“Good Security Governance” is not a Piece of Useless Consultant Jargon

Jean-Christophe Gaillard
August 24, 2020 Big Data, Cloud & DevOps

It is an essential protective layer for any organisation.

Irrespective of what many of us may say or write, the cyber security agenda remains dominated by products and technology.

Of course, the problem has a technical dimension and the protection of any firm against cyber threats will require the application of technical countermeasures at a number of levels.

But there are countless tech vendors and service providers out there trying to sell their products as the silver bullet that will protect you from anything, and countless small firms still hold simplistic views on cyber threats: “We’re fine; all our data is in the cloud.”

For any organisation above a certain size, effective and efficient protection can only result from the layered application of protective measures at people, process and technology level. And in that order.

It has to start with people. And that doesn’t mean rolling out a security awareness programme. Middle management has always had the tendency to jump straight into the solution space on the back of a simplistic analysis of the problem, but at the heart of the “people” aspects of any security strategy lie issues of corporate culture and corporate governance.

“Good security governance” is not a piece of useless consultant jargon. It is an essential protective layer for any organisation.

It ensures a visible endorsement of security values from the top down, brings clarity around security roles, responsibilities and accountabilities across the whole organisation and, more importantly, it is the cornerstone that gets things done around security through an effective and efficient layer of reporting.

Only the actual execution of security measures (i.e. the actual deployment of security processes and the technology required to support them) will protect the business. And that’s where many organisations, large and small, have failed over the past decades in spite of colossal investments in cyber security. Security projects get deprioritised halfway through or focus only on non-existent low-hanging fruit; over time, people get demotivated and leave; nothing gets finished and half-baked “solutions” proliferate. According to a recent survey by Cisco, the average organisation now uses 20 different security technologies.

Let’s get this straight: this is plain governance failure, and it has been plaguing organisations, large and small, around security for the best part of the last two decades.

To avoid those mistakes, break that spiral, and target the management and governance roadblocks which have prevented progress in the past, most organisations need to act at three levels:

First, get a good understanding of your current security maturity posture and set realistic timeframes around change. Change takes “the time it takes” and there may be no quick wins.

Then, be objective about the skills and resources you have to deliver change and set realistic improvement goals. Jumping straight to ineffective “virtual CISO” solutions in the hope of making the problem disappear will not help if nobody is there to execute.

Finally, stay focused. Security transformation often involves a change in mindset which needs stability to develop and takes time to set in. Changing direction or priorities every time something happens in the business or elsewhere will simply kill any transformational momentum around security.
