Maturity of organisational security governance

Abstract

Existing research has shown that due to the increasing digitalization and the adoption of digital technologies and complex (big) data solutions, along with higher firm-level productivity, comes a growing and more dynamic threat environment. Organisations rely on data and digital environments. These environments enlarge the potential attack surface, as every end-point device or network node is a potential entry for malicious actors. The (un)intentional insider threat is also increasingly important for the protection of Intellectual property (IP) and business assets. Not only the attack surface has grown over the years, but also the consequences of security breaches have become more severe. Loss of confidentiality, integrity and availability can heavily disrupt working practices or even threaten the continuity of organisations.

The stakes for organisational security have therefore never been higher. Current trends in coping with this new threat landscape are, among others, to increase oversight and ensure strict regulations, both via internal policy and external regulators. Extant literature also emphasises an increase in security spending, as well as technical measures to protect business assets. This paper proposes a framework for determining the maturity of security governance within organisations. Security governance is concerned with the alignment of business goals on the one hand and security goals on the other hand, i.e. working productively and working securely. Good governance would mean that both business- and security goals can be reached without conflicting interests; preferably even by complementing one another. The research argues that security governance consists of more than merely technical measures and punitive oversight. It also parts from existing views about how more security (spending, measures, policies, etc,) is better and how security is predominantly addressed in isolation. Instead, security governance should be in alignment with ’the business’ of an organisation. This brings forward the notion of security governance, as the alignment between security policies and business goals.

Literature has found that these two concepts can often be conflicting, as more security in most cases impacts productivity. Therefore, the concept of maturity is coupled with the research. Maturity emphasises the alignment between security goals and business goals. The research adopts both a conventional view of maturity, as well as a social view of maturity. The conventional view focuses on the effectiveness of security governance. A higher level of maturity indicates improving one or both of the pillars of governance, i.e. the contribution to business goals and security goals. This could mean working more productively/efficiently given certain security policies. Or - the other way around - working more securely whilst also doing projects efficiently. The social view focuses specifically on the way alignment between the two pillars of security governance is reached. It acknowledges that not all perceived governance problems in organisations have a single solution that can be imposed top-down. Instead, employees in organisations have to cope with different challenges and perceive issues related to security governance differently. The social view on maturity therefore argues that dialogue is required between a representative stakeholder group, with different viewpoints and expertise, whereby policies are drafted in concordance.

By means of a case study at Damen Naval - a large Naval shipbuilding organisation relying heavily on IP and bound by strict regulations - input was gathered regarding security governance in three individual security fields: ’access control’, ’data classification, and ’monitoring & incident response. Incorporating results from a literature review, individual interviews and
a focus group session, a framework was built with both a conventional assessment of security governance and a social aspect of how the alignment of policies (security- and business-related) can best be reached. The foundation of the framework consists of six dimensions of security governance:
1. Organisation-wide security and responsibility/accountability
2. Risk-based approach
3. Direction of acquisition and commitment of resources
4. Conformance with internal and external requirements
5. Security positive/conscious culture
6. Security performance measurement/alignment

These dimensions were used to guide and structure the individual interviews and led to a list of performance indicators. Each indicator steers on improving security (in terms of policy-setting) and/or productivity (in terms of contribution to business goals). The research showed that although the security fields were different from each other, most indicators could be applied to all the security fields, showing that the indicators are generalisable to an organisation-wide level. The indicators led to practical recommendations for security governance at Damen Naval. The most important takeaways are to better empower engineers in making decisions on data classification, as currently engineers feel uncomfortable in doing this due to the negative consequences of ’under classifying’, which leads to information being classified higher rather than lower. Also, performance expectations should be clear for employees and additional hours spent on dealing with security measures should not be absorbed by engineers. In line with this, more effort should be put into quantifying the total costs of imposed security measures, both direct and indirect. This will make current security policies better explainable or address issues that need to be improved.

The final stage of the research aimed at reaching concordance on security governance. This was researched via a focus group session in which the metaphor of a doctor-patient relationship about a negotiated treatment plan was used to see whether and to what extent this relationship would be possible in an organisation such as Damen Naval. Despite the fact that such a relationship is hard to pursue in a large organisation with multiple stakeholders as well as being limited in autonomy due to external legislators, the results indicate that concordance would be possible, although on different levels inter- and intra-organisational. Intraorganisational, this research suggests composing an organisational structure wherein employees of the business, ICT and security are represented to discuss matters that are related to security. The focus group session itself proved that this contributed to reaching alignment. Inter organisational, dialogue with external regulators should be pursued. Using the framework for security governance and the security performance indicators, potential misalignment can be determined systematically and a more comprehensive discussion can take place. Finally, future research could focus on improving the framework to enable a Capability Maturity Model (CMM) approach and to conduct a similar case study with the inclusion of an external regulator.