The sophistication and persistence of cyber-attacks are driven by the attractiveness of an organization’s role and assets. Often they are conducted by highly skilled international organized crime groups or foreign nation states that aim their attacks not just at government entities, but also at corporations, including those with large-scale financial and credit card assets and foreign investments, and those in the strategic resources sector.

These sophisticated threat actors seek to exploit a range of weaknesses in the target environment—weaknesses that proliferate as customers, citizens and institutions become increasingly digital. In CGI’s experience, these weaknesses or gaps are found not just in technology, but also in procedural safeguards or vulnerability management practices. The best technology in the world, if poorly applied or employed, cannot provide a sufficient defense against such threats.

Too often we see organizations implement technical security safeguards, but fail to implement proper security policies or procedures. As a result, weak practices persist that undermine security and expose assets to significant risk. The reverse is also true and may pose an even greater threat. Leaders in organizations may be confident that they have defined security policies and standards, but are unaware that, in actuality, those policies and standards have not been implemented consistently within the enterprise. In either case, this is an uncontrolled risk for which they are accountable.

Adequate security and governance of information assets no longer can be achieved on an ad hoc basis, nor addressed by technology alone. A holistic approach is needed that applies effective risk management and good governance throughout the organization, with the key values of visibility, accountability and responsibility exercised at all levels.

Based on working with clients across various industries, we’ve developed 10 measures for good IT security governance to help organizations better manage risks and achieve security resilience while they reap the benefits that will come from their digital transformation:

  1. Establish governance from the top down, from the board level through the C suite.
  2. Develop and implement a risk management approach and an overarching corporate security policy that is aligned to business requirements and processes.
  3. Establish, or incorporate into the current risk structure, an IT Security Executive Risk Review Board (ERRB) as defined in your overall risk management strategy.
  4. Appoint a corporate IT security authority, preferably with a different reporting chain than those responsible for IT operations. Clearly identify roles and responsibilities.
  5. Establish an internal audit and review authority with direct lines of communication to the ERRB.
  6. Establish and implement an audit and review compliance framework, ensuring that its goals and objectives are known throughout the organization.
  7. In conjunction with the lines of business, identify the assets and critical information and the threat and associated risk.
  8. Develop and implement a series of security controls and associated procedures, with responsibility and accountability as defined in the RACI model for risk management.
  9. Create, deploy and ensure participation in a mandatory security awareness program, so that personnel understand their responsibilities and what the risk management and security controls are intended to achieve and why.
  10. Review all elements of the program on a regular basis to make adjustments as necessary to ensure that risks are being effectively managed in a balanced manner that accommodates business needs

I invite you to read more on this topic in our white paper on IT Security Governance.

About this author

Burns MacDonald

Burns MacDonald

Director, Consulting Services, CGI

Burns has more than 30 years of experience in IT and security working with government and industry clients. Projects have included IT security, policy and planning, risk and threat policy analysis, command and control, technical assessment and evaluation, knowledge interfaces, and business performance considerations. He ...