A Case Study on Cyber-Governance for Resilient Organizations

Copyright: © 2024 | Pages: 25
DOI: 10.4018/979-8-3693-3431-7.ch007

Abstract

This chapter addresses the escalating cybersecurity challenges faced by organizations, such as those in the transportation and banking industries. It highlights the disconnect between senior leaders and frontline workers, hindering effective cybersecurity governance. Recognizing the critical role of cyber-governance, it introduces a cybersecurity governance framework (CSGF) designed to assess and enhance information security (IS) governance maturity. The proposed framework encompasses cybersecurity strategy, technical asset management, information services, vulnerability and risk management, and compliance control. Through case studies and practical examples, the chapter emphasizes the need for proactive cybersecurity governance, integrating advanced technologies, risk management practices, and organizational culture to foster resilience in the face of evolving threats.
Chapter Preview

Introduction

Companies and large organizations today are organized in a complex hierarchy, ranging from the Board of Directors down to the front-line managers and workers (Maleh, Sahid, & Belaissaoui, 2019). Despite the best intentions of senior leaders, organizations often experience a disconnect between upper management and frontline workers, so that decisions are made solely on local information. This disjointed approach can undermine the organization's overall strategic objectives. When field workers cannot repair systems compromised by cyber-attacks or execute the correct commands, it is not due to unwillingness but to an inability to do so. Adapting workers to their immediate environment partially decouples local rationality from the organization's overarching cyber-rationality (Maleh, Sahid, & Abdellah, 2017).

Cyber-governance is an important subject not only for CIOs but also for corporate executive governance, as WH has stressed the importance of cyber resilience (Hausken, 2020). Nevertheless, no consensus on the notion of cyber-governance and its implications has yet been established.

Cybersecurity is no longer regarded as simple protection of an organization's information, since the physical world is merging with the digital world (Ula et al., 2011). It has developed into a critical issue for countries as well as organizations. The world has been seriously threatened by catastrophic incidents in cyberspace that can indiscriminately cause immense damage to core functions which depend on information and communication technology, and therefore on cyberspace. The economic and technological advantages of the digital economy are evident; however, the global economy's strategic dependency on cyberspace is a double-edged sword. The Gartner CIO Agenda 2018 research reported that 95% of all security breaches are due to human error (C, 2017). Every organization has a cyber-culture driven by shared values and ethical behavior. Each human member of that cyber-culture is, to some degree, authorized or incentivized to access the information needed to reason about the operation of the entire system.

Unfortunately, although the cyber-governance framework is intended to guide enterprises in their IS security governance strategy, it does not specify a structure for implementing that strategy. In response to these issues, international standards (such as the ISO 27000 series and ISO 15408) and practice repositories (such as NIST, ISACA, and RiskIT) (Mataracioglu & Ozkan, 2011) have begun to incorporate sections on security governance. It was not until the early 2000s that scholarly publications began to carry studies and articles mentioning information security governance. The proposed standards and guidelines for IT security governance are meant to assist businesses, but they fail to specify how the organization's involvement in IS security governance may be measured or implemented.

Considering the organization's current degree of maturity and its specific needs and resources, this chapter presents a realistic approach to evaluating and improving IS security governance. The chapter is organized as follows. The theoretical framework is presented in Section 2. Information security governance with a focus on maturity (CSGF) is outlined in Section 3. Section 4 examines a real-world application of CSGF and the outcomes of its implementation. The chapter closes with a conclusion.

Key Terms in this Chapter

Compliance Control: Ensuring that an organization adheres to relevant laws, regulations, and standards related to information security.

Cyber-Governance: The framework and practices that guide the secure and efficient management of an organization’s digital assets and information systems.

Resilient Organizations: Organizations that can maintain operational functionality and quickly recover from disruptions, including cyber-attacks.

Maturity Assessment: A process that evaluates the effectiveness and development stage of an organization’s information security governance practices.

Vulnerability and Risk Management: The identification, assessment, and mitigation of risks and vulnerabilities within an organization’s information systems.

Proactive Cybersecurity Governance: An approach that anticipates and mitigates cyber threats through continuous improvement and integration of advanced technologies and practices.

Cybersecurity Governance Framework (CSGF): A comprehensive structure designed to assess and enhance the maturity of an organization’s information security governance.

Technical Asset Management: The oversight and control of hardware and software resources to ensure their security and efficiency.

Information Security (IS) Governance: The strategies, policies, and procedures implemented to protect information assets and ensure their confidentiality, integrity, and availability.

Cybersecurity Strategy: A plan that outlines how an organization will protect its digital assets and respond to cyber threats.
