Development of top-down and holistic global information security strategy and governance model


Service: Cascading strategy
Area of expertise: Cyber security, Life sciences

THE SITUATION

A global pharmaceutical company wanted to establish a new strategic direction, governance model, and a stronger top-managed approach to information security. Kopenhagen Konsulting was brought in to manage the formulation of a new strategy and governance model, as well as initiate the execution hereof.

The need followed a re-organization of the global IT organization, which introduced an intensified and more business-centric digitalization strategy with emphasis on decentral adoption of digital solutions across the value chain. This introduced new threats, as the business became more digital, had a higher dependency on third parties, and moved digital solutions closer to patients.

To be able to manage these risks, the Chief Information Security Officer (CISO) aimed to intensify the information security focus across the entire organisation, not just within IT, and to adopt a more holistic approach to information security.

WHAT WE DID

The efforts were led by Kopenhagen Konsulting with an internal team of senior subject-matter experts within general information security, cyber security, cloud, vendor management, as well as Operational Technology (OT) and manufacturing processes. The team collaborated with a reference group of business representatives and reported directly to the CISO and the director of information security management.

The strategy and governance development process was divided into 3 steps: First, a formulation of the purpose and mission for the Global Information Security strategy and function. Second, the current state of information security was analyzed and used to define key challenges. Third, the strategic direction was formulated, together with a new supporting governance model and a hands-on plan for execution.

Purpose formulation

To ensure a business-centric, risk-based and correctly cascaded strategic direction, the initial focus was to formulate the overarching purpose of information security. This was derived through an in-depth analysis, which included:

  • Structured interviews with 40 key stakeholders including the CEO, CIO, COO and other critical business representatives to gain deeper insights into business priorities, investigate the risk appetite as well as receive feedback on the current state of security
  • Review of central material covering, among others, Annual Reports, Corporate Strategy and mission, Corporate values, the Corporate Risk Management registry, Codes of Conduct, the Audit Committee Charter, Business Continuity Plans and Business Impact Assessments for critical processes, and IT risk management processes
  • Risk comparison of peers including review of peer information security policies

Based on the analysis, the overarching goals were formulated and information security’s role in reaching these goals was defined in three mission statements, each with clearly defined potential impact scenarios should the mission not be fulfilled.

Current state and key challenges

With the purpose of information security defined, the next step included an analysis of the current state. To assess the current maturity, a triangular analysis was conducted covering 1) external ISF maturity assessment, 2) external input on the threat landscape, best practice and the trends of the information security industry, and 3) self-assessments of the maturity based on ISO27001 and ISO27002. The analysis was matched with several management workshops taking stakeholder interview input into account.

At a general level, it was concluded that the organization had a strong historical focus on improving the IT security posture, but fragmented efforts beyond the realm of IT. Thus, rising threats and a changing business environment required a stronger mandate, clear direction, and cross-organizational governance to safeguard the business. Furthermore, the analysis pointed out that several building blocks for a full-fledged information security setup were in place through an existing model for executive oversight, as well as the fact that executive management recognised the importance of information security.

However, the analysis deduced three key challenges, centred around governance, risk and culture, that were identified as obstacles to fulfilling the mission statements of information security:

  1. Fragmented information security governance implementation across the organisation, including:
    • The governance of information security was unclear, and the mandates and risk ownership for different stakeholders were undefined.
    • Information security efforts were not aligned to nor driven by the priorities of the business
    • There were specific gaps in maturity in certain key information security areas that needed to be addressed
  2. Insufficient insight into key information security risks, including:
    • The company did not have a common understanding of what the most important information assets were
    • The existing approach to identifying risks was silo-based and did not adequately identify the most important risks
    • The information security function lacked insight into whether information security controls or measures were adequately implemented across the company
  3. Information security was not recognized as critical across the organization, including:
    • Information security was largely viewed as an obstacle for the business – a requirement that must be checked off – rather than a partner
    • Employees across the company did not necessarily have the proper knowledge or competences to protect the information assets they handle in their daily work
    • Risk acceptance was not always aligned across the organisation, leading to local acceptance of risks greater than what is in the interest of the company

Strategic direction and governance model

Strategic focus areas
To pursue the mission statements and work towards resolving the identified challenges, the working group defined three strategic focus areas towards 2022, each directly mapped to one of the identified challenges:

Strategic focus area 1: Efficient management of information security. By 2022, the objective was to have a strong governance setup, strategic direction, and roadmap implemented for gap-mitigation, with clearly defined responsibilities.

Strategic focus area 2: Comprehensive risk mitigation. By getting better insight into key information security risks, the objective was to have a clear risk picture that is utilized to guide decision making by 2022.

Strategic focus area 3: Information security is embedded in the culture. By 2022, the aim was to ensure that information security is understood by all employees and regarded as a business enabler rather than a hindrance to the organization.

To ensure operationalization, each of the strategic focus areas was broken down into clear must-win battles with short-term (within 6 months), medium-term (within 18 months), and long-term (by 2022) actions with measurable deliverables, which were then mapped in an execution roadmap with defined roles and responsibilities.

Governance
To ensure efficient execution of the strategic focus areas, the strategy was presented together with a revised approach to the overseeing organisational governance structure for information security. This consisted of three elements:

First, a multi-tier, top-down governance model was introduced to ensure effective management of information security across the company. The new governance model was based on a comprehensive analysis of best practice, existing governance bodies and peer-company comparison, where it was decided to anchor the strategic governance committee within an existing and well-established committee for technology management, which had the mandate to represent the whole company. The purpose, mandate, responsibilities, risk ownership and yearly tasks were outlined and approved, with a clear distinction from the executive oversight entity as well as the operational governance mechanisms.

Second, the CISO function was renamed and its scope restructured to reflect the new mandate for global information security, with an intensified focus on providing subject matter expertise to support the business while retaining a focus on enhancing the cyber security posture within the Security Operations Center (SOC). The new organization also included a dedicated secretary for the new governance committee.

Third, a new Information Security Charter was developed and approved by the new governance committee to outline the overarching responsibilities of different information security stakeholders, including Executive Management, the CISO, the cross-organisational governance committee and every individual employee in the company.

THE OUTCOME

The new strategic direction was presented to and approved by executive management, and well-received by all stakeholder groups. Furthermore, the revised governance model was swiftly operationalized according to plan, with tracking and oversight for the implementation roadmap of the strategic activities.