Philippe's blog

Governance

P.Leclercq in Security    2025-05-06   governance 


IT Security: a question of governance above all

In the previous article, we listed the basic practical measures to implement to achieve a minimum level of security. However, it is crucial to understand that your company’s security doesn’t begin with technology, but with governance. Installing antivirus software or enabling two-factor authentication will have only a limited impact if you haven’t first clearly defined who makes decisions, according to what rules, and based on what risks.

The three pillars of cybersecurity

  • Governance:
    • Who is responsible for security?
    • How are decisions made?
    • Is there a clear chain of accountability?
      Its importance is underscored by the fact that ISO 27001 devotes its entire Clause 5 (Leadership) to it, and that NIST CSF 2.0 places the Govern function at the center of its framework.
      [Figures: ISO 27001 framework wheel highlighting the Leadership clause; NIST CSF 2.0 framework wheel with the Govern function in the center]
  • Security policies:
    • What behaviors are acceptable?
    • What are the rules for using information systems?
    • How are access, backups, and incidents managed?
  • Business risk assessment:
    • Each company has its own vulnerabilities. Knowing critical assets (customer data, intellectual property, etc.) and the most likely threats allows for prioritizing actions.

Only once these foundations are in place does it become relevant to implement technical measures based on proven principles: least privilege, segmentation, regular backups, monitoring, etc.

This is why the next articles will alternate between governance topics on the one hand and technical advice and tools on the other.

Conclusion

In summary: technology comes last. Security starts with a governance decision, fueled by a good understanding of your own risks.
