Cybersecurity: Functions (Part 2)

In this post, we’ll take a high-level pass at Cybersecurity’s Govern responsibility. The Merriam-Webster dictionary includes many definitions for the word govern. In the context of Cybersecurity, the relevant definitions are “to control, direct, or strongly influence the actions and conduct of” and “to exert a determining or guiding influence in or over.” Remembering that Cybersecurity’s key role is more about enabling the business than stopping it is crucial. This is difficult for even the most senior and seasoned professionals, especially when the business makes a decision that appears to fly in the face of advice.

In truth, the role of cybersecurity in an organization is to enable the functions of the business and its systems while ensuring proper and adequate security.

Cybersecurity Functions (Part 1) – Cyber Muster

As NIST prepares the release of The NIST Cybersecurity Framework 2.0, I will borrow from the definition of Govern, which provides a concise statement of the function. “Govern directs an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policies, processes, and procedures; and the oversight of cybersecurity strategy.”

Today, organizations face increasing dependence on the function of Govern. As seen in the most recent “SEC Cybersecurity Rule,” heightened emphasis on cybersecurity means greater influence and responsibility for cybersecurity. Laws such as the General Data Protection Regulation have set a high bar for requirements in organizations and underpin the foundations for many standards and guidelines. In the U.S., professionals have individual state laws to comply with, which are changing constantly. California is known to have the most stringent and progressive stance on privacy, and many states have adopted the California Consumer Privacy Act as the requirement to meet. Washington state has the Washington Foundational Data Privacy Act, Texas passed the Texas Data Privacy and Security Act in 2023, and there are drafts of federal laws to enhance and strengthen the Federal Privacy Act of 1974. As these laws are passed and revised, organizations must keep track of them, and it is crucial to remember that company policy, standards, and guidelines must yield to the higher order lest a company face severe punishment. Executives, leadership, and key personnel are bound and personally responsible to ensure adherence as outlined in FFIEC and fiduciary duty.


Like a lighthouse, the function of Govern in cybersecurity and an organization is the beacon or navigational aid illuminating the edges of safe travel. In another analogy, Govern provides the guardrails and markings on the superhighway of business activity that establish the rules of the road.

A ship near a lighthouse

As a professional, it is your responsibility to understand the needs of the business and help define what these guardrails include. There is no need to reinvent the wheel, but rather an understanding of how existing laws, regulations, policies, and industry standards apply to and are applied to the organization you support. One of the most practical applications of Govern is seen in the adoption and adaptation of the Cybersecurity Framework by NIST.

When you are tasked to define these strategies, roles, responsibilities, authorities, policies, processes, and procedures, and the oversight thereof, you must remember that the business’s number one function is to earn a profit. Therefore, you are to provide a way forward that enables the business to accomplish this goal without unnecessary or undue risk. Like navigating a minefield, you mark the path forward. Cybersecurity does not stop the business from stepping off the marked path; we call out the dangers.


In the workplace, we most commonly see Govern employed through the policies and standards of an organization. Specific cybersecurity teams extend these by providing guidelines. Guidelines are instructions for the business and its business units, teams, and individuals on how to meet requirements; they are akin to an ‘easy button’ how-to manual for standards. Usually, a guideline will also provide that easy button by integrating with specific technology or solutions offered as an enterprise capability. From there, business units, teams, and individuals extend these policies and standards through procedures and processes. Within these constructs, the crucial element is to define the repeatable and objective quantification and qualification of risk.

Defining risk includes establishing the risk management strategy, expectations for risk, and policy to address when risk is acceptable, when it requires an exception, and what requirements control risks. Remembering that the six functions should be addressed together will help in understanding how Govern transcends and commingles with the other functions.

When defining risk, we must have a systematic approach to follow. Within the policies and standards, we must identify what risk is, the levels of risk, how to measure it, and what is considered reasonable risk within our organizations. We can borrow these definitions by relying on the foundations of requirements from law, regulations, and industry standards. Then, we must employ them within our organization. Often, we abstract risk into low, medium, and high and assign a scoring system to the different levels. As we identify potential risks, we also identify what mitigating controls exist or will exist to gain a complete picture of the residual risk to the organization. Always remember that the business ultimately retains decision-making authority, and within cybersecurity, the Govern process must include a mechanism for the business to overrule.
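The scoring approach described above, worked through in code, as an added example that is not part of the original post: it uses a hypothetical low/medium/high scale for likelihood and impact, multiplies them into a 1-to-9 score, lets mitigating controls lower a dimension to arrive at residual risk, compares the result to an organizational risk appetite, and includes the business-override mechanism as a recorded exception. The level names, thresholds, control effects, and the sample register entries are all constructed for illustration and are not from NIST or any standard.

```python
"""Minimal risk register: inherent score, mitigating controls, residual risk,
risk appetite, and a business exception that can overrule a 'remediate' result.
All scales and sample data are hypothetical."""
from dataclasses import dataclass, field
from typing import Optional

# Ordinal levels for likelihood and impact (hypothetical 3-level scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {value: name for name, value in LEVELS.items()}


def inherent_score(likelihood: str, impact: str) -> int:
    """Score = likelihood x impact, giving 1, 2, 3, 4, 6 or 9."""
    return LEVELS[likelihood] * LEVELS[impact]


def band(score: int) -> str:
    """Map a 1..9 score back onto low/medium/high (thresholds are assumed)."""
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


@dataclass
class Control:
    name: str
    reduces: str        # "likelihood" or "impact"
    steps: int = 1      # how many levels the control lowers that dimension


@dataclass
class RiskException:
    approver: str       # the business owner who accepted the residual risk
    justification: str


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)
    exception: Optional[RiskException] = None


def residual_levels(risk: Risk) -> tuple:
    """Apply each mitigating control; a level never drops below 'low' (1)."""
    likelihood, impact = LEVELS[risk.likelihood], LEVELS[risk.impact]
    for control in risk.controls:
        if control.reduces == "likelihood":
            likelihood = max(1, likelihood - control.steps)
        elif control.reduces == "impact":
            impact = max(1, impact - control.steps)
        else:
            raise ValueError(f"unknown dimension: {control.reduces}")
    return NAMES[likelihood], NAMES[impact]


def residual_score(risk: Risk) -> int:
    return inherent_score(*residual_levels(risk))


def decide(risk: Risk, appetite: str = "medium") -> str:
    """Residual within appetite -> accept; above it -> remediate unless the
    business has recorded an exception (the override mechanism)."""
    if LEVELS[band(residual_score(risk))] <= LEVELS[appetite]:
        return "accept"
    if risk.exception is not None:
        return "accept-with-exception"
    return "remediate"


def evaluate(register: list, appetite: str = "medium") -> dict:
    """Summarize inherent band, residual band, and decision per register entry."""
    return {
        r.name: {
            "inherent": band(inherent_score(r.likelihood, r.impact)),
            "residual": band(residual_score(r)),
            "decision": decide(r, appetite),
        }
        for r in register
    }


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Risk("public-web-app-unpatched", "high", "high",
         controls=[Control("web application firewall", "likelihood")]),
    Risk("legacy-batch-job-no-mfa", "medium", "high",
         controls=[Control("network segmentation", "impact")]),
    Risk("vendor-api-cleartext", "high", "medium",
         exception=RiskException("CFO", "vendor migration funded for next quarter")),
    Risk("internal-wiki-outdated", "low", "low"),
]

if __name__ == "__main__":
    for name, result in evaluate(SAMPLE_REGISTER).items():
        print(f"{name:28} inherent={result['inherent']:6} "
              f"residual={result['residual']:6} -> {result['decision']}")
```

The register output makes the Govern mechanics visible: the control on the first entry lowers likelihood but the residual is still high, so it stays on the remediation list; the third entry is equally high but carries a recorded business exception, so the decision is logged as an override rather than silently accepted. The appetite is a parameter, because that threshold is exactly what policy and standards are supposed to set for the organization.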

There are many systematic methods of risk modeling, more commonly known as threat modeling. I am a fan of the threat modeling process provided by OWASP. While it targets applications, this model is holistic in its approach and equally applicable to infrastructure threat modeling.

Another set of controls to adopt is the Zero Trust Architecture. This strategy removes the concept of implicit trust in a network perimeter. It applies real-time review of authentication (Auth-N) and authorization (Auth-Z) to every transaction and every asset within an organization. Zero Trust addresses risk by removing silos from the technology stack and is often accompanied by the phrase “identity is the new perimeter.” Modern computing environments, including hybrid environments that combine on-premises (or traditional) networks and data centers with cloud resources, are best protected through Zero Trust Architecture.

While unpacking the additional functions of Cybersecurity, we will have the opportunity to explore how the definitions of risk and risk management strategy outlined in the function of Govern apply. In future posts, I will dive deeper into the application of the Govern function, including establishing the markers for an organization to use. We’ll have the opportunity to align components from the function to Zero Trust Architecture and to address your feedback and questions.
