IT Governance May not be Sexy or Exciting, but Makes IT Easier Overall

How IT Governance Enhances Cybersecurity

IT governance plays a crucial role in strengthening cybersecurity within organizations by ensuring that cybersecurity strategies are aligned with overall business objectives and risk appetites. This alignment is essential for effectively managing cybersecurity risks and ensuring that security measures support the organization’s goals. (This IT governance explanation comes from a few places, including a LinkedIn post by Oladipupo Adeosun.)

How is that possible? Because the board or executives, even in a smaller company, drive the company’s needs through their business objectives. If a business has objectives like fulfilling sales and services for customers, then it stands to reason that a certain level of technology is needed to complete those sales and services.

This is why the board and executives need to clearly delineate their goals. Once those goals are set:


1. Alignment with Business Objectives:

Effective IT governance ensures that cybersecurity strategies are closely aligned with the overall business objectives and risk appetite of the organization. This alignment ensures that cybersecurity measures are not only technically effective but also contribute to the achievement of business goals.

As IFS blog says:

Why IT governance is important

Almost every aspect of a business relies on IT in one way or another, so IT activities are impossible to ignore or leave unchecked. And the fact that it falls under overall corporate governance further means organizations shouldn’t take IT governance lightly. Here’s a quick summary of five reasons why.

Ensures regulatory compliance

As mentioned previously, organizations must follow set standards to promote transparency, fairness, and accountability in their business. Not keeping an eye on your IT activities can easily land a company in hot water. Having an IT governance process in place means that you can maintain good practices within the organization and are in compliance with key regulations.

What could encapsulate governance succinctly? How about this from OCEG?

What is GRC (Governance, Risk, and Compliance)?

GRC stands for Governance, Risk, and Compliance and is a concept that was originated by the Open Compliance and Ethics Group (OCEG) in 2002.

GRC is the integrated collection of capabilities that enable an organization to achieve Principled Performance – the ability to reliably achieve objectives, address uncertainty, and act with integrity.

What are all the different possible GRC methods to use for a company?

Besides OCEG.org itself, of course (since they initially coined the term and have a framework as well at their site):

  • COSO (Committee of Sponsoring Organizations of the Treadway Commission): This framework emphasizes internal controls and risk management. It provides a comprehensive approach to governance and risk management, helping organizations achieve their objectives while managing risks effectively:
    • The COSO IC Certificate is geared toward audit leaders, team members, and consultants who provide advisory services related to internal controls looking to establish a COSO-based audit organization.
  • ISO 31000: This international standard provides guidelines for risk management applicable to any organization. It focuses on integrating risk management into the organization’s governance structure and decision-making processes, promoting a proactive approach to managing risks.
    • In addition to addressing operational continuity, ISO 31000 provides a level of reassurance in terms of economic resilience, professional reputation and environmental and safety outcomes. In a world of uncertainty, ISO 31000 is tailor-made for any organization seeking clear guidance on risk management.
  • COBIT (Control Objectives for Information and Related Technologies): Developed by ISACA, COBIT is a framework for developing, implementing, monitoring, and improving IT governance and management practices. It aligns IT goals with business objectives and emphasizes risk management and compliance.
  • NIST Cybersecurity Framework (CSF): While primarily focused on cybersecurity, this framework provides a structured approach to managing cybersecurity risks. It includes governance aspects by promoting the integration of cybersecurity into the organization’s overall risk management strategy.
    • The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization, regardless of its size, sector, or maturity, to better understand, assess, prioritize, and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes.
  • Risk Management Framework (RMF): Developed by NIST, this framework provides a structured process for integrating security and risk management activities into the system development life cycle. It emphasizes continuous monitoring and improvement, aligning closely with GRC principles.
    • The Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.
  • ITIL (Information Technology Infrastructure Library): Although primarily a service management framework, ITIL incorporates governance and risk management principles, particularly in its service design and continual service improvement stages.
    • ITIL was originally created by the CCTA under the auspices of the British government, and ITIL is a registered trademark of the UK Government’s Office of Government Commerce (usually known as the OGC).


To recap, the 7 frameworks mentioned above are:

  1. OCEG.org
  2. COSO framework
  3. ISO 31000
  4. COBIT
  5. NIST CSF
  6. NIST RMF
  7. ITIL

Why would one use any of the above frameworks to manage their information technology and ultimately their business? Besides a legacy reason (because we did it 10 years ago), it likely has to do with government involvement (e.g. a US defense company likely must use a NIST framework, maybe even both).

Or if in the UK then ITIL is the framework to use.

But choosing COBIT, GRC, COSO or ISO 31000 likely has to do with the company’s beginnings and whether the personnel were already well versed in, for example, ISACA’s COBIT. (For instance, I have a CISA certificate, which makes learning COBIT an easy extension.)

What if I asked my favorite AI program:

Why Use ISO 31000 Versus COSO, OCEG.org’s GRC, COBIT, or NIST Frameworks?

Introduction

Organizations face a myriad of risks that can impact their operations, reputation, and financial health. To manage these risks effectively, various frameworks have been developed, each with its unique focus and strengths. This report explores why an organization might choose ISO 31000 over other popular frameworks such as COSO, OCEG.org’s GRC, COBIT, or NIST.


ISO 31000

ISO 31000 is an international standard that provides guidelines for risk management. It is designed to be universally applicable across different industries and sectors, offering a flexible and robust approach to managing risks.

  1. Universal Applicability: ISO 31000 transcends industry boundaries, making it suitable for a wide range of sectors. Its guidelines are flexible and robust, catering to diverse organizational needs.
  2. Comprehensive Approach: The framework emphasizes integrating risk management into an organization’s overall governance, strategy, and planning. It aims to create a risk-aware culture and enhance organizational resilience and agility.
  3. Broad Audience: ISO 31000 is written for a broad audience, making it accessible to various stakeholders interested in enterprise risk management (ERM).
  4. Flexibility in Implementation: Implementing ISO 31000 involves adhering to its principles and creating a risk management strategy from scratch, allowing for broad applicability across different types of organizations and industries.

