For the sake of clarity, I will retain the definition of cybersecurity formulated by the International Telecommunication Union (ITU), namely: “Cybersecurity means all the tools, policies, security concepts, security mechanisms, guidelines, risk management methods, actions, training, best practices, safeguards and technologies that can be used to protect the cyber environment and the assets of organizations and users. The assets of organizations and users include connected computing devices, people, infrastructure, applications, services, telecommunications systems, and all of the information transmitted and/or stored in the cyber environment. Cybersecurity seeks to ensure that the security properties of the assets of organizations and users are ensured and maintained against the risks affecting security in the cyber environment. The general security objectives are availability; integrity, which can include authenticity and non-repudiation; confidentiality.”
Cybersecurity governance can thus be understood as the implementation of a set of measures (rules, standards, protocols, procedures, etc.) intended to allow better coordination among the stakeholders of an organization, with a view to ensuring the effectiveness of decision-making on cybersecurity issues and the achievement of the organization’s overall objectives. If we refer to the definition of the term “governance”, namely steering that results from consultation between the stakeholders, taking into account not only the duties of each stakeholder but also their prerogatives and their respective interests, with the ultimate objective of improving the performance of the organization, then the design and deployment of cybersecurity governance should NOT be limited to the sole scope and responsibility of the Chief Information Security Officer (CISO). Governance rests on the coordination of stakeholders in pursuit of common objectives, and a CISO acting alone cannot supply that coordination.
However, in practice, on this precise point we are only at the beginning of a change in the way cybersecurity is addressed within organizations. Cybersecurity has remained confined for too long to a technical and technological approach, strictly limited to information systems security (ISS), whereas it also requires, more fundamentally, an organizational and cultural approach that covers in particular enterprise-wide risk management, legal aspects, and the human dimension.
I welcome your thoughts and comments.