Protecting information consistently across the enterprise means having the right people at the right level engaged so that the information security program can align with business and technology strategy. Without the participation of the right people, it becomes difficult to maintain the proper information security budget and staffing levels.
In this post, I’ll cover the basic concept of governance, as well as why it’s important, who should be involved and how a governance framework should be executed and maintained.
While information security leaders often make decisions based on their experience, it’s equally important to involve the enterprise in strategic discussions. Many information security leaders find this task daunting.
What does the CEO know about security? How about the general counsel, CFO, head of compliance or board of directors? The short answer is, they probably know little. That’s reasonable, as it falls outside their direct responsibilities. Nonetheless, the executive team and board play pivotal roles as key stakeholders and significantly influence the investment in protecting information.
More importantly, the CEO is responsible for executing the corporation's strategic plan, while the CFO oversees financial plans, the general counsel provides guidance on legal risks, the head of compliance ensures regulatory compliance and the board of directors oversees the organization's operations.
To benefit from their positions and perspectives, the CISO needs to engage the executive team and board. By providing oversight and guidance for the information security program, they can effectively protect the enterprise at the right level.
Although it may seem like a basic point, most businesses depend on their technology infrastructure to operate. Without this infrastructure, businesses would come to a halt. At the same time, the technology infrastructure in most companies has systemic security issues that go unaddressed. These security issues create risks that make it easy to disrupt services or facilitate intellectual property theft.
Robust information security governance offers enterprises significant advantages. These include:
Information security leaders need to engage boards of directors and executive teams so these stakeholders can understand the issues and provide guidance and support for the information security program.
An effective approach to establishing a governance program involves building and maintaining relationships with the executive team through one-on-one conversations. This aspect is often overlooked by information security leaders.
Ongoing dialogues with the executive team members serve as the foundation for long-term success and optimal alignment with business and technology strategies. In many organizations, security lacks visibility with the executive team and board — but having direct and recurring conversations with these individuals bridges the gap.
Communicating Security's Impact to Stakeholders
Many people think that the executive team needs to learn information security’s vocabulary, when the reverse is true. To secure the necessary support, the executive team and board of directors must understand how an investment in security aligns with their areas of responsibility.
When speaking to a CEO, for example, you need to communicate how security impacts the way they run their business and how it can create strategic advantages. Executed properly, security becomes one ingredient that contributes to creating a resilient technology infrastructure. If the technology infrastructure is resilient, the business can rely on it to support its basic business functions.
The CFO needs to understand how security impacts the top and bottom line. When customers perceive an organization as trustworthy, they have the confidence to do business with it. This is particularly important for companies that depend on digital assets for a large percentage of their revenues. A strategic, predictable investment with the proper underlying processes helps to reduce bottom-line costs.
Integrating Security into Business Processes
To emphasize the importance of integrating security into basic business processes, consider the following analogy: When an automobile rolls off the assembly line, the manufacturing process doesn't include a separate step for adding quality. Instead, if quality is taken seriously, it becomes an integrated aspect of the manufacturing.
Failure to achieve the desired level of quality leads to product defects. While recalls can be expensive, the cost of damaging a company's reputation and image is greater. Similarly, security must be integrated into fundamental business processes to ensure proper protection.
In application development, it is nearly impossible to bolt on security hygiene after the fact and achieve the same outcome as if security had been applied throughout the process. Security must be integrated into the application development lifecycle and into infrastructure management. The same is true for other technology areas and for basic business functions. People need to understand how to protect information as part of their daily routines.
Not all security breaches can be prevented [2]. The executive team and board need to hear this message. Companies and governments are compromised regularly around the globe. It happens.
Think of the general counsel’s role as a model for information security leadership. The general counsel can’t prevent lawsuits. To say otherwise would be foolish. The general counsel’s first order of business is to create a robust legal framework that minimizes legal risk, settlements, and related costs.
The general counsel doesn’t accept the risk for the organization — the role of the general counsel and their staff is to coach the organization on the legal risk it’s exposed to and what it should do to minimize its legal risk. The decision lies with the business. The business needs to make the decision because it has responsibility for revenue generation.
Similarly, information security leadership should assume the responsibility of creating a strong framework and helping the business to understand its security issues and how to address them. The decision on which security risks to accept should lie with the business, not the CISO. This underscores the value of proper information security governance.
Once the executive team and board grasp the significance of security for the business, it becomes practicable to form a governance committee. The first steps involve securing the participation of senior executives who can make decisions for the organization. This committee typically includes leaders from human resources, legal, compliance, audit, technology, and the business.
The next step involves creating a charter for the committee so its mission and key details — who should be involved, who the committee reports to, how often it should meet — remain clear. The governance committee should approve the information security strategy and policies, and serve as the first decision point for significant issues, such as how to respond to a denial of service attack.
An integral part of establishing the governance foundation also involves the creation of metrics that enable the organization to evaluate if the information security function is fulfilling its mission.
Most areas in an organization have defined metrics to help executives understand how they align with their objectives. Questions the governance committee should ask include:
Using a comprehensive framework, such as ISO 27000 or the NIST Cybersecurity Framework, can help an organization assess its security posture and whether it has taken a comprehensive approach to protecting itself.
Creating an effective governance framework yields numerous benefits. By involving the right people in the organization, the information security team can accomplish its mission, align itself with both business and technology strategy and contribute to building a resilient organization. With the right leadership, communication and governance, information security can evolve into a strategic asset for the organization.
1. Information Security Governance: Guidance For Boards of Directors and Executive Management, 2nd Edition, IT Governance Institute, ISBN 1-933284-29-3.
2. Broad New Hacking Attack Detected, Siobhan Gorman, Wall Street Journal, February 18, 2010.