“COBIT is not about security!”
I have heard this statement being said a couple of times about COBIT and for a bunch of different certificates and certifications throughout my career. There is of course truth in this statement as COBIT is not explicitly about security. However, the principles that you can learn from COBIT will absolutely improve your skills as a security leader. This is true for many certificates, certifications, and knowledge out there that are not explicitly about security, and it is especially true if you want to improve your skills as a security leader.
I personally think that a security leader needs to have a broad set of skills and tools. A security leader has a wide perspective on security and is comfortable in a broad span of domains. To become this kind of security leader, if that is what you are striving for, there are some things found in COBIT that will help you out. I think that the stuff you can learn from COBIT can potentially make you a more well-rounded security leader. It will provide you with, among other things, a foundational understanding of governance and management.
TERMS & DEFINITIONS
Below are terms and definitions that will be used several times in this article:
- COBIT – Control Objectives for Business and Information Technology. This certificate is targeted toward those who want to demonstrate their knowledge of the standard, i.e. COBIT. For example, CIOs, IT directors, IT managers, IT auditors, security leaders (CISOs, directors, managers), and decision-makers in both IT and security.
- ISACA – Information Systems Audit and Control Association (ISACA) is the organization that provides the certification mentioned above.
INFORMATION
This article is not a “how-to pass the COBIT certificate”. This article does not provide a detailed review of the content within COBIT.
This article will give you as a reader my perspectives and reflections on the knowledge that can be gained from COBIT and its application to security leaders.
This article will explain what you as a security leader can learn from the knowledge provided by COBIT. I will also give you some practical scenarios for where you as a security leader can use the stuff that is found within COBIT.
If you think this sounds interesting, continue reading.
REALITY
“Many of the concepts and methods provided are theoretical and do not directly apply to reality!”
I have heard people say this about the knowledge and things in ISACA and other frameworks, standards, practices etcetera. And I also think this is true to some extent. But, I think that security leadership is not about copy-pasting concepts, frameworks, and methods from a textbook directly into reality. To become a well-rounded security leader I think that he/she must have an understanding of how to transfer and adapt those theories into reality and practice. Theories and reality will not always align. This is the truth and the sooner you make friends with this, the smoother your security leadership journey will become. Trust me. Don’t try to force theories into reality. This is also highly true for COBIT. It will not fit into each and every organization just because the material says it can be applied to any form of organization. This is not a statement unique to COBIT; it is something that is true of, and found in, many frameworks, standards, practices, and theories.
And keep this in mind: certain aspects and concepts related to security governance and management will not look the same in each and every organization. The actual implementation will differ: “It depends.” Many theoretical principles and concepts are still valid and can be used as a baseline or starting point, but whether they fit reality is not something absolute. Some of the things that I have learned through my career that will play an incredibly important role in how security governance and management manifest themselves in an organization are:
- culture
- maturity
- economics
You as a security leader can, to some extent but not on your own, impact all these things. But that will not happen over a lunch break. And somewhere along the road, you might need to settle with the truth that:
Changing the culture may be impossible and also nothing that you should change. If the culture in the organization you are supporting has led to success, why go in there and try to change it? That would be kind of a suboptimal thing in my world. Security is, in most organizations, not a core business function; it is a supporting function whose purpose is to make the organization successful. The way forward here is to adapt to reality. Security does not exist for its own sake or operate in a vacuum. Don’t make it into an ego game.
The maturity related to security in an organization takes time to improve. Some things will be quick wins but these are limited. Maturity goes a bit hand in hand with culture but with a slight difference. How organizations view security will differ. This can be a part of the culture or dependent on the industry where the organization is operating. An organization operating in a highly regulated industry with high compliance requirements will most often have a higher maturity and understanding of the importance of security. This should at least be the case, but it is not always the truth. Some organizations pursue the “Compliance diploma” and think it is equivalent to security. In my world, compliance should be the result of making things secure. There are some ifs and buts here but I will leave it at that for now.
