Level 3 of cybersecurity: governance

The accelerating rate of digital transformation plays a major role in cybersecurity. Cyberattacks are multiplying and becoming more sophisticated as our daily activities become increasingly dependent on technology. In our last article, “How mature is your cybersecurity?: Understanding the 3 levels,” we tried to demystify the topic and underline the importance of working with partners in the current context. We discussed how today’s businesses are inundated with cybersecurity tools and, as a result, with alerts. How can companies take action and manage the growing number of cyberattacks? Today we’ll be discussing the third level of cyber protection: governance. Among its many advantages, governance lets you become and remain proactive and set a cybersecurity risk level that is appropriate for your organization.

Level 3: Governance: To get and stay proactive  

What is IT governance?  

Governance is the process that oversees the other two levels of cybersecurity (basic and advanced security) and needs to be strategically aligned with the company’s business objectives. However, one study found that “77% of spending is focused on defensive information security and compliance rather than proactive measures and opportunities to support transformative growth.” Companies would fare better if they invested more in solutions that cover more than the technical aspects.

Governance refers to the idea of integrating cybersecurity into every initiative and change. It is largely an executive responsibility and is a part of corporate governance that involves developing a management approach for risk and policies, which needs to be clearly communicated. Stakeholders should be assigned roles and responsibilities and companies should designate an authority for audits and internal reviews. Without customized governance and risk management, security solutions only provide a false sense of security.  

How do I know if my company has strong enough cybersecurity?  

There are different assessment tools that can demystify cybersecurity and support you in your transformation projects. The different framework types let companies evaluate their current cybersecurity situation to identify areas for improvement. This is an important analysis and helps organizations reposition themselves to better respond to various threats.  

Is a cybersecurity assessment enough for my company to be well protected? In reality, simply having cybersecurity tools is insufficient. You not only need to build your cybersecurity environment, but you also need to ensure your tools, policies and processes are used wisely. Managing an organization’s security in this way is what is meant by governance, a role usually under the responsibility of a Chief Information Security Officer (CISO). In organizations without a dedicated CISO, the role generally falls to IT staff, and it can be complex to manage without the proper expertise. The CISO’s tasks include anticipating, assessing and managing new and emerging threats. The CISO must work closely with the other departments to ensure IT security objectives are aligned with everything else in the organization (e.g. procurement, partner relationships, risk management).

Managing your own cybersecurity vs. outsourcing  

It’s important to note that when facing such a complex and constantly changing issue, an annual assessment is not enough; you need to conduct regular assessments. However, a full-time employee (like a CISO) may be costly and difficult to find in the current labour shortage. This is why the demand for hiring a CISO-as-a-service (CISOaaS) has significantly grown. CISOaaS involves delegating the IT security responsibilities to a third-party service provider. This option allows small- and medium-sized businesses to use cybersecurity services as needed without having to hire a full-time employee.  

What is the reality of IT governance?  

The reality is that companies have a number of options to consider for their IT governance. As mentioned previously, you can have a full- or part-time CISO or use external services. The important thing is to have ongoing access to the right resource who has the necessary expertise and an understanding of your organization, your challenges, your limitations, etc. And why is ongoing access to this resource so important?  

1. Security is an ongoing process from the moment it is implemented. Beyond having someone who can assess and mitigate risks on a regular basis, this expertise helps ensure that security is part of your everyday operations and is integrated into each of your activities from the start.

2. Customized policies. Working with the right resource helps you manage incidents at the right level of responsibility. In other words, it makes it possible to have an incident management policy that is not restricted to major incidents and that lets the appropriate people take ownership.

3. Your partners’ trust. Having a resource, whether internal or external, who closely oversees your cybersecurity and ensures efforts are distributed sensibly reinforces the sense of security for your business partners (clients, service providers, etc.). It is added value for them.

4. Contract management and partner protection. Having a CISO also builds trust when assessing partners’ cybersecurity and drafting contractual clauses. For example, even when your partners access your data and applications through services in secure environments (e.g. cloud, SaaS), they are not immune to attacks on their own environments. You therefore need to set rules, in this case requiring partners to notify you when they suffer an attack.

5. Responsibility management. Having an ongoing resource also lets you define roles and responsibilities in the event of a cyberattack.

Despite all the efforts already in place, your company will need to adapt constantly, since cyberattacks happen to every organization. This is why it is essential to establish appropriate governance and take a proactive approach to cyberattacks. Governance also gives you a clear view of the threat landscape and of the measures to implement according to your obligations, industry and capacity.

Now that you better understand the different levels of cybersecurity, there is another issue to consider: how far can you take your cybersecurity without undermining user-friendliness? The more sophisticated the security systems, the more steps and processes are involved. It’s important to agree as an organization on what is most important and strike a balance between introducing cybersecurity measures and minimizing impacts on the operations of the company and of stakeholders. When considering these issues, it is increasingly important to opt for a technical and strategic level of support and a partner who can guide you and assist with the transition and changes you may face on your journey to improve your cybersecurity.  

Discover how Talsom’s expertise can protect your organization through its digital transformation from start to finish.  

Learn more about Talsom.

How mature is your cybersecurity: Understanding the 3 levels

In our hyperconnected world, as every sector of society is becoming digitalized and increasingly technology-dependent, cyberattacks are also multiplying and becoming more complex, which has led to a spike in spending. According to the Canadian Centre for Cyber Security, approximately 38.5 billion devices will be connected to the Internet by 2025, and cyberattacks will occur every 39 seconds. The global information security market is expected to be worth nearly US$175 billion by 2024. On top of all that, the COVID-19 pandemic has led to a significant surge in cyberattacks. The shift to remote work has made companies more vulnerable and subsequently forced them to tighten their security measures.  

Given today’s breakneck pace of digital transformation, it’s important now more than ever to consider how cybersecurity should be integrated into transformation projects at every level. Cybersecurity goes well beyond antivirus software. It means having the right skills to protect your assets and minimize risk.  

Though you might be familiar with the concept of cybersecurity, it can still be hard to fully grasp. That’s why we’ve enlisted Frédéric Claudinon, an IT Strategy and Management Consultant, to break down everything we need to know about cybersecurity, including what it entails today and the importance of choosing good security partners. Strategic partnerships support you throughout your digital transformation and enable you to maintain high levels of security without you having to make major investments in tools, additional expertise and human resources. So when reviewing your digital transformation strategy, it’s key to think about how you will manage cybersecurity and integrate partners. Even if you believe that your team is hitting their performance goals, it is always difficult to identify blind spots. Receiving support and guidance from qualified experts is the best way to ensure you’re not overlooking any aspect of your cybersecurity.  

The 3 levels of cybersecurity for your transformation projects  

Unless you have your own cybersecurity team and a high degree of organizational and technological maturity, you’re probably overwhelmed by flashing indicators everywhere: alerts, events, investigations, incidents, vulnerabilities. But where to begin? Let’s start with the basics. Cybersecurity is actually simpler than you may think. Essentially, you set up barriers, keep an eye on what’s going on and then govern everything. In order to seamlessly tackle any and all cyberchallenges, it helps to break down cybersecurity into 3 different levels: basic services (barriers), advanced services (monitoring) and governance.  

Level 1: Basic services to secure the perimeter  

To begin with, picture the foundation of cybersecurity as a security perimeter, i.e. a barrier that protects all of the organization’s internal data. Most companies rely on a set of basic services (firewall, proxy, antivirus, etc.) to prevent outside threats from breaching the perimeter, i.e. from accessing internal information.

Basic security measures explained  

Nowadays, basic security solutions are no longer so straightforward. Most industries are feeling the effects of the COVID-19 pandemic, and cybersecurity is no exception. While remote work was, of course, necessary, it has also made it more challenging to keep company data secure. Attackers exploit the larger attack surface created by the additional access points that remote work requires. Organizations have had to adapt and invest in strengthening their systems to regain the level of security they had before. Whereas the “perimeter” once extended only around the company’s premises, it now includes remote employees. This shift has required a different approach to managing access and software.

Expanding these services beyond the office doesn’t stop there. All industries are currently grappling with the global labour shortage. With fewer employees at their disposal, many organizations have started outsourcing some operations. As a result, external partners must be securely integrated into the company’s ecosystem. But how do you make sure your partners’ access to the environment is secure? You have a number of options, including desktop virtualization, which is fast, easy and effective: external partners connect to a virtual desktop inside your company’s IT environment rather than to your network directly, provided that virtual desktop is itself protected (strong authentication and access limited to what the partner actually needs). This also helps address labour shortage issues by letting external partners work remotely in your environment.

Level 2: Advanced services to monitor the perimeter  

Advanced solutions let you identify and anticipate incidents that the basic services alone cannot prevent. They include a number of detection tools that target abnormal behaviour in your network, some of which may require further investigation (e.g., mass deletion or sharing of files, repeated access attempts, ransomware activity, etc.). You can then add increasingly sophisticated detection tools that not only spot threats but also respond to them automatically. Other, even more advanced tools let you see and analyze what’s happening outside the perimeter (e.g., on the Dark Web), which could be important given the nature of your company. Advanced services can also deal with vulnerabilities. Vulnerability scanners examine your systems and detect potential weaknesses. However, for these tools to be effective, you have to be able to apply the appropriate fix (a patch or configuration change) or at least mitigate the risk. This is all the more important when your company carries significant technical debt or a high concentration of vulnerabilities.

Advanced security measures explained  

That said, it is important to stress that this second level is not only about installing new protection and monitoring software, but also about being able to follow up and maintain it, with either internal or external resources. These combined solutions, which we refer to as advanced security, can actually become a source of added risk if you are overwhelmed by alerts without being able to act on them. One way to collect and centralize alerts is through SIEM (security information and event management) software. However, just because all the data from antivirus, logs, firewalls and other systems is in one place does not mean you’ll have fewer alerts: a SIEM only reduces volume if correlation rules are written to group related events into a single alert. And that’s not all. As malware becomes more sophisticated, the software must adapt too. Antivirus alone is not enough. Some companies are adopting more intelligent emerging solutions, like endpoint detection and response (EDR), which continuously records activity on endpoints (processes, file changes, network connections) and sends that telemetry to a central store where it can be searched and acted on.

Once again, the problem is the number of alerts that companies have to contend with. Employees are exhausted by the sheer amount of information to keep track of. This “alert fatigue” can desensitize them to the threat of cyberattacks. So, how can companies cope with the ever-increasing number of alerts? Again, outsourcing may be the solution. For advanced services, you can look into a managed security service provider (MSSP), an outsourced service that monitors and responds to incidents around the clock to maintain an acceptable security posture. The onslaught of advanced security alerts and increasingly complex and frequent cyberattacks require businesses to find solutions, often outside the company, in order to be as vigilant as possible.
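To make the Level 2 points concrete (detection of repeated access attempts and mass file deletion, and why centralizing data in a SIEM does not by itself reduce alert volume), here is an added example in Python that is not code from the original articles or from Talsom. It runs two simple correlation rules over constructed log lines and emits one aggregated alert per suspicious run of events instead of one alert per event. The log field layout, the thresholds, the rule names and the sample data are all assumptions made for the illustration.

```python
"""Toy SIEM-style correlation over constructed log lines.

Added example: raw security events are grouped into a handful of aggregated
alerts instead of one alert per event, which is how correlation rules cut the
volume an analyst has to look at. Field layout, thresholds and rule names are
assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Fields:
# timestamp user source_ip action target
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice 10.0.0.5 login_failed server1
2024-03-01T09:00:03 alice 10.0.0.5 login_failed server1
2024-03-01T09:00:04 alice 10.0.0.5 login_failed server1
2024-03-01T09:00:06 alice 10.0.0.5 login_failed server1
2024-03-01T09:00:08 alice 10.0.0.5 login_failed server1
2024-03-01T09:00:09 alice 10.0.0.5 login_success server1
2024-03-01T09:15:00 bob 10.0.0.7 login_failed server2
2024-03-01T09:15:20 bob 10.0.0.7 login_success server2
2024-03-01T10:00:00 carol 10.0.0.9 file_deleted /share/docs/q1.xlsx
2024-03-01T10:00:01 carol 10.0.0.9 file_deleted /share/docs/q2.xlsx
2024-03-01T10:00:01 carol 10.0.0.9 file_deleted /share/docs/q3.xlsx
2024-03-01T10:00:02 carol 10.0.0.9 file_deleted /share/docs/q4.xlsx
2024-03-01T11:00:00 dave 10.0.0.11 file_deleted /home/dave/tmp.log
2024-03-01T11:05:00 dave 10.0.0.11 file_deleted /home/dave/old.log
"""


def parse(log_text):
    """Turn one log line per event into dicts with a real datetime."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, source, action, target = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "source": source, "action": action, "target": target})
    return events


def find_bursts(times, threshold, gap):
    """Group timestamps into runs where consecutive events are at most `gap`
    apart; return (start, end, count) for each run with at least `threshold`
    events. One run becomes one alert, however many events it contains."""
    times = sorted(times)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[j] <= gap:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((times[i], times[j], count))
        i = j + 1  # the whole run has been examined either way
    return bursts


def correlate(events, gap=timedelta(seconds=60), login_threshold=5, delete_threshold=3):
    """Apply two correlation rules and return aggregated alerts."""
    failed, success, deleted = defaultdict(list), defaultdict(list), defaultdict(list)
    for e in events:
        if e["action"] == "login_failed":
            failed[(e["user"], e["source"])].append(e["ts"])
        elif e["action"] == "login_success":
            success[(e["user"], e["source"])].append(e["ts"])
        elif e["action"] == "file_deleted":
            deleted[e["user"]].append(e["ts"])

    alerts = []
    # Rule 1: repeated failed logins from one source for one account.
    for (user, source), times in failed.items():
        for start, end, count in find_bursts(times, login_threshold, gap):
            # A success right after the burst suggests the guessing worked,
            # so the alert is escalated rather than raised as a second alert.
            followed = any(end < s <= end + gap for s in success[(user, source)])
            alerts.append({"rule": "brute_force", "user": user, "source": source,
                           "count": count, "start": start, "end": end,
                           "severity": "high" if followed else "medium"})
    # Rule 2: many files deleted by one user in a short run.
    for user, times in deleted.items():
        for start, end, count in find_bursts(times, delete_threshold, gap):
            alerts.append({"rule": "mass_deletion", "user": user, "count": count,
                           "start": start, "end": end, "severity": "high"})
    return alerts


def summarize(log_text):
    """Return (number of raw events, aggregated alerts) for a log."""
    events = parse(log_text)
    return len(events), correlate(events)


if __name__ == "__main__":
    raw, alerts = summarize(SAMPLE_LOG)
    print(f"{raw} raw events -> {len(alerts)} alerts")
    for a in alerts:
        print(a)
```

Run stand-alone, the 14 constructed events collapse into two alerts: one high-severity brute_force alert for alice (five failures in eight seconds followed by a success) and one mass_deletion alert for carol (four deletions in two seconds). bob’s single failed login and dave’s two deletions five minutes apart stay below the thresholds and produce nothing, which is the point: the same raw data, fed into a SIEM with no such rules, would surface as 14 separate items for someone to triage.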

Level 3: Governance  

The final level of cybersecurity is governance, which entails understanding your organization’s stakeholders, their roles and responsibilities, establishing a systems management plan and maintaining the perimeter. To learn more about this 3rd level, keep an eye out for our next article on IT governance.  

Read the article on IT governance

If you have any questions about cybersecurity and how it fits into your organization’s digital transformation, contact us! We have helped many clients incorporate cybersecurity into their IT strategy and process mapping projects. By better understanding where you are, your company can figure out where it wants to go.  

Learn more about Talsom.