Information Security Governance

Jun 12, 2023

Protecting information consistently across the enterprise means having the right people at the right level engaged so that the information security program can align with business and technology strategy. Without the participation of the right people, it becomes difficult to maintain the proper information security budget and staffing levels.

In this post, I’ll cover the basic concept of governance, as well as why it’s important, who should be involved and how a governance framework should be executed and maintained.

Engaging the Enterprise in a Strategic Discussion

While information security leaders often make decisions based on their experience, it’s equally important to involve the enterprise in strategic discussions. Many information security leaders find this task daunting.

What does the CEO know about security? How about the general counsel, CFO, head of compliance or board of directors? The short answer is, they probably know little. That’s reasonable, as it falls outside their direct responsibilities. Nonetheless, the executive team and board play pivotal roles as key stakeholders and significantly influence the investment in protecting information.

More importantly, the CEO is responsible for executing the corporation's strategic plan, while the CFO oversees financial plans, the general counsel provides guidance on legal risks, the head of compliance ensures regulatory compliance and the board of directors oversees the organization's operations.

To benefit from their positions and perspectives, the CISO needs to engage the executive team and board. By providing oversight and guidance for the information security program, they can effectively protect the enterprise at the right level.

The Importance of Technology Infrastructure and Security

Although it may seem like a basic concept, most businesses depend on their technology infrastructure to operate. Without this infrastructure, businesses would come to a halt. At the same time, the technology infrastructure in most companies has systemic security issues that go unaddressed. These security issues create risks that make it easy to disrupt services or facilitate intellectual property theft.

Benefits of Information Security Governance

Robust information security governance offers enterprises significant advantages. These include:

  1. Improving trust in customer relationships
  2. Protecting the organization’s reputation
  3. Decreasing likelihood of regulatory and privacy violations
  4. Providing greater confidence when interacting with business partners
  5. Enabling new and better ways to process electronic transactions
  6. Reducing operational costs by providing predictable outcomes — mitigating risk factors that may interrupt the process.¹

Information security leaders need to engage boards of directors and executive teams so these stakeholders can understand the issues and provide guidance and support for the information security program.

Creating a Governance Program

An effective approach to establishing a governance program involves building and maintaining relationships with the executive team through one-on-one conversations. This aspect is often overlooked by information security leaders.

Ongoing dialogues with the executive team members serve as the foundation for long-term success and optimal alignment with business and technology strategies. In many organizations, security lacks visibility with the executive team and board — but having direct and recurring conversations with these individuals bridges the gap.

Communicating Security's Impact to Stakeholders

Many people think that the executive team needs to learn information security’s vocabulary, when the reverse is true. To secure the necessary support, the executive team and board of directors must understand how an investment in security aligns with their areas of responsibility.

When speaking to a CEO, for example, you need to communicate how security impacts the way they run their business and how it can create strategic advantages. Executed properly, security becomes one ingredient that contributes to creating a resilient technology infrastructure. If the technology infrastructure is resilient, the business can rely on it to support its basic business functions.

The CFO needs to understand how security impacts the top and bottom line. When customers perceive an organization as trustworthy, they have the confidence to do business with it. This is particularly important for companies that depend on digital assets for a large percentage of their revenues. A strategic, predictable investment with the proper underlying processes helps to reduce bottom-line costs.

Integrating Security into Business Processes

To emphasize the importance of integrating security into basic business processes, consider the following analogy: When an automobile rolls off the assembly line, the manufacturing process doesn't include a separate step for adding quality. Instead, if quality is taken seriously, it becomes an integrated aspect of the manufacturing.

Failure to achieve the desired level of quality leads to product defects. While recalls can be expensive, the cost of damaging a company's reputation and image is greater. Similarly, security must be integrated into fundamental business processes to ensure proper protection.

In application development, it’s nearly impossible to achieve through after-the-fact hygiene the same outcome as if security had been applied throughout the process. Security must be integrated into the application development lifecycle and into infrastructure management. This is true for other technology areas and for basic business functions. People need to understand how to protect information as part of their daily routines.

Managing Security Breaches and Risks

Not all security breaches can be prevented.² The executive team and board need to hear this message. Companies and governments are compromised regularly around the globe. It happens.

Think of the general counsel’s role as a model for information security leadership. The general counsel can’t prevent lawsuits. To say otherwise would be foolish. The general counsel’s first order of business is to create a robust legal framework that minimizes legal risk, settlements, and related costs.

The general counsel doesn’t accept the risk for the organization — the role of the general counsel and their staff is to coach the organization on the legal risk it’s exposed to and what it should do to minimize its legal risk. The decision lies with the business. The business needs to make the decision because it has responsibility for revenue generation.

Similarly, information security leadership should assume the responsibility of creating a strong framework and helping the business to understand its security issues and how to address them. The decision on which security risks to accept should lie with the business, not the CISO. This underscores the value of proper information security governance.

Establishing a Governance Committee

Once the executive team and board grasp the significance of security for the business, it becomes practicable to form a governance committee. The first steps involve securing the participation of senior executives who can make decisions for the organization. This committee typically includes leaders from human resources, legal, compliance, audit, technology, and the business.

The next step involves creating a charter for the committee so that its mission and key details — who should be involved, who the committee reports to, how often it should meet — remain clear. The governance committee should approve the information security strategy and policies, and serve as the first decision point for significant issues, such as how to respond to a denial of service attack.

An integral part of establishing the governance foundation also involves the creation of metrics that enable the organization to evaluate if the information security function is fulfilling its mission.

Most areas in an organization have defined metrics to help executives understand how they align with their objectives. Questions the governance committee should ask include:

  • Do we have the right staffing levels?
  • Are policies and standards adequate and updated?
  • Have we made a sufficient investment in security technologies?
  • Are we addressing privacy issues?
  • Are we in compliance with regulatory frameworks, such as PCI, Sarbanes-Oxley, HIPAA, FFIEC and FISMA?
  • Are we exposing ourselves to undue risk?

Using a comprehensive framework, such as ISO 27000 or the NIST Cybersecurity Framework, can help an organization assess its security posture and whether it has taken a comprehensive approach to protecting itself.

The Benefits of a Proper Governance Framework

Creating an effective governance framework yields numerous benefits. By involving the right people in the organization, the information security team can accomplish its mission, align itself with both business and technology strategy and contribute to building a resilient organization. With the right leadership, communication and governance, information security can evolve into a strategic asset for the organization.



1. Information Security Governance: Guidance For Boards of Directors and Executive Management, 2nd Edition, IT Governance Institute, ISBN 1-933284-29-3.

2. Broad New Hacking Attack Detected, Siobhan Gorman, Wall Street Journal, February 18, 2010.