COBIT 5 for Security: What You Need to KnowISACA's Robert Stroud on New Approach to Governance, Management
The release of COBIT 5 for Information Security from ISACA comes at a time when the IT threat landscape is changing drastically. How can organizations use the updated framework to mitigate the risks? ISACA's Robert Stroud explains.
Start with the recently-released COBIT 5 framework, which builds upon several old models, including COBIT 4.1, and allows organizations to understand holistically the risks they're facing enterprise-wide, says Stroud, a member of ISACA's Strategic Advisory Council.
"As we come to COBIT 5, we're facing so many changing perimeters in the world," he says in an interview with Information Security Media Group's Tom Field [transcript below]. "Now you've got your consumer-driven IT; you've got the big concept of bring-your-own-device; you've got social media."
On top of that updated standard, COBIT 5 for Information Security offers additional, security-specific guidance designed to help enterprises reduce their risk profile. One of the focuses of the guide is to implement an effective risk posture.
"Cyber attacks, external hacking and disgruntled employees, they're all still out there," Stroud says. "But overall, there are more and more external threats coming in to be able to get inside the environment, and those need to be understood."
The security guidance calls for organizations to have a full understanding of the risks they're facing, and then place effective processes around each one, "to either deal with them or if our posture allows us to accept some of them, how to deal with them after the event," Stroud explains.
"This is all about understanding your risk profile from a business perspective and understanding what the organizational impact is, so that you can make effective decisions in the right areas," he says.
In an interview on the unique elements of COBIT 5 for Information Security, Stroud discusses:
- How the COBIT 5 framework differs from version 4.1;
- Why organizations need to approach governance and management differently today;
- How COBIT 5 for Information Security helps organizations reduce their risk profile.
Stroud, CGEIT, CRISC, is a member of ISACA's Strategic Advisory Council. He is a past international vice president of ISACA, and member of the ISACA Framework Committee. He is also vice president of Strategy and Innovation and service management and governance evangelist at CA Technologies.
Stroud spent more than 15 years in the finance industry, successfully managing multiple initiatives in both the IT and retail banking sectors related to IT service management and process governance.
TOM FIELD: COBIT 5 is out now from ISACA. It's the latest edition of the Information Security Framework. What are the newest additions to the framework, particularly in terms of governance and management?
ROBERT STROUD: [We] just had the launch of COBIT 5 for Information Security, which is a guide to help practitioners correctly understand how to leverage the COBIT 5 framework in an information security role and apply value through the organization's objectives and securing the environment, delivering value to their customers and also driving the information security right down from a business perspective right through into how it's enabled within the IT environment.
Differences from COBIT 4.1
FIELD: I know that ISACA spent a good deal of time talking about COBIT 5. How would you say it differs fundamentally from COBIT 4.1?
STROUD: That's a great question actually, and there are a couple of fundamental differences. The first is that COBIT 5 separates the notion of governance and management. Governance is effectively the role of top management where you evaluate the opportunities, you direct what's to be done and you monitor, and the governance role is typically segregated, although not always, from the actual role of putting those controls or management practices or processes in place that allow you on a day-to-day basis not just to monitor the environment, but also put the work in place so that you can meet those corporate objectives.
COBIT 5 typically separates governance and evaluates direct monitor with management where in that role we set the objectives in place. We enable the capabilities and then we monitor what's happening in them and report back exceptions. That's difference one.
Difference two is that COBIT 5 calls out all the various dimensions and enablers or inputs to a governance regime. I think that includes things like the organization's culture, its ethics, as well as the things you would normally consider, such as people, process and technology, the tools you use, and things like that. So it takes a holistic approach.
The third point is that COBIT 5 incorporates or encapsulates the various frameworks that ISACA has developed over time, including value management of IT, known as Val IT, risk IT or effective risk management, plus COBIT 4.1, and brings them together into one framework that allows people to truly understand how to drive business and organizational value into a series of processes to ensure that value is delivered, and of course at the same time the organizational risk component is truly understood, moderated and mitigated where appropriate but accepted where it's not. I mean there are a large number of other differences, but I like to remember things in three. So I'll stay with three for right now.
