Six Principles for Building Engaged Security Governance
Security governance isn't enough. Enter engaged security governance - an ongoing process that aligns business strategy with security across an organisation.
Information security governance is a system that helps organise and direct dedicated security resources. It influences how goals are set and achieved, how cyber risks are monitored and assessed, and how security performance is evaluated. Security governance also encompasses the history, structure, internal politics and culture of an organisation.
In today's organisations, security governance isn't enough. They need "engaged governance." Learn about engaged governance and six principles that organisations should implement.
The need for engaged governance
Different organisations have different levels of security governance maturity. Some might be at the low end, where only the security function is concerned with governance and the rest of the company doesn't acknowledge its presence. Others might be at the higher end, where governance helps shape the entire organisation, its culture, its decisions and the way business is conducted. Most organisations probably fall somewhere in the middle. They see potential in governance for guidance and to help reassure the business, enabling them to face risks head on and prosper despite them.
Regardless of where one is on the maturity spectrum, good security governance is difficult to achieve. Organisations are dynamic entities, trying to survive in an uncertain and unpredictable world, with many conflicting tactical and strategic priorities. It's also challenging for security practitioners to take governance to a state where it can evolve easily.
This is where "engaged governance" comes in. Engaged governance is a proactive and continuous effort to align security to business strategy. This means security practitioners must do the following:
Principles for building engaged governance
1. Understand the organisational context
No governance strategy can be built without knowing where the organisation is currently and where it is going. Start by understanding the organisation's core business practices, its product portfolio, customers, geographical footprint, and ethos and culture - all from a security perspective. This should help answer key security-related questions, such as who does what, why they do it and for whom. Next, gain a better understanding of the organisational structure and the current security standards, guidelines, regulations and frameworks that apply to it.
2. Learn how information security functions operate
Get a better grasp of how security functions operate. Take a comprehensive review of the security policies in place and how effective they are. Understand the current state of security procedures, projects and activities, tests and exercises, as well as the current level of information security controls and the future roadmap. Assess the skills and capabilities of security practitioners and their responsibilities, and benchmark them against industry best practices to expose the gaps in existing capabilities and activities.
3. Outline an information security governance framework
The governance document must highlight in high-level language the aim of the governance program and its relationship with business risk. It should outline the steps taken to fulfill security goals with the roles and responsibilities of the security function as well as the support it will extend to the board and other executive teams. It should define what information security will do, the culture it is trying to build and the path it is taking to achieve it.
4. Translate strategy into actions and controls
Once a governance strategy is in place, build a detailed list of methods, policies, standards and procedures through which information security strategy will be fulfilled and enacted. Detail the accountability and expectations from all individuals across the organisation - not just the security team - and the responsibilities information security will take on. Policies should address what the business must do to protect itself and outline steps for incident response and mitigation in case the organisation experiences a breach or cyber attack.
5. Secure senior management blessings
Effective governance requires significant backing from the board and other senior executives. Security teams can toil endlessly, but without senior-level buy-in, this work may be ignored and have little effect on the organisation and its culture. Governance requires a visible leader - someone in the driver's seat who evangelises governance and its potential benefits. Create a steering committee or a forum attended regularly by senior managers, including IT, marketing, legal, data protection, procurement, operations and other key stakeholders.
6. Influence awareness and behaviour
Deploy a comprehensive and continuous training program that embeds more secure ways of working across the organisation. This helps reduce the number of complaints the security team receives and identifies gaps that exist in the current governance program. As people begin to appreciate what security governance entails, it will positively influence the security culture of the organisation.
Engaged governance is an ongoing process, not a one-off corporate initiative. It makes organisations more accountable, gives them greater visibility of security activities across the enterprise, and makes the business less prone to cyber attacks and breaches. In the long run, it will help the business become more resilient and set the stage for long-term growth.