Economics might be the thing that in almost every organization will dictate what and “how much” can be realized when it comes to security. There are very few organizations that have infinite amounts of dollz, resources, and manpower. Many times it comes down to a prioritization of initiatives, and this is also what reality looks like. To ensure long-term value realization from security investments I think that every organization that takes security seriously should have a security strategy. Security is not something that lives for a quarter at a time or should be treated as feature development in a software project. It is not something that can only be approached from a purely operational viewpoint. Doing it this way is kind of like Frankensteining the potential value realization from security investments. Yes, I have seen this happening in reality. I mean, doing security on a quarterly basis and planning for 3 months at a time, or just focusing on operational things, is still better than just swinging blindly.
But there are better ways to do it. If you want to know more about how to do it in a better way, check these articles out:
- SECURITY STRATEGY – WHAT IS THAT?
- SECURITY STRATEGY – LONG TERM PLAN
- SECURITY STRATEGY – DIRECTION
- SECURITY STRATEGY – CREATING VALUE
- SECURITY STRATEGY – REALITY VS THEORY
WHAT TO LEARN FROM COBIT?
COBIT provides a framework for the governance and management of IT. What COBIT does well is to explain “How” IT governance and management can be applied to increase the value realization of IT within an organization. This is mainly done through:
- Benefit realization
- Resource optimization
- Risk optimization
These three things (benefit realization, resource optimization, and risk optimization) can all be applied in the context of security. They are not exclusive to IT. This is what you can learn from COBIT as a security leader: how to increase value realization through security in an organization.
A foundational part of COBIT is understanding the difference between governance and management. These two are not the same, but many actually think so. And I get it. The words are thrown around here and there, and they are also used in scenarios and situations where they don’t make any sense. This is most true for “Governance”. Many use governance and management interchangeably.
COBIT provides a very clear explanation of the distinction.
Governance is mainly about evaluating, directing, and monitoring strategic objectives. Governance is conducted by the board, which is accountable for the strategic decisions related to an organization. The board = Shareholders/Owners of an organization. The operationalization of the decisions, i.e. the responsibility to conduct the actual work, is delegated to the C-level. The C-level executives are responsible for management and for making sure the strategic objectives are executed in the organization.
In reality, things might be a bit different, but this is the main distinction between governance and management. These principles, related to governance and management, can be applied inside an organization and not only at the board and executive level. A security leadership team could act as the governing body, with key stakeholders from the organization (i.e. finance, research & development, sales & marketing, security, IT, HR) who together set the strategic direction and evaluate and monitor the progress. The execution, on the other hand, is conducted by teams, dedicated or cross-functional, where the subject matter expertise is located.
Many still confuse governance and management. And here and there people also sometimes confuse governance with maintenance. Governance sets the direction and paves the way forward. In reality, this may have different characteristics, but almost every organization has some sort of governance established, whether they call it governance or not. There is usually some form of “system” in place where people make these kinds of decisions to set the strategic direction. And when a direction is set it does not stop there. A strategy needs, in my belief, to be developed, communicated, and launched to realize the potential value in the set direction. Benefit realization is impossible if those great strategic ideas that the governing entity came up with aren’t operationalized. This is also where management comes into play, i.e. the delegation of the responsibility to conduct the actual tasks needed to achieve the wanted outcome.
Executive Summary
Governance
Has the ultimate accountability for success and failure. Sets the strategic direction. Less about the details. More about the holistic and bigger picture.
Management
Is responsible for carrying out the tasks related to the strategic direction. More about the details and about doing the actual work. Reports performance to the governing entity.
FRAMEWORK & TOOLS
Simple as that, this is what you will learn from COBIT. You will learn a new framework and a couple of new tools that you as a security leader can leverage to better:
- Develop a security governance framework
- Develop a governance system
- Develop security goals from both a management and governance perspective
- Optimize value realization of security investment
- Resource optimization and utilization
- Risk optimization and planning
- Overall strategic and tactical planning
Yes, this list sounds like a bunch of random fluff that has been written in many other articles around the internetz. The truth, though, is that this is what you CAN learn if you understand how to use the knowledge gained from COBIT in reality. The thing here is that the COBIT foundation might not be enough for most people to be able to do all those things I listed. The COBIT foundation certificate doesn’t really go into design and implementation (that is covered in the design and implementation certificate).
