Governance

How does the word “governance” make you feel? In full transparency, the word makes me edgy and disturbed.

I really don’t like the word “governance”.

Maybe you’re a like me, and “governance” gives you a case of the heebie-jeebies. What about this word makes us feel this way?

Two things (for me anyway); I don’t like being told what to do, and bad governance seems more prevalent than good governance. Maybe I’d cringe less if good governance were more common in our industry.

Let’s do three things here; 1) define what governance is, 2) describe bad governance, and 3) show what good governance looks like. If you think information security governance is a waste of your time, you’re wrong!

Governance is critical to every information security program without exception.

If this is true, we’ll need to do some explaining.

What is Governance?

Literally. Merriam-Webster defines “governance” as:

the act or process of governing or overseeing the control and direction of something (such as a country or an organization) 

Further definition, this time using the word “govern”:

• to exercise continuous sovereign authority over – Sovereign means supreme authority. Authority without accountability can easily lead to despotism, and that’s bad! So, governance without accountability is also bad, really bad.
• to control the speed of (a machine) especially by automatic means – Could apply figuratively, but this is more like a governor on a motor.
• to control, direct, or strongly influence the actions and conduct of – This one works I think.
• to exert a determining or guiding influence in or over – Yeah, even better. I especially like the use of the word “influence” versus manipulation. Different things.
• to serve as a precedent or deciding principle for – Another definition that fits.

OK, now to apply this knowledge of “governance” to information security.

Bad Governance

Bad information security governance can be more damaging to an organization than no governance at all. Here are some reasons for bad governance:

• Poor Alignment – Bad governance starts with poor (or no) alignment with the organization’s mission. The mission of the organization defines its purpose and its reason for existence. ALL things done in the business should be aligned with the mission, including information security.
  • If the organization has no mission, it is purposeless and directionless. Best of luck trying to establish information security governance in this organization! You’ll need it.
  • If the organization has a mission, but information security governance is miss-aligned, we’ll run into all sorts of issues. Issues can include lack of business “buy-in”, angry/disgruntled personnel, culture problems, constantly changing direction (without progress), miss-appropriated funds, etc.
  • If you don’t know whether your organization has a mission, go find out! It’s like really important.
• No Roles and Responsibilities – Start with a simple question, “Who’s ultimately responsible for information security here?” Too many organizations have no answer or a crappy answer to this fundamental question. From there, begin to define all the things that need to be done (responsibilities). Assign responsibilities to people (roles), and you’re on your way to better governance. People don’t inherently know what their role is or what their responsibilities are. Define and enable.
• No Accountability – Holding people accountable just makes sense. Roles, responsibilities, and rules without accountability are all empty; they’re useless.
• Poor leadership – Not just business leadership, but information security leadership. We have a lot of CISOs, directors, and managers in this industry, but not enough leaders. Leaders define direction and become people that other people want to follow. Can you think of an information security leader you didn’t want to follow? Don’t be that person.

Governance just for the sake of governance is dangerous. Bad governance is the sort of governance that makes me/us cringe. Ick!

Good Governance

Good governance is attainable, and it’s beautiful.

We already mentioned the key, it’s alignment.

This is where there’s harmony between the business and information security. The purpose of the information security program fits nicely within the organization’s mission, and even drives the mission forward. Management sees the value with information security. They understand how information security is vital to the organization’s mission and not just a cost center. Management champions the cause because they get it.

Information security doesn’t get in the way, it’s part of the way.

Roles and responsibilities are clearly defined, well communicated, and everyone is enabled to do their part. Information security is part of the culture. Accountability isn’t punitive, but empowering. There are incentives for doing good things instead of punishments for making mistakes.

This sort of governance is led by information security leadership who has a vision for information security. The vision clearly benefits the organization as a whole, not just the security team or IT. The vision is clear and people can see how it benefits them personally. They don’t just tolerate information security, they want to be part of it.

Information Security – The Game

Good governance can work like a good board game.

• Alignment – We play a board game for a reason. We want to have fun, we want to win, we want to socialize, or whatever. It’s an enjoyable experience, and we’re all sitting down at the table together for a reason.
• Roles and Responsibilities:
  • Management – In a board game, someone defined the rules for playing the game. We need to define the rules for our information security game. Don’t lose track of the purpose (See: Alignment).
  • Information Security Leadership – They helped design the game with business management, so they should be experts on how the game is played. This is also the person who sits down, reads/understands the rules for the game, then helps the players play the game correctly.

Quick Question: In a board game, how many people read the instructions?

Answer: One. One person reads the rules, disseminates the rules to the other players, and instructs people how to play.

Seems logical.

Another Quick Question: Why do we ask everyone to “read and acknowledge” information security policies (in a poorly governed security program)?

Answer: You shouldn’t. It’s bad governance and a bad precedent. Nobody will read your policies!

• • Employees – The players. They’re expected to play the game according to the rules. They understand the importance of the rules, and understand the reason for the game. They may want to win (positive reinforcement), enjoy the experience, or whatever else motivates them.
• Accountability – As the game is played, it’s played according to the rules. One player isn’t permitted to define his/her own rules or cheat. Accountability is built into the game.

Conclusion

Good governance is critical to the success of all information security programs. The definition of “good” depends upon your organization’s mission, but in all cases it’s supported by alignment, roles and responsibilities, accountability, and leadership.

Basically, three options:

1. No Governance = Anarchy
2. Bad Governance = Chaos, waste, loss, false sense of security, mutiny, etc.
3. Good Governance = Harmony, effectiveness, simplicity, relaxation, calm, value, etc.

You make the choice (assuming you’re empowered to), but I’ll choose option #3 please.

Honorable Mention for “G”

Again, many great suggestions from friends. Here are the honorable mentions for the letter G:

• Gamification
• GLB Act or GLBA
• Governance, Risk And Compliance (GRC) – NOTE: actually three different (but related) things rolled into one; good for selling more stuff.
• Gray Box Testing
• Group Policy Object (GPO)

OK, now to figure out what “H” will be…