Problem statement
• Information security is associated with technology
• Decision makers' interest is not proportional to their dependence on information technology and the related information security issues*
• Information security is seen by senior management and the board as too complex and technology oriented
• Information security is considered a discretionary budget line item*
• It is difficult to align information security with business requirements while taking the defined risk appetite into account
* Julia H. Allen, Governing for Enterprise Security, Carnegie Mellon CyLab
Research questions
Which level of information security governance “awareness”* is present at the level of the Board of Directors and executive management in a contemporary enterprise?
* knowledge or perception of a situation or fact (Oxford dictionary)
• Which practices (structures, procedures) have been identified?
• To what extent are these practices considered effective?
• Which practices are well adopted in today's enterprise?
• What are the main drivers for implementing these practices?
Methodology
Literature research
• Academic papers
• Books
• Papers from commercial companies
Public surveys
• Surveys from large consultancy firms
• Various industries
• Different levels of hierarchy
• Respondent volume ranging from 100+ to 9000+
Custom-made survey
• Focus on board and executive management
• Peer review on which practices are deemed most important
• Small number of respondents
Frameworks, methodologies, standards
• ISO 2700x
• COBIT 5
• ISACA, Business Model for Information Security
• ISC2, Common Body of Knowledge
• NIST 800-53
Outcome: identification of common practices with focus on the Board of Directors and Executive Management
Background on master project
Information security and cyber security are hot news items
Many high-level incidents
Information security is a shared responsibility
Information security and technology change at high velocity
Aligning business, technology (IT) and information security remains difficult
What is information security governance?
Definition (NIST)
Information security governance can be defined as the process of establishing
and maintaining a framework and supporting management structure and
processes to provide assurance that information security strategies are aligned
with and support business objectives, are consistent with applicable laws and
regulations through adherence to policies and internal controls, and provide
assignment of responsibility, all in an effort to manage risk.
Information security governance framework (ISACA)
• A comprehensive security strategy explicitly linked with business and IT
objectives
• An effective security organisational structure
• A security strategy that talks about the value of information protected and
delivered
• Security policies that address each aspect of strategy, control and regulation
• A complete set of security standards for each policy to ensure that
procedures and guidelines comply with policy
• Institutionalised monitoring processes to ensure compliance and provide
feedback on effectiveness and mitigation of risk
• A process to ensure continued evaluation and update of security policies,
standards, procedures and risks
Information Security Governance at the Board: Identified practices
• Risk Management, setting the tone by defining the
risk appetite
• Identify information security leaders, provide
resources and support
• Direction, strategy and leadership, put information
security on the board's agenda
• Ensure effectiveness of the information security policy
• Integrate a strategic committee
• Staff awareness and training
• Measurement, monitoring and audit
Information Security Governance at the Board: Effectiveness
• 23% see lack of leadership as an important obstacle to the overall strategic effectiveness of their organisation’s security strategy (PWC, 2012)
• 68% assume their information security strategy is aligned with the business needs (E&Y, 2012)
• Little or no involvement when aligning risk-based security with business objectives (Tripwire-Ponemon, 2013)
• Lack of strict segregation between the risk and audit committee: only 8% do so, and half of those only oversee privacy and security (Jody R. Westby, 2012)
• 16% of board members are prepared to deviate from the risk appetite (Koen Maris, 2013)
• 68% of CRO functions have a direct reporting line to the board
Information Security Governance at the Board: Adopted
• 27% indicate that their board has an outside director with cyber security experience, though 64% think it is important to have one (Jody R. Westby, 2012)
• 42% have their information security strategy aligned with business objectives (E&Y, 2012)
• 50% think information security is too technical to be understood by non-technical management (Tripwire-Ponemon, 2013)
• 33% of boards address computer and information security (Jody R. Westby, 2012)
• 67% of boards approve a risk appetite statement (E&Y, 2013)
• 2/3 of Forbes Global 2000 companies have full-time personnel in key roles responsible for security and privacy
Information Security Governance at the Board: Drivers for integration
• Severe incidents
• Legal/compliance
• Regulations
• Accountability
Information Security Governance at the Executive Committee: Identified practices
• Information Security Framework
• Chief Security Officer / Chief Information Security Officer
• Implementation of information security
• Monitoring and assessment
• Awareness and communication
Information Security Governance at the Executive Committee: Effectiveness
• The large majority of staff know the security policy, or at least of its existence (Koen Maris, 2013)
• Only 26% of respondents with a security policy believe their employees have a good understanding of it (PWC, 2012)
• Almost 40% of CISOs/CSOs report to the CIO, almost 30% to someone other than the CFO, CEO or COO (Jody R. Westby, 2012)
• 80% claim not to evaluate the ROI of security investments (PWC, 2012)
• Adapting to new risks is done by blocking for approx. 50% of the companies (E&Y, 2012)
• Only 8% of CSOs/CISOs measure the value and effectiveness of their enterprise cyber security organisation (Deloitte, 2012)
• Reporting only occurs in case of a severe incident and happens at too low a level (Tripwire-Ponemon, 2013)
Information Security Governance at the Executive Committee: Adopted
• 95% of large companies have a security policy in place (PWC, 2012)
• The majority of executives agree that they should have someone responsible for information security (Koen Maris, 2013)
• 47% of companies have an information security strategy committee in place (PWC, 2012)
• 56% claim security budgets are in a federated model, making it hard to measure and determine the real available budget (Deloitte, 2012)
• About 50% monitor and measure trends in security/incident costs; approx. 20% do not evaluate at all (PWC, 2012)
• Only 32% of staff claim to have received awareness training (ESET, 2012)
Information Security Governance at the Executive Committee: Drivers for integration
• Response to an incident
• Legal and compliance
• Not done because it is too technical & complex
• Reduce risk
• Severe incident
Conclusion: Board
• Unclear whether a company that has thoughtful leadership and enterprise risk management in place has also identified a security leader
• Audit and monitoring are well in place, but measuring effectiveness remains doubtful; there is not always a strict separation between the risk and audit committee
• Leadership, alignment and value are the least adopted practices
• Severe incidents and legal, regulatory and compliance requirements remain the main drivers for integration
Conclusion: Executive Committee
• An ISMS is often in place, but the level of understanding and
knowledge across the company remains low
• A CSO/CISO is in place in the majority of larger companies.
Measuring the effectiveness remains difficult.
• Reporting line is not always clear, and reporting bottom-up
shows some clear shortcomings
• Awareness and steering committees have a low degree of adoption, though the majority recognise the importance of awareness
• Severe incidents and legal, regulatory and compliance requirements remain the main drivers for integration
End Note
• Would good ERM and correct bottom-up reporting provide better awareness and increase the alignment of information security?
• The effectiveness of, and the links between, structures and procedures are not well addressed. How do they influence each other?
• Would good bottom-up reporting provide a better strategy?
• More questions than answers...