Why everyone working in cybersecurity needs to care about governance
October 03, 2023
Regulation of cybersecurity is only going in one direction: there’s more of it everywhere, and the common thread is the word “governance”.
No matter your role in cybersecurity, you need to care about governance.
It might be the last thing you want to think about, but ultimately, by understanding your organization’s approach to cyber governance, you’ll be better positioned to do the stuff that you enjoy rather than react to requests for yet more data or evidence.
In this article, I’ll explore the trends making cybersecurity governance more prominent and the impact on security teams.
What is cybersecurity governance?
Governance is, according to the UK’s Chartered Governance Institute, a system that provides a framework for managing organizations. It identifies:
- Who can make decisions.
- Who has the authority to act on behalf of the organization.
- Who is accountable for how an organization and its people behave and perform.
More focused, and more relevant to cybersecurity, is the CISA definition of cyber governance:
“Cybersecurity governance is a comprehensive cybersecurity strategy that integrates with organizational operations and prevents the interruption of activities due to cyber threats or attacks. Features of cybersecurity governance include:
- Accountability frameworks.
- Decision-making hierarchies.
- Defined risks related to business objectives.
- Mitigation plans and strategies.
- Oversight processes and procedures.”
While you may not think you’re involved in the governance of cybersecurity, the reality is that you will be one way or another. Therefore it’s worth knowing the impact and importance of your work in the overall security, risk, policy and governance of the organization: understanding your context in the overall picture is key.
Why is cybersecurity governance becoming more important?
It sounds like hyperbole, but your company’s value is now directly linked to your cyber strategy, procedures and governance. I’d argue this isn’t just correlated, it’s a causal relationship.
Two events in August bring it to the top of mind and reinforce the importance of governance: the US Securities and Exchange Commission (SEC) cyber disclosure announcement, and the publication of the NIST CSF 2.0 public draft.
The SEC has had enough of its cyber disclosure recommendations and guidelines being “inconsistently applied”, or simply ignored, and has now adopted the proposals made last year.
There appear to be few changes from the proposals, so our previous whitepaper is still relevant. In summary, all publicly listed companies in the US must, starting December, disclose:
- Timely reporting of material cybersecurity incidents.
- Periodic reporting of material cybersecurity incidents.
- Cyber governance policies and processes for identifying and managing risks and impacts from cyber threats, including board and management oversight and expertise.
Two of these topics relate to incident handling and disclosure, and the largest one focuses on governance. And, of course, your incident handling will require governance and oversight… So, it’s all about governance.
The proposals did include a requirement to disclose the board’s expertise, if any, in cybersecurity, and that has been dropped. However, it’s interesting to note that the word “expertise” has made it into the disclosure around governance and process.
For incident handling, as previously noted, the word “material” is open to a lot of interpretation. However, recent tests of materiality suggest that if something might influence an investor’s decision to put money down, it should be considered material. That’s a low barrier in my view. And that will need an agreed approach to determining materiality, and a process for who makes the decision… In other words, policy is needed, which needs governance.
NIST’s new Governance pillar
Barely two weeks after the SEC announcement on August 8, 2023, we saw the publication of the first public draft of the NIST Cybersecurity Framework (CSF) 2.0, which has the laudable aim to help understand, assess, prioritize, and communicate cyber risk.
NIST CSF 1.1 defined five core functions of cybersecurity: Identify, Protect, Detect, Respond and Recover.
NIST CSF 2.0’s biggest proposed change is the addition of a new function, which was implicit in previous versions, and is now called out as a function in its own right: GOVERN.
The public draft defines the govern function’s purpose as to “Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy.”
The NIST CSF also has tiers that reflect a maturity of approach. These tiers (partial, risk informed, repeatable, adaptive) remain the same. However, a slight update to language and focus sees “process” become “governance”; “program” become “management”; and “external participation” evolve to “third party risks”. This reflects the increasing prominence, and indeed maturity, of cybersecurity. And, of course, the importance of governance!
The net result of CSF 2.0 is to place more focus on the policies, procedures, risk management and structure of cybersecurity across organizations, and ensure that a continuous process is applied not only to protection and detection, but to policy and governance at the highest level.
It’s time for change in cybersecurity governance
If you’ve been holding off preparing for the SEC changes because the proposals were just proposals, then it’s now really time to get moving, especially with the added focus on governance that is coming in NIST CSF 2.0. Being able to understand, evidence and take action to improve your security posture – rather than just respond to events – is expected. That requires governance, and governance requires data, information, knowledge and wisdom.
Given that security teams consistently tell us they are spending an increasing amount of their time, in fact over 40% of their time, on gathering data and preparing reports around security, I fear this pressure is only going to get worse on already stretched staff. Something needs to change in the way cybersecurity is governed, measured and reported to remove this time burden throughout every layer of an organization.
And if you’re not in the US, or not listed in the US, consider how many regulatory bodies around the world tend to be influenced by, if not mirror, NIST. The trend for more cyber governance disclosure is real, and global, and – if not appropriately managed – may lead to yet more reporting demands on staff from operations, management and leadership.
Relying on manual reporting simply will not suffice, as the cost is too great: can you afford to increase the 40%+ reporting burden on security teams? Time is better spent acting with precision, with time to consider strategic improvements, and that time can be made by automating your data gathering, compliance, reporting, policy measurement, SLA adherence and more.
Is it time to talk to Panaseer about how we can help you automate your cybersecurity controls data gathering, analytics and insights?