Friday, June 20, 2014

Calls for Enhanced Enterprise Security Governance Starting to Steamroll


Though I've been approaching this issue from a sector-specific perspective for years, lots of what's been in the news lately (and I mean lately) is intended for all technology-enabled sectors. Which pretty much means every business and every organization that intends to maintain consistent and reliable operations in the near and mid-term future.

First off, and with origins that predated the Target breach that's credited with generating most of this activity, was DOE's Energy Advisory Committee giving thumbs up in May to a paper on this topic on Security Governance. It proposes that DOE pursue potential upgrades to how energy companies organize and run themselves from a security perspective. Titled: EAC Recommendations for DOE Action Regarding Implementing Effective Enterprise Security Governance - Outline for Energy Sector Executives and Boards, among other things, this paper lists the following "Characteristics of Effective Security Governance":
  • Clearly defined responsibilities from the board of directors to senior leadership to employees 
  • Presence of an active Security Governance board comprised of senior stakeholders from across 
  • the company 
  • An executive owner of enterprise security: with purview over IT, OT and physical security policy designated CSO or similar 
  • Striving for 100% alignment with of security with business/mission 
  • Using measurement of key indicators to increase awareness and drive improvement (with 
  • maturity tools like DOE's ES-C2M2

Then there's this from Reuters in May: Exclusive: U.S. companies seek cyber experts for top jobs, board seats, which emphasizes the concept of getting the security chief out of IT:
While a CISO typically reports to a company's chief information officer (CIO), some of the hiring discussions now involve giving them a direct line to the chief executive and the board, consultants and executives said. After high-profile data breaches such as last year's attack on U.S. retailer Target Corp, there is now an expectation that CISOs understand not just technology but also a company's business and risk management.
The Securities and Exchange (SEC) commissioner recently added his voice as well. In SEC Commissioner Calls on Corporate Boards to Address Cybersecurity, Commissioner Luis Aguilar  expresses his hope for governance improvements this way: “One would expect that corporate boards and senior management universally would be proactively taking steps to confront these cyber-risks.”

Then, from the International Association of Privacy Professionals online journal, there was Cybersecurity in the Boardroom: The New Reality for Directors, which included a list of recommendations, some of which have particular relevance for security governance and culture:
  • Develop a high-level understanding of cyber-risks facing the company through briefings from senior management and others
  • Ensure that the company has at least one committee that is responsible for overseeing and understanding cybersecurity issues, controls and procedures
  • Facilitate a culture that views cybersecurity as a business issue that all employees should understand and participate in. As part of that, companies should consider employee training and awareness programs
  • Include a cyber-expert on the company’s board of directors or receive regulator reports from a cybersecurity expert that are discussed at board meetings
So, as you can see, what once felt like a voice in the wilderness is now becoming a chorus.  Or you could say a trickle is becoming a deluge.  No matter the metaphor, will a little help from the Federal Government, and a lot more from The Real World, enterprise security governance is beginning to get the attention it deserves.

Image credit: Peter Skelton



13 comments:

image masking service said...

I have read your blog & it was really informative & helpful for us. thanks.

Unknown said...

I think this all due to the ridiculous amount of lost credit card numbers over the past little while. Security is a must and I'm glad enterprises are taking it more seriously. Personal security is important too. It all starts with personal security.

Gerald Vonberger | http://www.polosecurity.com/en/services.html

CCTV Camera in Lahore said...

At whatever point security of home or business spot is concerned CCTV or Closed Circuit Television rings a ringer first. Great post..Thanks for sharing the post.

essay helper online said...

I love reading your articles. Thank you very much. Write more.

pay someone to do my homework said...

Thanks for your answer, it is very valuable to me.

buy essay said...

Thank you for these posts and links, I will definitely look at your site.

Charlotte Smith said...

DealRoom is a perceived virtual information room pioneer in the vitality part. We convey a degree of customized client care that is bizarre in business today—supported by execution and development that our rivals can't coordinate. Our exhaustive usefulness incorporates simple transfer and ordering, world class advanced rights the board innovation,for more detail oil and gas data room please visit us.

Brainbox said...

I had previous dental work done and teeth were in terrible shape. The staff at this office were kind and helped me through the whole process. top Dental Center in Reston

Monnika Jacob said...

As far as I have analyzed, all the multinational companies have shifting their own businesses from physically to virtually. People will now work from home and this is our future. Buy Essay Online

Guard24 said...

That was informative to read you blog. Keep sharing. thanks.
https://www.guard24.ca/blog

Guard24 Security Services Edmonton said...

Really informative blog. To know more about Security services Edmonton please visit
https://www.guard24.ca/

Cyber Security Solutions said...

Thanks for sharing such an informative blogs. If you are looking for Information cyber security consulting services then connect with our experts.

Qurat Ul Ain said...

Thanks for providing us with great information about security risks.
CCTV Installation in Dubai