IT Security Governance

IT security is not about protecting IT, it’s about protecting the business, organization, or mission.

IT Security Governance links business risks to IT risks and threats. No IT control should be implemented unless it can be tied back to a business risk that it helps to manage, mitigate, or reduce the impact of.

Every enterprise has the goal to stay in business, and there are numerous examples in the news every week proving that IT security breaches or incidents threaten that goal.

Every organization has some level of Governance, Risk, and Compliance (GRC) program, whether it exists to meet industry or customer security requirements, or simply because the business owner says: “This information (or application) is important to our business and must be protected.” Some organizations manage their program with an enterprise GRC technology platform, while others might just have a spreadsheet.

As well as linking business risks to technical controls, Governance also establishes ownership: technical people don’t make business decisions, and risk-based decisions are business decisions. Identifying business ownership for data, systems, applications, and even infrastructure is foundational. Governance is the link between the humans who manage the technical controls and the business owners of the data, systems, and applications, aligning their requirements.

Some security standards and guidelines are mandatory for organizations based on their industry, while others are optional, but can show leading practices for security maturity.

While being compliant with one or more of these regulations or standards doesn’t necessarily make you secure, not being compliant is a business risk. How big an impact that is depends on the organization and industry: non-compliance could mean a simple fine, or being prevented from bidding on or doing work for that government or industry.

Many organizations have some industry regulation they need to meet. If an organization is a US Government contractor, not meeting the NIST CSF will impact its ability to support Government contracts. If it is a service provider, having ISO 27001 certification might help with third-party assessments by customers, or might be a requirement to bid on a service contract. Being PCI compliant is mandatory for retailers or anyone who takes credit cards; otherwise the business might be subject to a fine, or prevented from taking credit card transactions.

A small percentage of organizations are not formally subject to any regulation, industry standard, or other framework. They face a different challenge in managing a cybersecurity program. They often struggle with where to start, and need some benchmark to describe their program to customers or third-party partners (like insurance companies, manufacturing companies, B2B retailers, or legal firms). This is where one of the more universal security frameworks, like NIST CSF, ISO 27001, or the CIS Critical Security Controls, is a good place to start.

The tool most commonly used for mapping business risk to technical risk is a Risk Register. Basically, a risk register is a list of the IT threats that could impact the organization, along with the likelihood and impact of each.

This could be a spreadsheet, or a full GRC application platform that lists, tracks, and measures risks by category and severity, then tracks which controls are in place to manage each risk, and to what extent the risk has been brought down to an appropriate level. This level can be qualified or quantified.

Qualified means the impact is an estimate defined by business leadership. They might say, “It would be really bad if we lost that data,” or, at the other end, “It would be inconvenient, but wouldn’t impact the business if we lost that data.” Often these are noted as an impact range of 1-5, from least to most impactful.

Quantified means using a calculation to determine the percentage likelihood of an impact and, based on business data, a dollar value for that impact. This takes into account, for example, the value of the data and the maturity and comprehensiveness of the security controls protecting it. The result might be a 50% likelihood that the data will be compromised, which would be a $15 million impact. The FAIR Institute and the CIS Risk Assessment Methodology (RAM) both publish guidance on how to conduct quantitative risk analysis.

No matter which approach is used, the goal is to prioritize the protections and detections that would draw down the organization’s risk, based on what would be most impactful.
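The following is an added illustration, not code from the original article or from any GRC product: a minimal risk register that scores each entry both ways described above (a 1-5 qualitative impact band multiplied by a 1-5 likelihood band, and a quantitative likelihood-times-dollar-impact figure), prioritizes the register, and applies the governance rule that every deployed control must tie back to a registered business risk. The risk names, owners, probabilities, dollar figures, and control names are all constructed sample data, and the 1-25 qualitative score and the expected-loss formula are simple assumptions chosen for the example, not the FAIR or CIS RAM methods.

```python
"""Toy risk register: qualitative and quantitative scoring, prioritization,
and a check that every deployed control maps back to a business risk.
All risks, owners, numbers and control names below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional


def likelihood_band(p: float) -> int:
    """Map an annual probability in [0, 1] to a 1-5 likelihood band (assumed scale)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return min(5, int(p * 5) + 1)


@dataclass
class Risk:
    name: str
    business_owner: str          # governance: a business owner, not IT, owns the risk
    likelihood: float            # annual probability the scenario is realized, 0..1
    impact_level: int            # qualitative impact, 1 (least) .. 5 (most impactful)
    impact_usd: Optional[float] = None  # quantitative dollar impact, if the business can estimate it
    controls: list[str] = field(default_factory=list)  # controls that manage this risk

    def __post_init__(self) -> None:
        if not 1 <= self.impact_level <= 5:
            raise ValueError("impact_level must be 1..5")

    def qualitative_score(self) -> int:
        """Likelihood band (1-5) times impact level (1-5): a 1..25 score."""
        return likelihood_band(self.likelihood) * self.impact_level

    def expected_loss_usd(self) -> Optional[float]:
        """Quantitative view: probability times dollar impact.
        None when the business has not put a dollar figure on the impact."""
        if self.impact_usd is None:
            return None
        return self.likelihood * self.impact_usd


def prioritize(register: list[Risk], quantitative: bool) -> list[str]:
    """Return risk names ordered from most to least impactful.
    In quantitative mode, risks without a dollar figure sort last: they are not
    'low', they are unmeasured, and the tail of the list is the follow-up queue."""
    if quantitative:
        def key(r: Risk):
            loss = r.expected_loss_usd()
            return (loss is None, -(loss or 0.0))
    else:
        def key(r: Risk):
            return -r.qualitative_score()
    return [r.name for r in sorted(register, key=key)]


def orphan_controls(deployed_controls: list[str], register: list[Risk]) -> list[str]:
    """Governance check: deployed controls that tie back to no registered risk."""
    mapped = {c for r in register for c in r.controls}
    return sorted(c for c in deployed_controls if c not in mapped)


# Constructed sample register (not real figures from any organization).
SAMPLE_REGISTER = [
    Risk("Customer database breach", "VP Operations", 0.5, 5, 15_000_000,
         ["MFA", "DB encryption", "DLP"]),
    Risk("Ransomware halts order processing", "COO", 0.3, 4, 4_000_000,
         ["Offline backups", "EDR"]),
    # Impact never quantified in dollars: high likelihood, low qualitative impact.
    Risk("Marketing website defacement", "CMO", 0.8, 2, None, ["WAF"]),
]

# Constructed list of what IT says is deployed; one entry maps to no risk.
DEPLOYED_CONTROLS = ["MFA", "DB encryption", "DLP", "Offline backups", "EDR",
                     "WAF", "Badge printer hardening"]


def main() -> None:
    for r in SAMPLE_REGISTER:
        loss = r.expected_loss_usd()
        print(f"{r.name:38s} owner={r.business_owner:14s} "
              f"qual={r.qualitative_score():2d} "
              f"expected_loss={'unmeasured' if loss is None else f'${loss:,.0f}'}")
    print("quantitative order:", prioritize(SAMPLE_REGISTER, quantitative=True))
    print("qualitative order: ", prioritize(SAMPLE_REGISTER, quantitative=False))
    print("controls with no business risk:", orphan_controls(DEPLOYED_CONTROLS, SAMPLE_REGISTER))


if __name__ == "__main__":
    main()
```

Running it shows the two views disagreeing: the qualitative 1-25 score ranks the defacement scenario above ransomware because a 1-5 scale compresses impact, while the quantitative ordering puts ransomware second and pushes the defacement risk to the end as unmeasured. The orphan-control check surfaces "Badge printer hardening" as a control nobody has tied to a business risk, which is exactly the conversation the governance rule above is meant to force.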

I put together the questions below to help determine how reliant on technology the organization is, and how any disruption, corruption, or unauthorized access would impact the business. They can also be a starting point for identifying a control framework.

10 questions for basic governance

  1. How does your organization make money?

  2. What digital assets of value do you create, store, or control?

  3. Are there business processes that must be functioning, stable and resilient for the business to succeed?

  4. What are the top 5 worst-case scenarios that would cause business impact?

  5. Do any of the 5 worst-case scenarios rely on technology?

  6. Would these scenarios be related to loss of data, loss of operations, or inability to conduct business?

  7. What technology protections and detections are in place to reduce the risk of these scenarios being realized?

  8. What governmental or industry regulations do you need to adhere to?

  9. What customer or partner contractual security requirements are you accountable for?

  10. Are there NDAs or SLAs with customers or partners that you must meet or face material damages?

The final discussion around Governance is about business leadership buy-in. The leadership must understand their role in IT Governance. They can’t just let the IT Security leader define what is important to protect and what level of controls needs to be implemented. This understanding of the business leader’s role is critical to a successful security program. It takes cooperation, and a clear link between IT security and business risk.

Rick Doten is VP, Information Security at Centene Corporation, and CISO of subsidiary Carolina Complete Health based in Charlotte, NC. Previously, Rick worked as a Virtual CISO supporting international companies. Rick has alternated between being a management consultant and a CISO throughout his 25+ year cybersecurity career, during which he has run ethical hacking, incident response and forensics, and risk management teams. Rick is an avid speaker at cybersecurity conferences, a guest on cybersecurity podcasts, and a member of The CyberWire Hashtable. He is part of the editorial panel of the CIS Critical Security Controls, and has a YouTube channel with videos on the updates and changes in each of the 18 new CIS CSC v8 Controls. Rick also developed the curriculum for a Cybersecurity Master’s degree program for an international university. He has been a MACH37 Stars Mentor since 2013.