CISM, part 1, enterprise governance

As a basic organising principle, the post structure for this is going to align (broadly) with the Certified Information Security Manager (CISM) job practice areas:

Area                   % of exam
Governance             17
Risk Management        20
Info Sec Program       33
Incident Management    30

But, I'm going to stray from the path sometimes if it makes sense to do that.

Let's dive in.

Enterprise Governance

What is it and what does it look like?

It's the process of the gods on high (senior management) exerting control over business functions to make sure that the business meets its vision and objectives. Basically, all the stuff that you only really understand once you've been institutionalised: policies, objectives, delegation of authority and so on.

But it's not just faeces rolling down hill. Oh no no no. It's a two way process. They also want to see you dance up that hill, slippin' and slidin', with your performance indicators and reporting metrics to let them know whether the river needs to increase its flow or not.

Infosec Governance

Infosec governance is a fractal pattern of this bigger structure. It's also concerned with personnel management, vulnerability management, business continuity, risk management, and so on. It too uses metrics and scorecards to work out whether this stuff is working. 

The purpose of info sec gov is to help the business achieve its overall objectives.

Now, like all niche things, infosec managers face an issue when they feed up into the wider governance structures. No one cares about this stuff provided things work and no-one has been hacked. And, moronically, it is still culturally acceptable for people to say "I'm just no good at tech stuff," which compounds the communication problems. (How is this still a thing!? Computers have been a workplace fixture since the nineties...)

Until this attitude is fixed at a societal level, the infosec manager has to be both interpreter and teacher to the rest of the wider governance structures.

Info sec governance is (obviously) connected to other governance systems, such as IT governance. But, while some might say it's part of IT Governance, or could be, IMO those people are wrong. It's got to be independent. It's all about checks and balances. Have info sec as part of your wider IT team? You're on a hiding to nothing. 

I'm sorry Mr IT Director, but would you mind terribly delaying this multi-million pound infrastructure thing you're doing? You see, I have some sec concerns... What's that? You want to discuss it at my next performance review... oh, well, let me just check something... you know? It looks like those concerns have somehow melted away...

What does good info sec governance look like?

Well, it's basically what we just spoke about. It's having everything together so that what you're trying to achieve is clear (objectives) and how you're going to achieve it is clear (all wrapped up in a strategy). Then, it's about linking your documentation (and your thought process) to the goals of the wider business, and setting out the standards, processes etc. to which the rest of the org needs to work.

Obviously, all this stuff doesn't exist in a vacuum, so the info sec manager needs to be in a two way conversation with the wider business, and the wider operating environment. No good implementing a fortress of a sec program when the rest of the business is hell bent on "moving fast and breaking things." That's just going to lead to people bypassing you. 

That said, the law is the law, so you gotta know about rules and regs as standard. In the UK, as a starter for ten: The Data Protection Act 2018 (DPA 2018), which enacts the General Data Protection Regulation (GDPR) into UK law, governs the handling of personal data and mandates strict security protocols; the Privacy and Electronic Communications Regulations (PECR) complement it. The Network and Information Systems (NIS) Regulations 2018 impose security requirements on operators of essential services and digital service providers. Additionally, the Computer Misuse Act 1990 outlines offences related to unauthorised access to, or interference with, computer systems. The Investigatory Powers Act 2016 regulates surveillance and access to communications, relevant for managing lawful interception and data protection practices.

Plus others, plus the rules and regs that then apply to your sector...

What's really important is that good info sec governance sees its activities take place in a methodical environment, determined by written docs. It's not ad hoc. It ain't about busking it. If you can't say "this is the meeting/forum/group where we talk about x" or "this is the doc that sets out who is a member of y group" then you're not doing good governance.

Ultimately, there are two outcomes if everything goes well: improved reputation (of you, the business, the team), and more trust as a result. 

Story time

The way I see it, governance is similar to big "G" governance. At least for democracies. 

As a core principle, you have separation of powers. Judiciary vs legislature vs the executive. 

In a business, the executive is basically the CEO and their minions (C-suite folks). They can make decisions and have a massive amount of freedom, but this is constrained by organisational policy, the business's charter, and so on.

The people who decide on that are the board. They're the legislature (this analogy is already wearing thin). They vote on and set the guardrails for the C-suite.

The judges? Well, I guess that's the external operating environment. The regulatory landscape. The big "L" law. This is the thing that keeps the board and the C-suite in check.

Let's say that the CEO wants to sacrifice an employee to please the Dollar God. 

Well, first, they've got to check that the company guardrails allow them to make that sort of decision. If not, then they've got to ask the board to change the rules to let them.

Then, if the board says, "yeah, sure, but don't make a mess," there is one final "check" on the CEO: laws and regs.

Zooming into the engine rooms of the business, governance extends further and is then all about helping these three power bases interact to help the business progress. 

You've got groups meeting to draft up the sacrifice strategy. You've got another group designing the policy and accompanying scorecards to work out sacrifice rates and performance. You've got other people planning to check that people carrying out the sacrifices are doing it according to what the policy says. And... you've got the compliance people who are checking what the external laws/regs say about sacrifice. 

Ultimately, if it's good governance, then internal governance will conclude that it would not be in the business's interest to sacrifice an employee.

Good governance saves lives.