the specific control
requirements per infosec guidance. We need to develop and provide
clear policy guidance directing how implementation and management will
occur to protect the systems and their information. Finally, we need
to know what the impact of a loss, a breach, or an unauthorized
disclosure of the information is.

So what is the security risk if we don't apply appropriate and
deliberate infosec compliance governance? We run the risk of failing
to create risk management and infosec processes that are deliberate,
specific, repeatable, and well understood by everyone who interacts
with sensitive information. We fail those responsible for
implementation, certification, validation, and attestation of the
protection levels for our organization's information based on its risk
tolerance.

How do we remediate weaknesses in compliance requirements for infosec?
That can only be done when we truly understand the risks, their impact
on the business, and how security fits into our organization's overall
business strategy. We can also use that overall business strategy to
directly shape and support the infosec compliance governance choices
for our cybersecurity program as a whole. How and what you prioritize
directly impacts your success or failure. Infosec objectives need a
deliberate order of action to ensure the impacts on your program are
clearly understood and recognized.

Why it’s Important for CISOs to Push a Compliance Focus

CISOs must develop and drive cybersecurity practices from the top
down. They hold the ultimate responsibility for ensuring an
overarching, comprehensive security strategy. Unfortunately, not every
organization is willing to adopt a CISO's strategies when they require
a large investment of time or money. To overcome this, CISOs must
prioritize those programs that have the most significant impact and
will directly reflect favorable investment returns for their
organization.

The CISO mandate is not protecting information at all costs, but
protecting information with the resources they’re given. These
budget-related costs are usually driven by company executives and the
Board of Directors.

The CISO’s security implementation strategy and guidance input within
any organization can account for nearly 90% of the organization’s
overall business strategy. If we consider and understand what
processes and programs can have the greatest impact throughout the
organization, it would not be a stretch to list infosec compliance
governance as one of the top five programs necessary to meet that
need.

Few cybersecurity programs touch more systems or have a bigger impact
on the business and security strategies than your infosec compliance
governance program. Few have such a significant direct correlation to
identifying and understanding the risk facing your information systems
and the data they house, process, and transport. Remember that three
significant functions are combined to develop the infosec compliance
governance program: First, compliance directly informs risk. Second,
governance directly dictates policy writing. Third, infosec is, by
definition, the key to security.

We mentioned at the top of this article that the CISO's ultimate job
is to ensure the protection of an organization's internal data,
customer data, and any other sensitive information deemed critical to
the organization. What better way to meet that core job function than
by prioritizing the development and implementation of an infosec
compliance governance program?

One could make several arguments for where the program should fall on
the overall list of required security strategy, implementation, and
development initiatives. However, I would challenge those arguing a
lower priority to provide a reasonable argument for it not falling in
the top five of your top 10 priorities on a CISO’s list of
cybersecurity programs. I will even go one step further and say, if
you personally view it as a lower priority, take a closer look at the
programs ranked above it and determine whether those programs could
fall under the overarching arms of infosec compliance governance; you
might be surprised at what you find.
