GRC: Be connected!: about information security governance


The third session in the GRC: Be connected! series focuses on the context of information security through governance. The use of COBIT is strongly advocated throughout.

In information security, a key role is played by the Chief Information Security Officer (CISO). Filip De Wolf, Director of Approach Belgium, paints an in-depth picture of the many and diverse skills this person has to master. So many and diverse, in fact, that finding them all in one person would be as rare as spotting a white raven. Starting from the Wikipedia definition, De Wolf describes the CISO as a senior-level executive whose success depends on the culture and governance of the company. Reporting to the CEO often results in getting things done faster! And do manage expectations.

The required skills are executive in nature (business acumen, identifying the crown jewels), policy-related (policies must be realistic, understandable and in line with legal requirements), and risk management expertise. Furthermore, people management and communication soft skills are crucial. This includes being stress resistant and willing to call your CxO at any time, even at 2am if needed (and without fear of being kicked out). And there are even more skills (project and change management, and so on). Too many skills? His advice: start an office of the CISO that brings these skills together. And do get people – including top management – involved through tests and exercises (without actually organizing an attack on your own company, of course).

In ‘A perspective on security & risk governance’, Karine Goris, Head of Digital Security, IT Risk & DRP at Belfius, proposes a ‘four steps’ approach to define a security governance that works in your company. Every step concludes with a ‘checklist’.

It starts with the absolute necessity of ‘know your business’. Security must understand the context of the business (strategy, operations, assets) and the risks involved, including the real risk appetite (as this determines your mandate). Do keep abreast of changing business models and the attacks that come with them.

Next you outline a framework, mapping the business risks on information security principles. Express this in your company’s ‘mission, vision and values’, followed by an information security policy, and a charter. Make sure that all of this is understandable, validated by the board and visible throughout the company.

Having set the scene, the third step relates to defining the information security process. Do your risk assessment and bring everything together as input to that process. The process requires technology-based controls, but also people and process controls! And it must demonstrate its effectiveness and efficiency through output for assurance dashboards, which allows for corrective measures.

Step four provides a reflection moment, as a step-up to continuous improvement. That is, you start all over again.

The third presentation had Prof. Georges Ataya, Solvay Brussels School of Economics & Management, explaining how COBIT performs exquisitely as a ‘digital governance framework for information security activities’. Like an express train, Prof. Ataya expounded in an introductory COBIT course how this ‘mother of all frameworks’ can bring value to information security, with value creation through benefits optimization, risk optimization and resources optimization. Following a general overview, he discusses how stakeholder drivers and needs cascade down to governance and management objectives (e.g. risk optimization). He ties in how the ‘plan, build, run, monitor’ approach and the seven governance components apply to each governance and management objective.

Furthermore, Prof. Ataya points out that introductory documents on COBIT are available for free (PDF format): ‘COBIT 2019 Framework: Governance and Management Objectives’ and ‘COBIT 2019 Framework: Introduction and Methodology’.
