
Cybersecurity Governance in the Next Normal

Cybersecurity governance is a constant balancing act, and that balance will shift as organizations mature. Over time, we have seen organizations shift from a focus on compliance and risk mitigation to one of risk management and cybersecurity preparedness. In the future, the conversation will continue to evolve, and we will see an increased focus on cybersecurity collaboration and agility.



The current regulatory climate in the United States is in a state of flux, and the implications for cybersecurity governance are clear. The regulatory landscape is constantly evolving, with new laws on the horizon such as the California Consumer Privacy Act (CCPA) and GDPR. 

At the same time, there are other regulations that are still interpreted by regulators, such as FISMA, HIPAA, NIST SP 800-53, NIST SP 800-171, and PCI DSS 3.2. These regulations all have implications for cybersecurity governance. While these regulations provide some structure for cybersecurity governance, they can also be cumbersome and overly prescriptive.

We’ve seen many organizations struggle with these regulations because they have created operational silos that do not align with their overall cybersecurity strategic direction.

In order to be successful in this evolving regulatory environment, organizations must take a holistic approach to cybersecurity governance and adopt a framework that can support continuous adaptation throughout the lifecycle of an organization’s security program. 

Security practitioners must develop a consistent set of controls across business units or lines of business (LOBs) in order to ensure consistency in security operations across the enterprise. This means establishing common security policies that align with your organization’s overall business strategy and vision.


Next Generation Governance: A Holistic Approach



As mentioned above, it is important to take a holistic approach when designing your security program so you can adapt it as your organization evolves over time. 

Next generation governance enables you to do just that by giving you the ability to apply consistent controls across multiple business units or LOBs in order to deliver enterprise-wide security capabilities—but also allow some flexibility within each unit so they can develop unique programs that are relevant to their specific needs and risk profiles.

This works well when you’re dealing with heterogeneous environments where LOBs typically implement different technology platforms that are best suited to them based on the unique risks and threats they face.

This would include things like data analytics versus edge computing versus artificial intelligence versus blockchain platforms, where each of those is focused on a different aspect of your organization’s business.

In order for this to be successful, the governance process needs to be flexible and adaptable to changing business requirements. Also, it ensures compliance and regulatory expectations are met. This is where automation has a key role to play.


Next Generation Governance: Automation


Automation helps address the challenges of governance in next-generation cybersecurity programs. It does this by providing the following capabilities:


While organizations should have an overall security strategy in place, they must also have a plan for how they will respond to changing business conditions and the ever-evolving threat landscape. For example, it’s important to know how you’ll respond if your supply chain is compromised or breached by hackers.

Also, will you change your product offerings? Will you adjust your security capabilities? Will you re-evaluate your supply chain partners? 








