There are many benefits to having a security governance committee in your organization. In this blog, we examine some of those benefits, along with what it takes to establish the committee and where to find help if you need it.
Governance Defined in Context
In its broadest sense, governance is the decisions and actions of the people who run a nation, a city, a business, a school, or a program. Synonyms for governance include administration, direction, and guidance.
In business, corporate governance is the system of rules, practices, and processes by which a firm is directed and controlled, according to Investopedia. Governance involves balancing the interests of a company's multiple stakeholders, from shareholders and executives to customers and suppliers to financiers and regulators.
Security governance is a process for overseeing the cybersecurity teams who are responsible for mitigating an organization's business risks, according to the Gartner Glossary. It involves establishing and maintaining a security framework to ensure that security strategies, including information security strategies, are aligned with and support the objectives of the organization. That framework also ensures that those strategies are consistent with applicable laws and regulations, according to the National Institute of Standards and Technology (NIST).
The Need for Security Governance
Security teams do not operate unilaterally. Every security program requires governance. Whether in a corporation or agency, educational institution or healthcare organization, retail chain or wholesaler, manufacturer or distributor, a security program has many moving parts. A security governance program provides valuable high-level, authoritative attention and collaborative guidance for the organization’s security program.
And at the center of an effective security governance program is the security governance committee, established with a formal role and defined processes for governing your organization's information security program. The main responsibilities of this committee are three-fold.
Role of the Security Governance Committee
Any effective security governance committee is responsible for three primary roles, as follows:
- Information Security. Governance committee responsibilities begin with the development and maintenance of appropriate information security programs for the organization. These may encompass electronic data security, cloud security, and physical security programs.
- Regulatory Compliance. The security governance committee is responsible for understanding information security regulations that apply to your industry, and for documenting ownership of regulatory compliance within your organization. The committee ensures that regulatory requirements are addressed through the development, execution, and maintenance of company-wide best practices for information security, as well as for third-party vendor information security.
- Collaboration and Steering. The committee also serves as a forum for discussion, status updates, and improvements related to information security initiatives; security policies and procedures; security controls; security metrics and KPIs; current security assessments and investigations; data security risks; and strategic security issues.
In pursuing these objectives, the security governance committee provides high-level leadership and support that enables the organization to achieve effective security while keeping business risk at an acceptable level.
Benefits of a Security Governance Committee
Your organization will enjoy a number of benefits by establishing a committee dedicated to governing your security program. These include:
- Effectively managing your organization’s information security risks, including internal and external threats and vulnerabilities.
- Enhancing security compliance initiatives to meet all regulatory requirements that apply to your industry and your organization.
- Putting your company in the best position to respond successfully to advances in technology, shifts in security regulations and best practices, and changes in key security leadership.
- Enabling your security budget to be allocated intelligently and optimally, based on a big-picture view of the organization’s security needs and priorities.
There are other benefits as well. Can you think of one or two we haven’t mentioned?
Considerations When Forming Your Committee
Committee Status. Your security governance committee is not, and should not become, an information technology (IT) governance committee. Security is not a subset of IT; it is a significant business risk and a top-level management concern, not just an IT problem.
Committee Membership. To enable the best strategic decision-making possible, make the security governance committee as inclusive as it needs to be. Roles appropriate for committee members include the chief information security officer, IT director, and corporate risk manager.
Directors of the organization's functional lines should be included, such as human resources, accounting and finance, research and development, production, and marketing. If the organization has satellite locations, it is appropriate to include regional directors and other key field managers. The point is to have thorough representation at a high enough level to make decisions stick.
Committee Agility. Be prepared to adjust membership as security priorities shift over time, so that the appropriate stakeholders are engaged. This keeps the committee relevant and timely, and also helps to target security spending effectively.
Committee Management. Plan to meet quarterly at a minimum. Communicate the purpose of the committee, its charter, and its membership clearly. Assign responsibilities as evenly as is feasible among members, and encourage everyone to engage actively. Use agendas to keep meetings focused, and adhere to them to avoid losing the attention of busy committee members. When communicating with committee members, be even-handed and speak in business terms as you steer the committee toward effective solutions and decisions.
A security governance committee is at the heart of any effective security program. It helps to integrate all aspects of an organization’s security in a cohesive, holistic manner to enable optimal decision-making. As such, it is vitally important to the security of your organization at every level.
Many organizations understand the need for a security governance committee but cannot dedicate the resources to establishing it, developing its charter, and managing it so that it can do its job. Outsourcing these tasks to an expert is a popular and viable option.
In particular, a Virtual Chief Information Security Officer (VCISO) is an ideal catalyst to ensure that the security governance committee is properly formed and understands its responsibilities to the organization and its various stakeholders. The VCISO will assist in developing your committee charter, outlining and assigning responsibilities, and guiding and advising in other ways.
In general terms, governance is the act of administering, directing, or guiding a program, institution, city, or nation. Security governance is the process of overseeing the security and cybersecurity teams who are responsible for mitigating an organization's business risks.
Security teams do not operate unilaterally. Security programs have many moving parts and require high-level oversight. A security governance program provides authoritative attention and collaborative guidance across those moving parts to ensure an integrated, holistic approach to security for the entire organization.
At the center of a security governance program is the security governance committee, whose roles encompass information security, regulatory compliance, and collaboration and steering. Without such a committee, an organization’s security program is likely to lack focus and management support and result in sub-optimal decision-making.