Blog Post Content

By Joe Peters
Senior Editor, MindEdge Learning

It appears as though “governance” has become the new “logistics.” To paraphrase Admiral King’s statement about the latter: we might not know what it is, but it seems to be something we all wish we had more of these days.

Starting a few years ago, “ESG”—Environmental, Social, Governance—became the new buzz-phrase in sustainability. Today, “AI governance” is the hot topic in technology. Indeed, governance—the process by which organizations make and enforce rules and decisions—is all the rage these days. Increasingly, we see “governance” pop up in job titles and descriptions, and professional development courses and credential programs have responded in kind to meet these needs.

But for those of us in cybersecurity, this emphasis is old news. For decades, the industry has championed a focus on the rules and processes by which organizations run themselves, often marrying governance with risk and compliance to form the triumvirate acronym of GRC.

There is a natural affinity between technologists and governance. The digital world is built upon order and routines. Security, like corporate responsibility, is not an after-market product—it is something that has to be baked into the people and processes of an organization. Whether you are trying to secure data, minimize your environmental impact, or prevent SkyNet from ending civilization, these things tend to hinge not on the big-picture mission, but on the detailed execution of that mission.

Therein, perhaps, lies an answer to the question begged by Admiral King’s observation. The issue isn’t the “what” of governance, it is the “how.” For example, according to Statista, data breaches in the US have roughly quadrupled in the past decade, but that hasn’t been due to a lack of publicity, regulation, or even strategic objective. It’s been due to a lack of proper execution.

Nobody wants to get hacked, but if desire alone paved the way to success, every six-year-old kicking a ball would grow up to be a World Cup champion. Corporate governance is no different—and yes, that statement presumes that board members and CEOs often aren’t far removed from six-year-olds.

Good governance is a blend of people and processes. Great people can make up for a lot of shortcomings in terms of process, but if you look at the most variable element of any organization, it is the employees. For example, in 2022 the Bureau of Labor Statistics reported that, on average, employees stay at a company for just 4.1 years. That figure is slightly less than it was a decade ago, but still higher than in the 1990s, when it hovered around 3.5 years. Given these figures, the odds are that the wireless access points at a company have more tenure than an average employee, and the break-room printer will outlast most of senior management.

These realities point in what many stakeholders may see as a less-than-desirable direction: the need to lay down some sort of rules. Good governance, however, delegates rather than dictates. In cybersecurity, practitioners have long held to a federated approach: the board sets a strategy through policy, and management then takes over, engaging employees to write their own procedures to comply with that policy.

This approach keeps things simple and direct at a high level. The board can focus on the big picture—“let’s not get hacked”—and then, as that mission propagates downward, it gains in detail and granularity, as authored by the people who are most directly affected. But as simple as this approach sounds, it takes a lot of work, trust, and even error to get it right.

Words like “policy” and “procedures” may sound pedantic, if not downright nefarious, to many in the workplace. But consider the traffic light. It is a very simple procedural control, but it facilitates smooth and safe travel at a level that could not be achieved if every motorist and pedestrian were left with the noble-sounding guidance to “do what you think is right.”

Ultimately, good governance produces that alchemy where the whole really does become greater than the sum of its parts. But we should also ponder why so many people have gotten so interested in governance these days.

It is understandable to embrace the lure of something that includes all possible contributors to the direction of a company, a charity, or even a government. Arguably, the attraction of governance as such a linchpin solution reflects the disenfranchisement of all those stakeholders. They see governance as a way to get control over something that seems out of control.

As various sectors throw their arms around governance, we have to bear in mind that systems only work if they are available and usable—another long-held tenet of cybersecurity. After all, the traffic lights managing that busy intersection are a failure if the person standing on the corner doesn’t know how to, or can’t, press the “Walk” button.

For a complete listing of MindEdge’s course offerings on cyber security and CISSP®, click here.

Copyright © 2024 MindEdge, Inc.