Governance

Strong, broadly integrated and top-management-anchored Cyber Risk Governance is the most important element of Risk Management for your cloud adoption, your Third Party and Supply Chain Cyber Risk Management, your Resilience Management, your Business Continuity Management, your AI adoption, and many more aspects.

Considerations

Core Elements of a Cyber Risk Management Framework are:
Governance, Controls, Audits, Remediation, Contracts, Continuous Monitoring

A few questions which may reveal potential breaking points:
Does your Board and C-Suite understand the risks to their data and their business?
Does your Board and C-Suite understand that security does not come for free?
Does your Board and C-Suite understand that a breach can bring down the entire company within a very short time?
Are your Board and C-Suite integrated in the overall risk governance and do they actively endorse and support it?
Do you apply the same Governance, the same Controls, the same Scrutiny to Third Parties and their entire Supply Chain?
How effectively do you enforce controls, including strict auditing and remediation on your Third Parties and their entire Supply Chain, in particular when Business is demanding fast adoption of a service?
Are you equipped to continuously monitor all services processing your sensitive data and to immediately trigger sanctions in case of services failing to ensure compliance in operation?

Cyber Risk Governance: Core Aspects:
Integrated governance: Business, Risk, CIO, CTO, DPO, 2nd Line of Defence, Audit, SOC, Cloud Operations
Defined Cloud Strategy
Centrally driven 3rd / nth Party Risk & Compliance Governance
Link to Regulatory Compliance
Enforce Regulatory Requirements across supply chain, including Right to Audit, 24h notification
Educate! What can happen if…
Architecture and technical standards compliance
Risk and controls compliance
Operational suitability and operating standards compliance
Operational KPC(i)s and Risk Management Monitoring and Sanctioning
SOC and Cloud Operations monitor all Third Parties and their entire Supply Chain
Centrally managed concentration risk, including Third Parties and all of their Supply Chain

Controls required to ensure Governance can be effective:
CISO / DISO / DPO / 2nd LoD agreed Cloud Requirements
Leveraging a standard Cloud Controls Framework e.g. CSA CCM
Augmented with the controls required for CID and PII
All regulatory requirements translated into controls
Shared Accountabilities defined
Right to Audit enforced
Pen testing enforced
24h notification from when breach occurred to customer no matter where in the Supply Chain
Threat & Vulnerability Mgmt. plus Incident Response Capability at each level in Supply Chain
SOC, Incident Management capabilities and log monitoring fully integrated across all Third Parties and their entire Supply Chain up to the customer. Your SOC must be able to access and monitor the logs and incident details of your entire Supply Chain in real time.
Joint BCM / BCR testing of all Third Parties and their entire Supply Chain for all critical services.
Joint incident / response exercises
The 12 Golden Controls:
Temporary Privileged Access Management
Multi-Factor Authentication
HSM backed key vault with Customer Specific Keys
Unstructured data classification and encryption and DLP
Log immutability
Records immutability
Jurisdiction specific storage and processing
Data segregation by customer

Audits to evaluate controls compliance:
Assessment of Third Party Services and all of their sub-service providers’ services via controls not questions
Evidence must be submitted, reviewed and challenged. No evidence = finding
Control failures or gaps result in findings
Operational effectiveness failures result in findings:
Pen test failures / results
Joint BCM / BCR exercise failures
Joint incident / response exercise findings / failures
SOC interoperability failures during continuous monitoring
Enforce & exercise the Right to Audit across the entire Supply Chain, incl. all sub-providers
Third Party service providers must evidence effective control of every sub-service provider for control adherence
If the Third Party service provider cannot ensure their Supply Chain compliance, you must ensure control adherence across the Third Parties’ Supply Chain
ISO 27001 / 27017 certification is configurable (the provider chooses the scope) and not transparent: you do not receive the detailed audit report, and no remediation is enforced.
SOC 2 Type 2 is transparently audited and fully reported, but its scope is still configurable. You MUST obtain the report and audit it yourself.

