Governance and Monitoring

The Control Objectives for Information and Related Technology (COBIT) 5 framework defines governance thus: “Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives.”

Governance ensures that policies are adopted, followed, and effective. To monitor policy adoption and effectiveness, organizations should create a governance committee, usually made up of security teams and business-side leaders. Typically, governance is organized around a series of regularly scheduled committee meetings. A policy governance committee might meet weekly or monthly; there is no set standard. A governance committee must meet as often as needed to ensure that enterprise objectives are achieved.

Monitoring performance depends on the types of reports and information the committee is provided. If there is a lack of adoption, you would expect to see that reflected in the audit findings issued. If there is a lack of awareness, you might see that in annual awareness testing or survey scores. Ultimately, effectiveness might be measured in how many breaches have been successful or, conversely, in how many attacks have been successfully defended against. Both are lagging indicators, and the second depends on detection coverage: an attack that was never detected is counted in neither, so these figures should be read alongside the adoption and awareness measures rather than in place of them.

Regardless of the effectiveness measurements used, governance is an ongoing evaluation of stakeholder needs, conditions, and options so that policies keep serving the enterprise objectives. This means that governance sets direction through prioritization and decision making. Remember, a governance meeting is typically made up of management leaders. These leaders can act when policies are not working as designed. They can also act when new threats emerge. That is why most implementation processes (such as the one in Figure 13-1) feed the lessons learned from monitoring back into a reassessment of business risk, compliance, and threat vectors. This reassessment of the organization’s needs can lead to changes in the target state and thus changes in the IT security policy.

As a management group, the governance committee can help drive organizational and cultural change. The upside is gains in efficiency, coordination, transparency, and agility. It can be hard to standardize business processes across a company. But if you do, you can drive efficiency and predictability companywide. This can simplify your environment and make responding to attacks much easier.

For policies to prevent security breaches, everyone must follow them. Everyone in the organization must therefore be accountable for implementing security policies, and that accountability requires executive commitment. It will be a cultural change for any organization that views security policies as an abstract concept or an additional layer of complexity. Security policies that hold everyone in the organization accountable help promote this cultural change. For this to happen, the goal should be to make security policies:

  • A routine part of daily interaction
  • The recipient of support from organizational committees
  • A matter of instinctive reaction

These goals are measurable indicators of a shift in organizational thinking and risk culture. Security policies cannot outline every potential situation. You cannot expect people to memorize volumes of material. Information overload is a real concern when implementing security policies. When information security policies are large, complex documents, they become hard to understand. They are also hard to teach, so security policies must include core concepts that can be applied to a wide range of situations. In this way, the policies’ tenets can be easily recalled.

The advantage of core values that management understands well is that they can be applied to unexpected situations. You can measure (and thus monitor) routine daily interaction to see whether policies are being followed. For example, you can review business deployment plans. Usually it becomes obvious whether security policies were considered when these plans were formulated. When security is treated as a bolt-on, or afterthought, cultural change has not occurred. You can also gauge the level of interaction from the number of requests from the business side to interpret security policies. When information security is at the forefront of everyone’s mind, the business side often asks for clarification on policy details when implementing new processes. The natural source for this interpretation is the IT security team. If the volume of requests for interpretation is low, it is a good indicator that active conversations on security risks are not occurring. When you have a large number of initiatives, you should expect many questions on policies.

You can measure committee support by the conversations that occur between members. A quick indicator is to look at the minutes of committee meetings, such as the operational risk committee or the audit committee. Such committees should all be dedicating time to discussing information security and policies. These committees should also be discussing enforcement. They will want to know how to manage overall risk to the organization. If these committees spend little or no time on these topics, it’s a good indicator they have delegated the conversation to lower ranks. A risk-aware culture has senior management equally engaged in these discussions. The chief information security officer (CISO) can help overcome organizational apathy toward security policies by attending key committee meetings. The CISO can promote candid discussions on policies and risks.

A culture shift occurs when users instinctively react to situations consistent with the core values of the security policies. This personal accountability can help promote security thinking across a broad range of situations. It could be as simple as asking a stranger in the office for his or her identification. It could be questioning the need for access, even though a procedure allows it. This can be measured in several ways. For example, an organization with a high number of security policy exceptions might not appreciate the importance of security.