You will not get a how-to manual from the COBIT foundation material that explains how you shall or can do the things I listed. It will provide you with very good principles and methods. But the rest, how these will be carried out in reality in your organization, is for you to figure out. And personally, I think this is a good thing. You as a security leader shall be the person who understands what you and your organization need, and that should not come from a theory, standard, or framework. Don’t get me wrong here. The stuff you learn from a theory, standard, or framework is good stuff. It goes directly into your broadened perspective as a security leader, but it does not mean that you know what your organization needs. The needs in your organization related to governance and management, in terms of system/framework/methods/<insert>, will be highly dependent on what I wrote in the introduction of this article: Culture, Maturity, & Economics.
The COBIT goals cascade model is one of the tools covered in the framework.
But, here comes another good thing. If you get an understanding of the concepts, methods, and principles, and if you and your organization already have a governance framework and system established, you will most likely find some gems in COBIT that can be applied to improve your current implementation. The stuff you will find in COBIT is not something revolutionary. It is, though, a solid and well-tested framework that has been around the block for a while. And if something stands the test of time, that is usually a good indicator that there is some solidity in the stuff. If you find something interesting in COBIT, or in another standard/framework for that matter, be curious, and 1.) Contemplate the findings and their application to your organization and 2.) Don’t be scared to test things out. Testing things out can be done on a small scale. Do it as a part of a project or a scoped initiative. Or do a dry run of it together with a couple of colleagues. Discuss the learnings and try together to figure out if it would make any sense to implement in your organization.
Personally, I think that many security people often make the mistake that when a new theory, method, or concept is to be tested, the scope is made way too large. The scope keeps people from testing the thing out. It becomes too large in a phase when the knowledge and skills related to that new theory, method, or concept are also limited. Why not shrink the scope? Test the things out and see if they make sense. Expand the scope based on the findings and lessons learned. Test things out again and learn from there. Doing it this way also provides something very important to those doing the work with the new theory, method, or concept: confidence. They gain confidence in how things work in reality and how things work in your organization. Just because something is written on a piece of paper or on the internet doesn’t mean it will work in reality.
MY LEARNING PATH
This section may come across as a bunch of bragging, but I’m willing to stick my neck out as I want to be transparent about my journey up to taking the COBIT 2019 foundation certificate. Many of the concepts and principles in COBIT were not new to me. I have had the opportunity to work in organizations that have been applying and taking inspiration from COBIT. Of course, the real world often looks a bit different compared to the textbook, but in my belief there is no substitute for real-life experience.
In the COBIT foundation material, the Balanced Scorecard (BSC) is one of the concepts you will learn about. I have worked with this concept for almost two decades, used it in many different ways, and really like it. The thing here, though, is that when this article was first written and when I took the COBIT 2019 foundation certificate, there were no visual diagrams or figures in the learning material illustrating what a BSC is. Yes, this can easily be looked up on the internet, but personally I think it would make perfect sense to show the student “What” a BSC is and “How” it may be used in a governance framework and system. The same applies to other parts of the learning material. This is not a showstopper for the student preparing for the exam, but it will limit the holistic understanding, especially if the person is new to the concepts. One may pass the exam and know what to answer on a certain question, but still be scratching their head afterward and not really understand what a BSC is, what a governance system looks like in reality, or how these things will be used in reality.
A very simple model visualizing what a balanced scorecard looks like from a holistic viewpoint.
My preparation for the COBIT exam consisted of reading through the standard twice alongside my daily work. I did so when I was in a spot where I needed to integrate a strategy framework with a governance framework. These two forms of frameworks kind of should go hand in hand in my world, they don’t need to but I think that the closer these two frameworks (strategy and governance) are to each other, the more value will be generated.
During this work, I decided to revisit COBIT and mainly wanted to take a look at the governance and management objectives. But as it was a couple of years since I had spent time on the framework, I decided to go through the foundations from top to bottom. And when doing so I found a couple more gems in COBIT that I took with me into the framework integration task I was working on in my day-to-day work. Along the road of my work and refreshing my knowledge, I decided to go for the Pokémon, i.e. the COBIT 2019 foundation certificate. I felt like I had the perfect opportunity to take a shot at the exam, where I got to apply the knowledge in reality in combination with studying for the exam.
I know people have different study approaches and learning methods. For me, applying theoretical things in reality is superior. To test shit out. To share those theoretical models, concepts, learnings, and ideas with others. Theory does not always fit into reality, and this is where the true magic happens as I see it: doing the theoretical stuff in a way that works in reality. It is much easier to change a theory to fit reality than to do it the other way around. Try to change the operational environment, company culture, or threat landscape, for example. Like trying to punch that little green ball into a red square. As I wrote in the previous chapter, there are very effective ways to test theories, concepts, and frameworks out in reality to gain better hands-on experience and learning.
