Last article, I talked about PPTP. With organization policies formally established, the next step is the governance to make them work. Otherwise, policies are just slogans in the air.
The governance must be driven by the governing body (usually the senior management of the organization), whose responsibilities include but are not limited to:
- Mandate cybersecurity directives (policies) for enforceable, repeatable and achievable business processes
- Approve risk acceptance for deviations from these established policies
- Stipulate strategic decisions to ensure business outcomes align with the organization's business objectives, such as digital transformation, Recovery Time Objective (RTO), recovery priority and funding
The hard part is that the governing body needs to determine the right path for the organization rather than be distracted by sales pitches or FUD exaggerated by the media.