Suzanne: ‘First introduce yourself. What has your career looked like so far, in a nutshell?’
Stef: ‘It started twelve years ago. As green as grass, fresh out of college, I met an established name from the Dutch IT audit community, professor Ronald Paans. He offered me the chance to do the postgraduate study in IT audit at the VU University of Amsterdam, while also gaining experience in practice. After five instructive years with intensive assignments at different companies, I realised that my passion was not in the third line. At UWV, I was given the opportunity to gain second-line experience as a consultant in a security team positioned close to the UWV Executive Board. I fulfilled that role for more than five years. In my current role, I manage the Security Operations Team of the Cyber Defense Centre (CDC) at UWV. Working in the first line is the most enjoyable thing I have done so far. It is very interesting to experience the “concrete reality” of the processes and operations. That is a totally different world from that of policies and standards frameworks. Experience in all three lines of defence is something I can truly recommend to anyone,’ says Stef.
In the meantime, alongside his work for UWV, Stef worked on the study Digital Security Governance: From the Basement to the Boardroom. For this research, Stef held 75 interviews, mainly with chief information security officers (CISOs) and chief information officers (CIOs), but also with security professionals from several large organisations in the Netherlands. He examined various DSG implementations and looked, among other things, at success factors, but also at elements that organisations encounter when implementing DSG.
Suzanne: ‘Tell us more about your research. For example, how did you determine your research question?’
Stef: ‘During my career, I have always found it very interesting to see how directors view information security. Where a security professional sometimes sees the organisation on fire, the same issue for a director is just one of many challenges at the time. I found that field of tension and all kinds of governance issues surrounding it fascinating. From this interest, the basis was laid for the research question of the doctoral study. Both professionals and administrators have an opinion on security governance and design issues. But do they actually understand what they are saying? Can they also substantiate the statements? Why do certain governance structures create more “security” than others, and what are the real effects and outcomes of certain security governance mechanics? In the end, it was Professor Abbas Shahim who gave me the opportunity to start doctoral research at the Amsterdam Business Research Institute (ABRI) in 2018. It was the beginning of a very intensive but beautiful journey at the Free University (VU) Amsterdam.’
‘DSG is increasingly approached as a strategic issue’
Suzanne: ‘Can you talk a bit more about why your research focuses specifically on Digital Security Governance?’
‘It’s an interesting time,’ Stef replies. ‘Organisations have to adapt continuously, they are becoming more and more digitally driven and with that, the usefulness and necessity of security also changes. If something goes wrong due to a cyber incident, in a highly digitised environment it affects not only IT, but the entire business, with a major impact on business operations as a result. This is a fundamental difference in this digital era versus the more analogue one. Not all executives yet understand this impact of security on their digital processes thoroughly enough. This is still reflected in almost daily news about successful cyber attacks. In short, I believe that the digital context strongly influences how to treat security. That is why digital was the essence of my research.’
Stef then nuances this: ‘Incidentally, this outlined picture has since changed (more than six years after the start of the study). DSG is increasingly approached as a strategic issue. Organisations are increasingly intrinsically motivated to respond to a robustly growing cybersecurity threat picture (which can have a disastrous impact on business operations). This is certainly also due to various external factors such as increasing laws and regulations, higher requirements in business-to-business relationships, attitudes from clients and citizens towards companies and so on. Still, there is definitely work to be done.’
How to organise Digital Security Governance effectively
Stef immediately noticed when first exploring the literature that little has been written about digital security governance and how to organise it. ‘Previous studies were very practical and had little empirical basis. Therefore, my main commitment was to collect data and further substantiate views around this topic. In the end, I interviewed 75 CISOs and CIOs in my research. Additionally, that data was coded and considered from different theoretical concepts. My research aims to flesh out the concept of DSG with the ultimate goal of increasing grip and control.’
