Organizations must recognize how every solution they implement works together and as part of their larger defense-in-depth strategy.
By Vincent Tran, CISSP, Co-Founder and Chief Operating Officer, Liongard
So much of the discussion around cyber security focuses on the need to bolster defensive systems and procedures, but these discussions are missing the most basic components of a security posture: IT governance and mitigating risk.
The continuous proliferation of systems and configurations, along with the threats facing businesses, is real and ever-growing, and organizations have endless options to consider as they build out their security posture.
Organizations must recognize how every solution they implement works together and as part of their larger defense-in-depth strategy. More importantly, they need to have visibility “left of boom,” looking further upstream of the event and ensuring that governance and detection of changes to system configurations are in place so that the security tools can mitigate risks downstream.
A well-designed and carefully managed cybersecurity program can help protect against and mitigate a wide range of threats while ensuring critical business operations remain secure and uninterrupted. By establishing a solid foundation of asset and user inventory paired with visibility into changes, policies and procedures, organizations can ensure that their investments and cybersecurity strategy are comprehensive and effective.
IT Governance is the glue
To effectively safeguard against cyber threats and mitigate risks, it is crucial to have a solid IT governance strategy in place that incorporates Configuration Change Detection and Response (CCDR). As the Center for Internet Security (CIS) recommends in controls 1, 2, and 5, this requires establishing an inventory of assets, software, and user accounts, respectively. This inventory is then maintained by continuously detecting and documenting changes from the prior state. Only then can proper response and remediation processes be effective.
Governance requires circling back to verify that security configurations have not drifted or been misconfigured, and that team members continue to follow the protocols, procedures, and processes over time. This tenet is the focus of the US NIST 800-128 guide, which recommends adopting security-focused configuration management and configuration change detection. This is integral to an organization’s ability to respond with proper context and recover from incidents. In some ways, foundational IT governance is as important as the security solutions themselves.
Too often, teams overlook this critical piece of the security framework. Instead, they “set it and forget it” with their defensive tools and fail to develop a clear line of sight into change and drift. They’re unable to account for new assets, software, and users that may have been added and are unprotected. That’s precisely the mindset threat actors will take advantage of, causing potentially catastrophic — and expensive — problems for companies.
Companies are forced to compromise
Security measures used to be rigid and unyielding, but this outdated approach is no longer effective. Today, companies must balance security and flexibility, treating security as adaptable processes and protocols that can adjust to ever-changing circumstances.
Consider security to be an offensive line in a football game. The goal is to protect the users, remain fluid, and allow the user to progress forward without running out of bounds or scrambling into unprotected areas.
As part of that, security teams need to allow for a certain level of flexibility, shifting more of the effort — and the burden — onto the IT governance side and developing the agility to react to change. This compromise brings greater responsibility to clearly establish and maintain inventory and policies for what is and is not allowed. This way, the end-user can focus on their tasks and have what they need to be productive while being assured of a successful — and secure — outcome.
Companies need new ways to look at old problems
Businesses must adapt to the changing times and update their security measures accordingly. Those that lack visibility across their surface area and into changes to the assets and users under management are susceptible to ever-increasing risks and may become more and more vulnerable over time.
While adopting digital transformation and innovative systems and services is essential in today’s business world, these strategies can also present new risks to organizations. To stay ahead, companies must continuously assess and tune their security processes. Often this requires examining and removing manual work that should be automated to enable continuous auditing over time.
Teams need to select systems and automation that provide them with agility, which, in turn, generates substantial value and return for the organization. Ensuring that continuous auditing, change management, and security assessments are in place will maximize the benefits while minimizing potential drawbacks.
Ultimately, the focus is on creating a win-win situation for everyone involved, where the end users receive the best possible experience, and the organization can confidently achieve its security objectives while safely navigating the modern technology landscape.
About the Author
Vincent Tran, CISSP, is the Co-Founder and Chief Operating Officer of Liongard. He is a multi-disciplined entrepreneur with more than 25 years of experience in marketing, design, UX/UI, technical project management, developing business intelligence automation platforms and secure web applications. Before joining the Liongard team, he owned and operated multiple professional managed services organizations, representing a wide variety of agency clients. Vincent received his Bachelor of Science from the University of Texas at Austin and is a Certified Information Systems Security Professional with ISC2.