Ensure control failures by Third Party Service Providers and their Supply Chain are flagged and remediated:
Findings must be remediated
Remediation requires design proposals which are reviewed, challenged for effectively addressing the finding
Closure of finding requires evidence of effective remediation and positive re-assessment of control
No remediation = no deal / exit from contract
Inappropriate remediation = back to square one / contract breach

Contracts that protect you, not your Third Parties:
Tight standard clauses for information security and data protection
Applied to Third Party service providers and mandated to be enforced by the Third Party Service Providers across the entire Supply Chain of sub-providers
Right to Audit across the entire Supply Chain. Attention: Several jurisdictions restrict the enforceability of the Right to Audit; ensure your contracts are concluded under a legal system that permits you to exercise your Right to Audit!
24h breach notification overall: The 24h breach notification is interpreted by several regulators to apply from the breach occurring, no matter how deep the Supply Chain is.
Contract conditions of nth level sub-contractor with their Supply Chain impact threat and incident management capabilities of your Third Party service provider and yourself.
Every finding results in remediation clauses
Exit clause triggered by inappropriate remediation or breach
Contract performance is conditional on information security controls being met continuously and across entire Supply Chain

Continuous Monitoring:
YOU must have the capabilities to continuously monitor your Third Party service providers' threat & vulnerability management and their incident response process effectiveness, including their Supply Chain of sub-service providers.
Requires permanent, open and real-time access to your Third Party service providers' logs, including their Supply Chain sub-service providers' logs.
Requires a link between your SOC, the Third Party service providers' SOCs, and their sub-service providers' SOCs.
Your Third Party service providers and entire Supply Chain must have own threat, vulnerability & incident management capabilities.
Requires chain of KPC(i)s linked and rolling up across the entire Supply Chain, to the Third Party service providers and yourself
NO reliance on Cloud Service Provider threat & vulnerability management / incident management alone.

Blog

How to enforce effective controls and compliance therewith:

What to do to establish and enforce strong and effective Cyber Risk Governance:

Publications

ISACA Round Table 2025 Oct 07 Cyber Threat Psychology

Cyber Threat Psychology Research Group

CSA Cyber Threat Psychology WG Session 20250310

CSA Cyber Threat Psychology WG Session 20250224

CSA Cyber Threat Psychology WG Session 20250210

CSA Cyber Threat Psychology WG Abstract

CISA: The Journey to Zero Trust

Microsegmentation in Zero Trust Part One: Introduction and Planning

Zero Trust Guidance for Small and Medium Size Businesses (SMBs)

This publication provides guidance for small and medium-sized businesses (SMBs) transitioning to a Zero Trust architecture

DoD Zero Trust Strategy

This Zero Trust strategy, the first of its kind for the Department, provides the necessary guidance for advancing Zero Trust concept development; gap analysis, requirements development, implementation, execution decision-making, and ultimately procurement and deployment of required ZT capabilities and activities which will have meaningful and measurable cybersecurity impacts upon adversaries. Importantly, this document serves only as a strategy, not a solution architecture. Zero Trust Solution Architectures can and should be designed and guided by the details found within this document.

Department of Defense (DoD) Zero Trust Reference Architecture

The DoD Cybersecurity Reference Architecture (CS RA) documents the Department’s approach to cybersecurity and is being updated to become data centric and infuse ZT principles. ZT supports the 2018 DoD Cyber Strategy, the 2019 DoD Digital Modernization Strategy, the 2021 Executive Order on Improving the Nation’s Cybersecurity, and the DoD Chief Information Officer’s (CIO) vision for creating “a more secure, coordinated, seamless, transparent, and cost-effective architecture that transforms data into actionable information and ensures dependable mission execution in the face of a persistent cyber threat.” ZT should be used to re-prioritize and integrate existing DoD capabilities and resources, while maintaining availability and minimizing temporal delays in authentication mechanisms, to address the DoD CIO’s vision.

NSTAC Report

In May 2021, in the aftermath of a series of significant cybersecurity incidents, the White House tasked the President’s National Security Telecommunications Advisory Committee (NSTAC) with conducting a multi-phase study on “Enhancing Internet Resilience in 2021 and Beyond.” The tasking directed NSTAC to focus on three key

Zero Trust Architecture

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

Zero Trust Maturity Model

Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. The goal is to prevent unauthorized access to data and services and make access control enforcement as granular as possible. Zero trust presents a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data and assets that change over time; for these reasons. This provides the visibility needed to support the development, implementation, enforcement, and evolution of security policies. More fundamentally, zero trust may require a change in an organization’s philosophy and culture around cybersecurity.

NSA: Embracing a Zero Trust Security Model

As cybersecurity professionals defend increasingly dispersed and complex enterprise networks from sophisticated cyber threats, embracing a Zero Trust security model and the mindset necessary to deploy and operate a system engineered according to Zero Trust principles can better position them to secure sensitive data, systems, and services.