Asked for an example, Stef says: ‘It became clear from the interviews that organisations have not found the golden egg on how to effectively realise security governance either. In the interviews, instead of concrete examples of effective security governance, issues, problems and areas of tension were mainly put forward as explanations of why security governance was not successful. Further interpretation of these problems or a good understanding of why tension fields exist and how to solve them was lacking. An example of a common tension field is security vs innovation. Entrepreneurs have fast go-to-market ambitions, while setting up security takes time. It became clear from the data that organisations handle this tension by making a choice between innovating faster with less security or going to market slower with more security. It is already known from scientific theories, such as so-called paradox theories, that choosing between one or the other is not a sustainable or successful strategy to tackle tensions in a dynamic environment (such as the digital context). In the various research papers, we discuss such concepts and apply them in the context of security.’
How security governance can also create business value
Stef spent a total of six years on the research. ‘There have been several iterations, but ultimately the thesis consists of four different papers that collectively answer two main questions: 1) How do companies organise their DSG? 2) How do you ensure that this governance is effective?’
Suzanne: ‘Can you talk more about this? What were your findings?’
Stef: ‘From the literature, effectiveness of security governance is often expressed in relation to information security failure, or the number of incidents. I think this is a one-sided approach, namely strongly focused on control. Governance not only provides control but also creates business value. Many organisations do not yet see the relationship between setting up security governance and creating business value.’
Suzanne: ‘Can you give examples of this?’
‘Those examples certainly exist, but they are not yet very well described, both in the literature and in practice. In the research, we saw examples where having internal security demonstrably in order can be a differentiating factor in closing large strategic billion-dollar deals. That security can increase customer confidence, help comply with laws and regulations and contribute to the competitive position. In short, security can be of strategic value to your organisation.’
About the study: Digital Security Governance: From the Basement to the Boardroom
The study Digital Security Governance: From the Basement to the Boardroom consists of four papers.
- The first paper, From basement to boardroom, outlines the entire introduction of DSG. It consists largely of literature review and shows what the trends are. Governance usually starts as an IT-related topic. It often then becomes a business topic of a strategic nature that ultimately has a major impact on the long-term success of organisations. Stef: ‘We started looking at organisations from that perspective. The results were surprising. I expected CISOs to have a more concrete view on the design choices around security governance. Yet you noticed that there is still a lot of ambiguity and frustration about the question.’
- Stef: ‘In the second paper, using theories of paradoxes and tensions, we try to explain why organisations fail to establish successful security governance. Examples of such paradoxes are: innovation vs security and institutionalising vs professionalising.’
- The third paper addresses the question of ‘how’ organisations can effectively implement security governance approaches in the ever-changing digital world. Stef: ‘We looked specifically at the governance principles of high reliability organisations. These are organisations that can operate in a “high-risk flawless environment”. Think nuclear environments or aircraft carriers. The conclusion is that we can still learn a lot from them.’
- Finally, the fourth and final paper describes a case study that focuses on the fact that the organisational context affects how security should be organised. The conclusion is, in short, that there is no “one size fits all”.
No one-size-fits-all DSG model
Stef’s research consists of four papers (see above). Suzanne: ‘What were the main conclusions?’
Stef: ‘One of the main conclusions of the study is that there is no one-size-fits-all generic DSG model. An effective governance model is highly context-dependent. For example, the choice of a centralised, decentralised, hybrid or an integrated model strongly depends on the stage of the company (start-up or mature organisation) and whether it is a public or private company. We were able to partly explain the advantages and disadvantages, strengths and weaknesses of security governance elements. Based on this, companies can take these context-dependent elements into account when choosing a model, which may be the best fit (looking at the phase their organisation is in). This sounds like an open door, but organisations do not often consciously make the choice for a specific security governance model, because it is often not clear what that specific model will bring to that specific organisation. The majority of organisations have a (hybrid) governance model that has grown organically. Sometimes it is useful to choose a different model, for instance if you start working agile. You also see more attention to governance after an impactful security incident. Then you suddenly see organisations speed up centralisation to become more secure. The question is how you can then become even more effective and what the role of the CISO is.’
