Welcome back. Today we're going to talk about the process of cybersecurity governance and give an overall explanation and viewpoint of what cybersecurity governance is and how it's organized. Stephen Covey has a famous quote: "The main thing is to keep the main thing the main thing." What does that mean in this context? At the end of the day, most businesses are not in the business of assessing cybersecurity risk, evaluating threats, or evaluating vulnerabilities, and they're not in the business of selecting, implementing, or tracking controls and security countermeasures. However, these activities are critically important to whatever the main thing of the business happens to be, and so they have to be aligned in a complementary fashion; they have to support whatever the main thing of the business is. Despite a constant stream of security breaches, lawsuits, FTC rulings, and headlines, it is still the case that the market does not inherently reward security for security's sake. Every decision to spend money on security is a decision not to invest that money in other areas of the business that ultimately drive the bottom line.

This alignment occurs through several key processes that you'll recognize from our cybersecurity mind map in an earlier lecture: risk management, configuration management, identity management, access control, vulnerability management, supply chain management, incident response, and disaster recovery. These are all clearly activities that complement the main thing of the business, but if you spend too much time on them, or they are not closely aligned with the overall purpose and structure of the business, then you can quickly spin off into a rabbit hole that wastes time, money, and resources and does not help drive the goals of the organization. Broadly, governance is a top-down approach to managing a business, and it takes various forms.
As a result, cybersecurity governance is the top-down approach to managing security activities and ensuring that they are all aligned to the business. Recall from previous lectures just how easy it is to fall down the numerous rabbit holes in this vast landscape of cybersecurity disciplines. Without that strategic alignment and management, security programs with otherwise good intentions can easily miss the mark in terms of supporting the overall goals of an organization. Also recall that cybersecurity vulnerabilities are essentially a function of rapidly changing technology and business landscapes. Today the reality is that businesses are essentially inseparable from their IT infrastructure, solutions, and architecture, and cybersecurity as a result is an inherent aspect of IT and its integration into the business. Therefore, the top-down structure that aligns IT efforts with the overall goals of the business encompasses and subsumes cybersecurity governance as well. They all have to be integrated and aligned with whatever the main thing of the business happens to be.

A good mental model that I like to use for helping people understand this idea is the difference between precision and accuracy. Not only are there many exciting rabbit holes to explore within cybersecurity, but they are very expensive and time consuming. As a result, investing time and resources into cybersecurity capabilities that are not aligned with the business can produce amazing capabilities that don't necessarily provide value to the business. They're very precise, like the group of dots you might see on the left-hand side of the diagram here: all the efforts are very close together, so they're very consistent, very coherent, very precise.
That doesn't necessarily mean they are on target. The group of dots on the right, even though it is a less precise group, is overall much closer to the goal, much closer to the main thing we're going for, which is the center of the target. The goal of security governance is to drive not only the precision of time and investments (we want to be as precise as possible) but fundamentally to ensure that those efforts are as accurate as possible and aligned with the main thing of the business. This is a big domain, and in some ways it is the least technical of any domain across cybersecurity. However, just to give some context for its importance, both of the premier cybersecurity management and governance certifications on the market, CISSP from (ISC)² and CISM from ISACA, put governance in the very first domain of their study guides, their material, and their testing domains: CISM's first domain is Information Security Governance, and CISSP's first domain, Security and Risk Management, covers security governance. Both of them start with this idea at the very beginning before they get into other advanced topics. In the next lecture we'll take a closer look at the frameworks that emerge from the need for cybersecurity governance and how we can start taking this large top-down idea and actually applying it to the business and its operations.