COSO Framework

The COSO framework is primarily focused on internal control and enterprise risk management, emphasizing financial reporting and fraud prevention.

  1. Internal Control Focus: COSO is structured around five core principles: control environment, risk assessment, control activities, information and communication, and monitoring activities. It is particularly strong in areas related to financial reporting and fraud prevention.
  2. Holistic Risk Management: COSO takes a holistic view of risk management, integrating it with an organization’s strategy and objectives. This makes it suitable for organizations seeking to embed risk considerations into their core operations.
  3. Detailed and Prescriptive: The framework provides a more defined, structured process that involves detailed components and inherent risk assessment as integral steps of the approach.

OCEG.org’s GRC

OCEG.org provides the GRC Capability Model, which integrates principles from various frameworks and standards to offer a comprehensive approach to governance, risk management, and compliance.

  1. Integrated Approach: The GRC Capability Model integrates principles from multiple frameworks, providing a cohesive approach to governance, risk management, and compliance.
  2. Decision-Making Focus: The model emphasizes enabling informed decision-making to help organizations achieve their objectives.

COBIT Framework

COBIT is specifically engineered for IT governance and management, bridging the gaps between control requirements, technical challenges, and business risks.

  1. IT Governance Focus: COBIT is designed to help organizations ensure effective and efficient use of IT resources while managing IT-related risks. It aligns IT operations with corporate governance.
  2. Targeted Audience: COSO’s framework is more targeted towards accounting and auditing professionals, making it particularly relevant for organizations with significant financial reporting requirements.
  3. Detailed IT Guidance: COBIT provides detailed guidance on IT security and outlines how to build an IT landscape that prevents fraud.
  4. Complementary Use: COBIT can be used in tandem with other frameworks like COSO to provide comprehensive coverage for IT governance and internal controls.

NIST Framework

The NIST Cybersecurity Framework focuses on cybersecurity and risk management, providing a structured approach to managing cybersecurity risks.

  1. Cybersecurity Focus: NIST is primarily focused on information security risk management, making it widely used in government agencies and organizations handling sensitive information.
  2. Structured and Quantitative: The framework offers structured and quantitative approaches for managing information security risks.

Conclusion

Choosing between ISO 31000 and other frameworks like COSO, OCEG.org’s GRC, COBIT, or NIST depends on the specific needs and context of the organization. ISO 31000 offers a flexible, universally applicable approach suitable for a wide range of sectors and risk environments. In contrast, COSO provides a more structured and detailed process, particularly strong in financial reporting and fraud prevention. OCEG.org’s GRC integrates multiple principles for a comprehensive approach, while COBIT focuses on IT governance, and NIST specializes in cybersecurity risk management. Organizations may also consider combining elements from multiple frameworks to develop a robust and tailored risk management strategy. By understanding the strengths and focuses of each framework, organizations can select the most appropriate one or integrate elements from several to effectively manage their risks and achieve their objectives.


As is typical when comparing such large frameworks, one can see that the decision is not an easy one and would likely be swayed by personal reasons (I understand X framework more than Y framework). But NIST frameworks would have to be used if in the defense or other US government-related market. COSO seems to be focused on financial controls, and ISO 31000 may create a good supply chain connection.

A follow-up question produces this answer:

ISO 31000 for Supply Chain Companies

  1. Comprehensive and Flexible Framework: ISO 31000 is an international standard that provides a comprehensive framework for risk management, applicable to any organization regardless of size, type, or sector. This flexibility makes it suitable for supply chain companies that deal with diverse and dynamic risks.


I was reviewing these items and it dawned on me: I wonder if there is a framework built for small businesses?

So I asked my fav AI the question:

Best Cybersecurity Framework for Small Businesses

For small businesses with fewer than 50 employees and multiple locations, selecting an appropriate cybersecurity framework is crucial for protecting sensitive data and maintaining operational integrity. Here are some recommended frameworks that are particularly well-suited for such environments:

1. NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework is widely regarded as one of the best options for small businesses. It provides a flexible and cost-effective approach to managing cybersecurity risks. The framework is structured around five core functions: Identify, Protect, Detect, Respond, and Recover. This structure helps businesses assess their current cybersecurity posture and implement necessary improvements.

2. CIS Controls
The Center for Internet Security (CIS) Controls is another excellent framework for small businesses. It consists of a set of best practices designed to mitigate the most common cyber threats. The CIS Controls are straightforward and can be implemented incrementally, making them accessible for businesses with limited resources.

3. ISO/IEC 27001
While more comprehensive and potentially resource-intensive, ISO/IEC 27001 is a globally recognized standard for information security management systems (ISMS). It can be beneficial for small businesses looking to establish a formalized approach to managing sensitive information and ensuring compliance with various regulations.

Key Considerations

  • Scalability: Choose a framework that can grow with your business. The NIST CSF and CIS Controls are particularly scalable.
  • Resource Availability: Consider the resources (time, personnel, budget) available for implementing cybersecurity measures. Frameworks like CIS Controls are designed to be practical for smaller teams.
  • Compliance Needs: If your business operates in a regulated industry, ensure that the chosen framework aligns with compliance requirements.

By adopting one of these frameworks, small businesses can significantly enhance their cybersecurity posture, reduce risks, and protect their assets effectively.


It is interesting that for a small business that may want to scale, a combination of NIST CSF and CIS Controls may be wisest, or at least worth a review.


Contact me to help you conduct a review.