
Can You Use Controls to Measure the Success of Governance and Cyber Security?

Written by Jason W. D. Cassidy | Nov 11, 2025

What Does It Mean to Be Cyber-Secure and Governed?

Last week, we introduced the idea of “coverage.”

We used the example of home security to explain that information governance and cybersecurity are not about protecting just one system; they are about securing the entire information ecosystem.

Think of it as securing your whole house, not just the front door.

This week, we will take a deeper look at coverage and ask the important question:

How do you measure a good governance and security program to ensure you are truly covered?

Like what you see? Want to see more? I invite you to chat with my team at Shinydocs.

The Five Controls To Measure Information Governance and Cyber

The controls are the tools and methods you use to manage risk and maintain compliance.

When it comes to governance and cybersecurity, success is built on a balance of these five keys:

  1. Administrative Controls: The Foundation of Security: These are the policies and procedures that guide how people access and handle information. Administrative controls help make sure the right people have the right access and that everyone follows consistent practices.

  2. Technical Controls: The Technological Shield: This is where your technology does the heavy lifting. However, these tools are only as strong as the policies behind them.

  3. Physical Controls: Securing Your Assets in the Real World: Can someone who should not have access to your data be prevented from accessing it?

  4. Detective Controls: Identifying and Responding to Incidents: These controls help you report a data breach or a failed audit, or find the information needed for a FOIA request. The goal is visibility and timely response.

  5. Preventive Controls: Proactively Reducing Risk: These are your firewalls, encryption, and data governance practices like migrations, disposals, and clean-ups. Most organizations spend way too much time and effort here — instead... Hint: this is a job for the machines. 

Why Measuring Matters

Can you implement an effective program without carefully considering the coverage of these controls? And if your efforts only cover a fraction of these five areas, you are not as secure or compliant as you might think.

We see too many companies getting mired in the question, “What technology are we using?”

Consider a higher-level question: how do we measure the tools and methods we have in place for effective preventive, detective, administrative, technical, and physical controls?

The shift is to measure and focus on what actions you are taking to lower risk and minimize cost, not just what software you have.

How to Implement These Controls Effectively

Next week, we will look at how to implement these controls effectively...

Spoiler alert: We’ll be talking about change management, cost constraints, continuity for user experience, and more.