Good Governance is one of the key factors of CyberSecurity

According to Cisco, there are 20 billion cyber attacks every day, which is a very scary statistic. The number of cyber attacks has recently increased and it will keep going up in the coming years. There is a lot of activity in every company nowadays concentrating on how to achieve tighter information security. Leadership has the same headache: how to make information more secure and less prone to cyber attacks. The attention usually turns to a search for better software that will keep the infrastructure securely closed so nobody can break into it, and, don't get me wrong, that is important! But why break into it when you can just come through an open door? Yes, there are open doors in these environments. Being an SME in IT, I've seen a lot of them. In many cases this happens due to a lack of governance. So here is a hint for you: start looking at your governance. A cyber attack can come not only through commonly known ways but also through things you wouldn't even think of: a forgotten and unpatched server, improper in-house software deployment, access that was not removed in time, not to mention improperly stored information.

Well, the good news is that you have the power to fix these issues.

There cannot be solid information and system security without well-implemented governance.

First of all: what is governance? Governance is a set of rules and policies applied to corporate (including IT) processes to achieve a better-functioning company, better security results and, in the end, better revenue. (That's very general and not exciting at all 🙂 but…)

Can you go without it, or without paying much attention to it? Well, many companies do, but here is the interesting part: in that case you are creating a lot of vulnerabilities, security ones included, and eventually you'll end up spending your hard-earned money on fixing things instead of growing, and that is not a place any business wants to be. So the answer is "yes", but do you want to? 🙂

Actually, good information security governance is one of the best investments you can make.

So how can you deflect these threats with good governance?

Let me start with the point that a corporate environment is not a static thing. It is a constantly evolving entity. So in order to have good cybersecurity in place you have to have very flexible, responsive governance processes, and I would like to emphasize that it has to be IMPLEMENTED governance, not just a set of policies that are used when you feel like it, or written and forgotten…

Here are just several important topics that are components of good governance. They need to be addressed in order to keep information and cybersecurity up to date. Clear policies, and actually following them, are essential:

  1. Centralize your governance!
  2. Is there any accountability in your governance?
  3. Classify your information: determine clearly which information is proprietary and which is merely sensitive
  4. How should you store, move and destroy sensitive information?
  5. How do your employees / partners access sensitive information? (employee / partner access controls)
  6. How are users trained to handle your sensitive information?
  7. How do you train users to recognize a cyber attack?
  8. How does IT personnel access the infrastructure? (IT access control levels)
  9. What are your password policies? How do you store passwords? How do you change them?
  10. How do you deal with test and service accounts?
  11. What are the patching / upgrading policies?
  12. What are the risk mitigation steps in each deployment?
  13. How do you monitor your IT environment?
  14. How do you address IT incidents?
  15. Do you have change controls in place?
  16. Are IT processes well documented?
  17. Is the deployed code peer-reviewed?
  18. Do you have a DR plan?
  19. What are your industry regulations and how should your company comply with them?
  20. Do you have disenrollment policies for the IT area in place? (When a user is no longer with the company, how fast is their access removed from all areas?)
  21. … and much more
  22. … And the main and most important question: if you do have those policies, are they really being followed?

Those items are just examples. There is much, much more to it. Every topic has many underlying subtopics that can lead in different directions, to many additional areas that need to be taken care of. It can be very multi-dimensional.

Here is what I mean: for example, the "Patching Cycle" item can lead to these questions:

  • Are all servers on the schedule, or are there orphan servers that were built for testing and then forgotten?
  • Are those orphans being patched?

That brings us to an "Inventory" item, which we need to add to this list and create a policy for.

Here is another item that comes out of "Patching Cycle":

With the separation of Production and Non-Production environments, we need an additional policy for the Non-Prod environment. Another separate policy.
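As an added illustration of the orphan-server check and the separate Non-Prod policy discussed above (this is example code written for this page, not code from the original article), the script below reconciles an asset inventory against an export from a patch-management tool. It reports inventoried servers the patch tool has never seen (the orphans), enrolled servers whose last patch is older than their environment's maximum age, hosts the patch tool manages that the inventory does not know about, and hosts with no environment tag at all, to which no policy can be applied. The hostnames, dates and the 30-day / 60-day patch SLAs are constructed sample values, and the separate non-prod SLA stands in for the separate Non-Prod policy mentioned above.

```python
"""Reconcile an asset inventory against the patch-management enrollment list.

Added example for the "orphan server" governance check; not code from the
original article. Inventory, patch records and SLA values below are
constructed sample data, not figures from the article.
"""
from datetime import date

# Constructed CMDB export: every server the company believes it owns.
INVENTORY = [
    {"host": "web01.corp.example", "env": "prod"},
    {"host": "db01.corp.example", "env": "prod"},
    {"host": "WEB02.corp.example", "env": "prod"},         # case drift between tools
    {"host": "qa-api03.corp.example", "env": "nonprod"},
    {"host": "lab-test7.corp.example", "env": "nonprod"},  # built for a test, then forgotten
    {"host": "jump01.corp.example", "env": ""},            # no environment tag at all
]

# Constructed export from the patch tool: host -> last successful patch date.
PATCH_RECORDS = {
    "web01.corp.example": date(2024, 5, 2),
    "db01.corp.example": date(2024, 3, 1),
    "web02.corp.example": date(2024, 5, 2),
    "qa-api03.corp.example": date(2024, 2, 10),
    "old-build9.corp.example": date(2023, 11, 30),  # patched, but unknown to the CMDB
}

# Assumed policy: a separate maximum patch age (days) for each environment.
PATCH_SLA_DAYS = {"prod": 30, "nonprod": 60}

# Assumed date on which the review is run (fixed so the report is reproducible).
REPORT_DATE = date(2024, 5, 15)


def normalize(host):
    """Hostnames drift between tools; compare lower-cased, without a trailing dot."""
    return host.strip().lower().rstrip(".")


def reconcile(inventory, patch_records, today, sla_days=PATCH_SLA_DAYS):
    """Return the findings a patching governance review needs.

    orphans:  inventoried hosts the patch tool has never seen, grouped by environment
    overdue:  enrolled hosts whose last patch is older than their environment's SLA
    unknown:  hosts the patch tool manages that the inventory does not list
    untagged: hosts with no usable environment tag, so no policy can be applied
    """
    enrolled = {normalize(h): d for h, d in patch_records.items()}
    known = set()
    orphans, overdue, untagged = {}, [], []
    for asset in inventory:
        host = normalize(asset["host"])
        known.add(host)
        env = asset.get("env") or ""
        if env not in sla_days:
            untagged.append(host)
            env = "prod"  # assumed fail-safe: hold untagged hosts to the strictest SLA
        if host not in enrolled:
            orphans.setdefault(env, []).append(host)
            continue
        age = (today - enrolled[host]).days
        if age > sla_days[env]:
            overdue.append((host, env, age))
    unknown = sorted(set(enrolled) - known)
    return {"orphans": orphans, "overdue": overdue, "unknown": unknown, "untagged": untagged}


if __name__ == "__main__":
    for finding, value in reconcile(INVENTORY, PATCH_RECORDS, REPORT_DATE).items():
        print(f"{finding}: {value}")
```

Two design choices matter here. Hostnames are normalized before comparison, because the mismatch between "WEB02" in one tool and "web02" in another is exactly how a patched server gets counted as an orphan (or an orphan gets hidden). And a host with no environment tag is held to the production SLA rather than skipped, so a gap in the inventory policy surfaces as a finding instead of silently falling outside every policy.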

So if you start digging there can be plenty, but it needs to be done. In many companies many of those topics are covered, but sometimes there is no clearly written policy or no clear understanding of how things should be handled, or the employees are aware of some policies but simply don't follow them. Sometimes the governance is very spotty and decentralized. All of that can create "open doors" in your company.

Here are some additional "how"s to help with information security governance:

  • Create a governance committee which regularly reviews the technologies you are using, existing processes and current incidents, and figures out a better defense. Also give thought to the areas an attack can come from, how attackers could use the system, what information they might be after, and what needs to change in your current system to better protect your valuable assets.
  • Review your technology regularly and see whether some governance processes no longer fit, or whether you need additional processes developed so things go smoothly.
  • Look at your potential domains of vulnerability and see what you can do better to shield your company, your customers and your partners from potential losses and problems. There are three areas of vulnerability that impact information security: people, technology and processes. In many cases you'll find governance flaws in every one of them.
  • Assess what technology (security tools) you have now and consider whether it is enough to protect your systems. Keep an eye open for new advanced tools. However, keep in mind that whenever you add anything new, most likely you add another layer of complexity. Keep things under control: well documented and understandable.

Of course, there should be just enough rules and policies to keep the business moving, but at the end of the day it's better to be a bit slower than to end up in a pitfall that throws you back much further. Good governance is key! 🙂