Information Technology and Information Security Governance

Published on July 23, 2025


The CIS Critical Security Controls (CIS Controls) are a set of prioritized, prescriptive actions for defenders to protect against the most common and important real-world cyber attacks. The CIS Controls are essential to cyber hygiene, and this foundational level includes information security (IS) governance. Within this prioritized list of best practice recommendations are 26 Safeguards that specifically support the Governance security function. Governance links business risks with technology controls to demonstrate the value that effective guidance brings to the maturity of any cybersecurity program.

Governance is at the core of all controls, regulations, frameworks, and guidelines, even when they’re not specifically touted as such. For instance, Controls v8.1 aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) security function categories, which recently emphasized Governance in the CSF 2.0 release. It also helps answer the question: Why do we implement a specific Safeguard? There are many reasons we do, but most often it comes back to an enterprise’s desire to establish an information security program to protect its business. This information security program — and the choice to implement it down to the finer details — is governance.

For years, the Center for Internet Security® (CIS®) has been asked why there isn’t a governance Safeguard in the Controls. The answer is that governance guidance and decisions are what bring an enterprise to use the Controls. A security program is created and put in place to protect the business — to specifically protect from cyber threats and to meet compliance requirements. Just as ransomware can prevent the business from making money, not being compliant might prevent the business from participating in some markets or business actions (such as accepting credit cards).

Governance is not static; it will evolve and expand with the business based on new business risks and technical capabilities. Governance is a journey and not a destination, whereas compliance is a destination. And we’ve seen for years that enterprises which are “compliant” but not “secure” can still be compromised.

Download our paper to take a journey through governance from a leadership perspective — how it applies to the Controls, how your enterprise determines the value and current governance you already have, and what you should consider creating or how you can mature your existing governance program.

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.