6 principles for building engaged security governance

The need for engaged governance

Different organizations have different levels of security governance maturity. Some might be at the low end, where only the security function is concerned with governance and the rest of the company doesn't acknowledge its presence. Others might be at the higher end, where governance helps shape the entire organization, its culture, its decisions and the way business is conducted. Most organizations probably fall somewhere in the middle. They see potential in governance for guidance and to help reassure the business, enabling them to face risks head on and prosper despite them.

Regardless of where one is on the maturity spectrum, good security governance is difficult to achieve. Organizations are dynamic entities, trying to survive in an uncertain and unpredictable world, with many conflicting tactical and strategic priorities. It's also challenging for security practitioners to take governance to a state where it can evolve easily.

This is where "engaged governance" comes in. Engaged governance is a proactive and continuous effort to align security to business strategy. This means security practitioners must do the following:

• Make a regular effort to understand how the organization works -- its evolving goals, mission, purpose, values.
• Collaborate with stakeholders.

• Draw up plans and policies that serve the broader strategy.
• Deploy programs that embed appropriate secure behaviors.

Principles for building engaged governance

Six core components can help nurture and develop maturity in a security governance program.

1. Understand the organizational context

No governance strategy can be built without knowing where the organization is currently and where it is going. Start by understanding the organization's core business practices, its product portfolio, customers, geographical footprint, and ethos and culture -- all from a security perspective. This should help answer key security-related questions, such as who does what, why they do it and for whom. Next gain a better understanding of the organizational structure and current security standards, guidelines, regulations and frameworks.

2. Learn how information security functions operate

Get a better grasp of how security functions operate. Take a comprehensive review of the security policies in place and how effective they are. Understand the current state of security procedures, projects and activities, tests and exercises as well as the current level of information security controls and future roadmap. Assess the skills and capabilities of security practitioners and their responsibilities, and benchmark it with best practices in the industry to expose the gaps in existing capabilities and activities.

3. Outline an information security governance framework

The governance document must highlight in high-level language the aim of the governance program and its relationship with business risk. It should outline the steps taken to fulfill security goals with the roles and responsibilities of the security function as well as the support it will extend to the board and other executive teams. It should define what information security will do, the culture it is trying to build and the path it is taking to achieve it.

4. Translate strategy into actions and controls

Once a governance strategy is in place, build a detailed list of methods, policies, standards and procedures through which information security strategy will be fulfilled and enacted. Detail the accountability and expectations from all individuals across the organization -- not just the security team -- and the responsibilities information security will take on. Policies should address what the business must do to protect itself and outline steps for incident response and mitigation in case the organization experiences a breach or cyber attack.

5. Secure senior management blessings

Effective governance requires significant backing from the board and other senior executives. Security teams can toil endlessly, but without senior-level buy-in, this work may be ignored and have little effect on the organization and its culture. Governance requires a visible leader -- someone in the driver's seat who evangelizes governance and its potential benefits. Create a steering committee or a forum attended regularly by senior managers, including IT, marketing, legal, data protection, procurement, operations and other key stakeholders.

6. Influence awareness and behavior

Deploy a comprehensive and continuous training program that embeds more secure ways of working across the organization. This helps reduce the number of complaints the security team receives and identify gaps that exist in the current governance program. As people begin to appreciate what security governance entails, it will positively influence the security culture of the organization.

Engaged governance is an ongoing process, not a one-off corporate initiative. It makes organizations more accountable, gives organizations greater visibility of security activities across the enterprise, and makes the business less prone to cyber attacks and breaches. In the long run it will help the business become more resilient and set the stage for long-term growth.

About the author

Steve Durbin is chief executive of the Information Security Forum (ISF), an independent, not-for-profit association dedicated to investigating, clarifying and resolving key issues in information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000.