Cybersecurity is firmly on the critical path for digital enterprises, with board-level accountability. As reflected in the CGI Client Global Insights, there is a strong link between digital transformation and protecting the organization, as greater use of digital technology in critical value chains opens up new cyber risks.
Effective cybersecurity standards are a crucial means by which an enterprise can protect itself while ensuring security strategies and policies are implemented in a consistent and measurable manner. Standards can be simple to create and adopt, but diverse stakeholder involvement will help ensure they are viable and achieve the desired outcomes.
In this first of a three-part blog series, I explore the role of cybersecurity standards in the larger IT governance context. My future blogs will share best practices for establishing an effective standards framework and then managing and measuring standards compliance.
The need for a holistic approach
Cybersecurity standards are a key step in the IT governance process as a means for managing and containing risk to acceptable levels. To be truly effective, standards must be wholly consistent with IT governance instruments and closely aligned with enterprise cybersecurity policies, as depicted in the diagram below. The standards also must cross reference the enterprise’s external regulatory obligations and controls, such as financial or privacy regulations.
Cybersecurity Standards in the IT Governance Hierarchy
Adequate security standards and governance of information assets can no longer be achieved on an ad hoc basis, nor addressed by technology alone. Too often, we see enterprises implementing technical security safeguards, but failing to implement proper security policies or procedures. As a result, weak practices persist in undermining security and exposing assets to significant risk. (Read more on this topic in our whitepaper, IT Security Governance – A holistic approach.)
A holistic approach to risk management and governance is required throughout the enterprise, with the key values of visibility, accountability and responsibility exercised at all levels. Throughout all steps of the IT governance process, direct traceability is required to ensure effective management, audit and compliance.
In my next blog, I’ll share best practices for establishing a cybersecurity standards framework in your organization and provide some tips for communicating standards in a clear and relevant way. Meanwhile, I invite you do download our white paper: Understanding Cybersecurity Standards.