Governance and Management aren't the same
This week I have begun a new course on CISM, which is run by ISACA, and although I have written several times about Security Governance, I am picking up new concepts and standpoints in this course that I didn't have before, and I would like to write them down here to try to consolidate my knowledge.
First of all, governance isn't the same as management. Governance is an abstract noun that most IT engineers don't have in their heads, because nobody has told them that they have to learn the language of business to understand the requirements of the business. I mean that most technicians don't understand why the company invests more money or more resources in certain “things” or projects, and at first sight it can look like a mistake. However, this is where strategy and risk analysis begin.
From the point of view of governance, we have to speak with the board of directors, shareholders and stakeholders in business terms to understand the business needs, so that we can define a security strategy that improves the business. This is the main reason we have to learn the language of business: once the strategy and the vision of the business are written, we have to write the policies and standards, which should be approved by the board of directors.
If we want to learn more about governance, we can use the COBIT framework, which is a guide of best practices for aligning Information Technology with the Business.
On the other hand, management is the field where we build the security program, which should follow the Deming Cycle PDCA (Plan-Do-Check-Act). Although the Plan phase belongs to governance, the rest of the phases have to be carried out inside the security program. In the management field we speak in technical language with technicians and security administrators, and we also write the procedures, which are the step-by-step instructions for tasks like anti-virus installation, hardening services, etc.
Most companies concerned about security have implemented security standards like ISO 27001, which is a certification with 114 controls in 14 groups. However, this standard belongs to the management field and not to the governance field, and therefore we can find companies holding this certification that are not aligned with the business needs, or even companies without a strategy at all.
Therefore, as CISOs we should understand the differences between governance and management, because we have to translate the business language into technical language and back again. I mean, we sit in the middle of both worlds: the more we know about technologies, the better the controls we define, and the more we know about the business, the better the alignment we will get.
Best regards, my friend, and remember: governance and management aren't the same.