INFORMATION & REFLECTION
Before I sat for the COBIT foundation certificate, approximately one year earlier, I took the CGEIT from ISACA. There are some similarities, but when reflecting on CGEIT and COBIT I think it would make perfect sense to start with COBIT before going for the CGEIT. Some foundational principles learned from COBIT will be useful to understand when going for CGEIT. This is, though, not a must. I did it the other way around, CGEIT first and then COBIT. Keep in mind that CGEIT is an agnostic certification, whereas COBIT is a specific test on the COBIT framework.
IS COBIT FOR SECURITY LEADERS?
Yes, this certificate makes perfect sense for security leaders. It will not smash your skill levels up to the stratosphere. Still, I think the knowledge covered in the foundational material is good for upcoming, new, and seasoned security leaders alike. You who are new to or striving for a security leadership role will be learning foundational concepts, related to IT governance and management, that have a high carry-over to the security field. As I said before, governance and management are not exclusive to IT. The principles are universal but may take a different form or role in reality.
But all in all, I think that many security leaders who are familiar with security governance will have an edge on the knowledge covered in COBIT. You will learn a thing or two, but don’t expect to come out on the other end as Batman with a set of new cool tools and things.
And if you stand there and start to weigh whether you should take ITIL or COBIT, there is a thing that needs to be said here. These certificates are not the same and do not cover the same body of knowledge. ITIL is about IT Service Management. COBIT is about the Governance and Management of IT. Yes, both of them make sense, as I see it, for a security leader. Are they absolutely needed? No. A certain amount of, or a specific combo of, teddy bears (= certifications, diplomas, degrees, certificates etc.) does not guarantee one is the ultimate security end boss leader.
LEARNING MATERIAL
To pass the COBIT foundation certificate, all that is needed is out there for free from ISACA and covered in COBIT 2019 Introduction and Methodology. Reading through and understanding the concepts in the material covers all that you need to know to pass the exam. But as I said before, some of the concepts might be a bit abstract if one lacks experience and exposure to reality.
The COBIT 2019 Introduction and Methodology material is around 60 pages long. That doesn’t sound like much, but I think it is easy to underestimate the knowledge covered in the material.
When preparing for the exam I also think it makes sense to go through parts of the COBIT 2019 Governance and Management Objectives material. This gives a good overview of how some of the things explained in COBIT 2019 Introduction and Methodology fit together. Now you can get a better overview of for example:
- Components
- Practices
- Management objectives
- Governance objectives
- Enterprise goals
- Alignment goals
As I said, you do not need to read through the COBIT 2019 Governance and Management Objectives material to pass the exam. But I think there is value in spending at least 1-2 hours on it just to get a deeper understanding of the framework.
FYI
It was the COBIT 2019 Governance and Management Objectives material that I was after initially when I did that work-related thing (= integration of the strategy and governance framework). So I started to look at this paper, then went through the COBIT 2019 Introduction and Methodology, and then did some IRL work. Did some more IRL work. Somewhere here I thought it made perfect sense to go for the Pokémon, i.e. the COBIT 2019 foundation certificate.
EPILOGUE
Is COBIT worth it? Should you as a security leader go for it? Will you benefit from it? I have said it before in several other articles, if you find the learning journey interesting and value-adding for YOU, go for it.
As COBIT is a certificate and not a certification, it does not come with a yearly fee and the requirement of reporting CPEs. The monetary fee for the COBIT exam has, when this article was written, a reasonable price tag. The learning material needed to pass the exam is out there for free. And foremost, whether you go for the COBIT certificate or not should not be the ultimate goal. The goal should be to learn the stuff in the framework.
Personally, I am one of those who like to learn stuff. I like to accumulate knowledge as this enables me to expand my perspectives. And this is also something that I think is very important for a security leader, to have a broad perspective of things. You don’t need to know it all down to the details about everything. That is not what leadership is about. However, having a good and broad understanding of several different domains and disciplines will add to your overall toolbox as a security practitioner.
Written by Henrik Parkkinen (HenrikParkkinen.com).