Benefits from Framework
FIELD: It occurs to me that we're coming up on the 20th anniversary of COBIT. If we can take a step back for a second and look at the iterations, including the latest, how do you see organizations benefiting the most from this framework and where do you see COBIT as being most effective for organizations?
STROUD: Yes, you're right. We're getting close to the 20th anniversary and COBIT 5, as the number would suggest, is the fifth iteration and COBIT has come a long way from essentially being an audit and control framework in the initial version, where it was essentially used to put an audit framework in place to ensure that organizations were in fact delivering the capabilities and the alliance to these organizational roles and constructs that were put in place. The world has changed since those initial versions and we've had compliance come to the forefront of many of us. Security has become a bigger issue. The business is truly now empowered by technology and as we move on to COBIT 3 and 4 we ended up with a framework that truly helped organizations manage their compliance requirements, their governance requirements, so on and so forth. As we come to COBIT 5, we're facing so many changing perimeters in the world. Now you've got your consumer-driven IT; you've got the big concept of bring-your-own-device; you've got social media; you've got the business delivering capability direct without IT.
COBIT 5's fundamental difference that we're seeing today is that organizations are looking to take a value-based perspective to their governance of enterprise IT or more importantly their IT investments that empower the business. And COBIT 5 clearly supports that posture. It's designed so that you can really truly understand what the organizational construct is, where you're looking to invest and where you're looking to drive organizational value. I think value is the key word in COBIT 5. Where is that value? Then, how are we going to get there?
The old days of IT, with long-running projects, the business value of it in two or three years has gone away. So in measuring that value component, we need to understand where we are in terms of deriving business value so we know when to effectively cut our losses. A term used in industries, I'm sure all the listeners are aware of now, is "file quickly". Well rather than "file quickly," let's "succeed quickly." One of the concepts there in succeeding quickly is know when we need to cut our losses, cut our investments or move or tackle change into a different direction. COBIT 5 provides an overarching structure so that organizations can put that in place and deliver that, and that's one of the areas where value is truly derived and one of the true differences from COBIT 5 to the past.
Now, COBIT 5 reaches back from the business initiative - the business strategy - right through to requirement, so almost true cradle-to-grave support.
IT Threat Landscape
FIELD: As you talked about the evolution of COBIT, it struck me how different the enterprise is now than when it was introduced. For instance, you and I today are both sitting in our homes hundreds of miles apart talking to one another, where when COBIT came out we would have been within an office some place. So much is remote. So much is outside of the organization. Because of this, the IT threat landscape has changed and so my question to you is: what do you see as the top IT threats to the extended enterprise today and where do you see COBIT 5 helping organizations to address those sophisticated and different threats?
STROUD: The threat profile has changed dramatically if we go back to when you and I started in this industry would be surely in the same room and you know it might even be a hallway apart. Threats are different; threats were fundamentally from inside. And don't get me wrong - those internal threats continue. But now we're seeing a lot of changes in terms of the threat landscape and threat profile, and we recently did a release on the threats that we're seeing in the industry, things like data leakage. This is becoming a fundamental business issue for many organizations today. The fact is that data can leak out and you think about that information, and not necessarily personally identifiable information, but organizational information, trade secrets information, clearly we're seeing that as a major issue out there.
Inadvertent employee mistakes are still happening so we're not going to stop them anytime soon, because as you put process in place, we do mitigate that to some extent, but they will still happen. Now we're still seeing a growing threat in our dimension consumer driven IT now because of your bring-your-own-device. If the enterprise construct is not effectively developed to control this access from third-party devices, then you may have the opportunity to have data leakage or using those devices as a way to penetrate inside your organization.