‘IT auditors may be critical of the choice of DSG model’
Suzanne: ‘What role do you see for IT auditors when it comes to security governance?’
Stef: ‘They can add a lot of value in the form of advising on what is “good” or effective. Auditors are usually focused on testing controls against a certain framework. Governance elements are not always woven into controls. And when is something well-established? An example of a control is: roles and responsibilities are clearly assigned. What does a positive finding say about its effectiveness? Are the roles and responsibilities properly invested in terms of content, and where does this lead? Auditors often find taking on the advisory role difficult, but at the same time I see it as an important task for the auditor to have these kinds of conversations, precisely towards boards. They can, for instance, advise on a different type of governance model at the moment the existing model does not fit an organisation (anymore). In short, auditors can challenge well which model fits best, depending on an organisation’s contextual factors.’
Which factors determine whether a DSG model is effective?
Suzanne asks if there will be a follow-up to the research.
Stef: ‘Besides my work at UWV, I always keep ambitions in the field of research. The approach of my research has largely been explanatory. In future, I would like to show even more specifically which factors and mechanisms in the various DSG models are directly related to or influence effectiveness. For example, a large quantitative study at universities found that a centralised security governance model leads to fewer security failures. How do we extend such studies to the impact of security on business value? Should a startup that values secure by design always contain their innovations with security measures and opt for a heavily centralised model? Or is extensive experimentation with lots of freedom for teams and departments themselves for security (decentralised model) more convenient after all? Answers seem obvious but have not yet been sufficiently researched, if you ask me. How does this law of communicating vessels work? I would like to make that quantitatively measurable. Not just by interviews (which is somewhat subjective anyway), but especially by creating volume. That would be interesting, for instance a survey of directors and decision-makers (because it is a business issue) and combining that with data from annual reports. Of course, even then you have to be careful with the interpretation, but it would undoubtedly offer interesting new insights.’
Creating reflection tool for choice of DSG model
In addition to research, Stef would also like to make the outcomes practical. ‘For example, in the form of a reflection tool. So you can ask yourself which context-dependent elements in your organisation are important for the choice of model. Now you can also easily do self-assessments for frameworks such as NIST and ISO27000. Besides well-designed controls, DSG can also influence security performance. If you make conscious choices in that, it has a real effect. That has not really been researched before. There are several best practices, but hopefully it will soon become more concrete with more scientific follow-up research. Ultimately, security has to be ingrained in the DNA of the organisation, and that means in the culture. You don’t just do that by making people responsible. Security has to become part of the DNA in all facets. But before this stage is reached, there is still so much to learn.’
Suzanne: ‘And finally, Stef, how do you keep yourself up to date? Do you have any specific sources of inspiration?’
Stef: ‘How I learn and keep myself up to date? Nice question, because it touches on the essence of why I once started doing PhD research. I believe very strongly in the power of combining practice and science. Because of the relationships I have built and the passion I have for academia, you always stay connected to universities. For example, I supervise several groups of students with their theses. Students are inventive, cover a wide range of topics and you also have to read the theses really well to give good feedback. But preparing for lectures also means you have to have a really good grasp of the subject matter in order to get it across. In addition, I have my “feet in the mud” at UWV’s Cyber Defence Centre. These dynamics ultimately ensure that you stay sharp, I think.
If you then ask about my sources of inspiration: I really have a lot of them. But what ultimately impresses me most is when very old concepts are still applicable. Thomas Hobbes’ Leviathan from 1651 is a great example. I won’t tire the reader further with its contents, but if you like philosophy, this is highly recommended.’
Finally, Stef reflects on the IT auditing profession. ‘I find that the mindset you are given as an IT audit or Risk professional is very valuable. I am referring specifically to the management mindset and the AO/IC doctrine. This mindset shapes you as a professional and comes in handy in many functions. Skilled auditors are encountered in the most unusual roles. In short, to all readers who are auditors, you have chosen a great profession!’