I think we're getting better at that and better at managing that as we move forward. Other things that are very topical like cyber attacks, external hacking and disgruntled employees, they're all still out there. They're single digit kind of threats if you want to put a percentage on them, but overall what's happening is this threat landscape, there are more and more external threats now coming in to be able to get inside the environment of the data center or the IT construct, and these need to be understood and not necessarily always avoided. Sometimes you just want to take a mitigation posture or you might want to take an acceptance posture depending on the business risk, the business climate and the business appetite. One of the things that we reinforce and support in COBIT 5 for Information Security is how to put an effective risk posture in place, and we need to understand that security begins at the business and as a holistic partner. That's one of the key aspects in the changing threat landscape.
We need to be aware of all of these threats, we need to understand them and when you put effective process in place to either deal with them or if our risk posture allows us to accept some of them, how to deal with them after the event. That's going to depend on what industry you are in. If you're in an industry that cannot accept any risk, you're going to have a larger investment in security. There are organizations that maybe can accept some of these. This is all about understanding your risk profile from a business perspective and understanding what the organizational impact is so that you can make effective investment decisions in the right areas. And I think that's a key thing that we're seeing today. IT is moving so quickly. We need to make effective decisions rapidly and realize that we may have to revisit them on quite a regular basis.
Transitioning to COBIT 5
FIELD: For an organization that has already invested in COBIT and certainly is up to speed with 4.1, what does the transition to COBIT 5 involve for them?
STROUD: We've actually produced a publication which is an implementation guide as part of the COBIT 5 series. That implementation guide and the tool kit that comes with it give you good guidance in terms of what you need to do. The first aspect of doing this is to go back and have a quick look at your organizational posture and culture in terms of what does governance enterprise IT mean in your organization. Where are the threats? Where are the risks? Where are the various opportunities? And one of the things that I think people will see is fundamentally most of COBIT 4.1 and your investment in 4.1 is indeed relevant in a 5.0 timeframe, so you can go through and look at those processes, those management guidelines you put in place and those aspects and you can take them forward.
The new piece in COBIT 5 is the governance environment and that's one of the things that I recommend [to] practitioners looking to effectively implement this. You might want to go and look at the implementation guide and actually balance the governance domain versus your current governance process you have in place today. All organizations have some form or structure resemblance of governance and that governance process should map quite well to the guidance that we give in COBIT 5 to effectively implement this governance domain.
Like all frameworks and standards, COBIT 5 is not a panacea. It's not something to take and lift and use exactly as is. You're going to map it or mold it to your organizational requirements, your organizational construct and the various competitive advantages that you have. Those of you already invested in 4.1 - grab the implementation guide and have a look at that. As you download the implementation guide, there are a large number of tools there. I'd do a quick governance reassessment just to see where you are and then after you've got this, you can then go back and look at the delta in terms of implementation. But do take this opportunity to really look at the governance area that you've put in place and make sure that you haven't got too many controls in place. That's always a challenge in these days of nimble organizations and nimble enterprises being agile. You want to have the right number of process controls in place, not too many, because too many is cumbersome and if you become cumbersome that leads to complexity which leads to difficulty in changing and it's the age-old story, the more complex it is the harder it is to change.
FIELD: For organizations and individuals for whom COBIT 5 is new, they're new to COBIT, what advice do you offer them to really help them maximize the standard and to improve their own information security programs and posture?
STROUD: If we think about it, if I boil it down, let's understand that information security starts with the business, it starts as a business risk and IT is the vehicle that executes the business components in place. Security is everyone's role; it's everyone's job in the organization. But in saying that, we don't need to make it cumbersome or complex. What we need to do is put security awareness in place, put the right processes and controls in place, mitigate the organization's correct the identified risks and allow a cultural or environment of growth and expansion where appropriate.
Put in short, the guidance shouldn't be viewed as rules that will constrain the organization. The COBIT 5 guidance is a set of guidelines to help and actually liberate an environment to do their job better so they will put the right focus in the right areas, and that's all our governance is about. Let's identify the outliers and let's identify the exceptions to our business and allow top management to effectively drive the business based on those exceptions. I think once we get that right as IT and the business, once we realize that managing the exceptions rather than the day-to-day business allows us the most agility, room to move and scope, I think we will all become more productive. We'll add more value and we'll all be able to deliver the business the agility that it's so desperately asking for.