There are many benefits to having a security governance committee in your organization. In this blog, we examine some of those benefits, along with what it takes to establish the committee and where to find help if you need it.
In its broadest sense, governance means the decisions and actions of the people who run a nation, a city, a business, a school, or a program. Synonyms for governance include administration, direction, and guidance.
According to the Gartner Glossary, security governance is the process of overseeing the cybersecurity teams who are responsible for mitigating an organization’s business risks. According to the National Institute of Standards and Technology (NIST), it involves establishing and maintaining a security framework to ensure that security strategies, including information security strategies, are aligned with and support the objectives of the organization, and that they are consistent with applicable laws and regulations.
Security teams do not operate unilaterally. Every security program requires governance. Whether in a corporation or agency, educational institution or healthcare organization, retail chain or wholesaler, manufacturer or distributor, a security program has many moving parts. A security governance program provides valuable high-level, authoritative attention and collaborative guidance for the organization’s security program.
At the center of an effective security governance program is the security governance committee, established with a formal role and defined processes for governing your organization’s information security program. Its responsibilities are three-fold: information security, regulatory compliance, and collaboration and steering.
In pursuing these objectives, the security governance committee provides high-level leadership and support to the organization, enabling effective security at an acceptable level of business risk.
Your organization will enjoy a number of benefits by establishing a committee dedicated to governing your security program. These include:
There are other benefits as well. Can you think of one or two we haven’t mentioned?
Committee Status. Your security governance committee is not, and should not become, an information technology (IT) governance committee. IT security is one subset of security, not the other way around. Security is a significant business risk and a top-level management concern, not just an IT problem.
Committee Membership. To enable the best strategic decision-making possible, make the security governance committee as inclusive as it needs to be. Roles appropriate for committee members include the chief information security officer, the IT director, and the corporate risk manager.
Directors of the organization’s functional lines should also be included, such as human resources, accounting and finance, research and development, production, and marketing. If the organization has satellite locations, it is appropriate to include regional directors and other key field managers. The point is to have thorough representation at a high enough level to make decisions.
Committee Agility. Be prepared to adjust membership as security priorities shift over time, so that the appropriate stakeholders stay engaged. This keeps the committee relevant and timely, and helps target security spending effectively.
Committee Management. Plan to meet quarterly at a minimum. Communicate the purpose of the committee, its corporate charter, and its membership. Assign responsibilities as evenly as feasible among members, and encourage everyone to engage actively. Use agendas to keep meetings focused, and stick to them so you do not lose the attention of your busy committee members. When communicating with committee members, be even-handed and speak in business terms as you moderate the committee toward effective solutions and decisions.
A security governance committee is at the heart of any effective security program. It helps to integrate all aspects of an organization’s security in a cohesive, holistic manner to enable optimal decision-making. As such, it is vitally important to the security of your organization at every level.
Many organizations understand the need for a security governance committee but are unable to dedicate the resources to establishing it, developing its charter, and managing it so that it can do its job. Outsourcing these tasks to an expert is a popular and viable option.
In particular, a Virtual Chief Information Security Officer (VCISO) is an ideal catalyst for ensuring that the security governance committee is properly formed and understands its responsibilities to the organization and its stakeholders. The VCISO can help develop your committee charter, outline and assign responsibilities, and guide and advise the committee in other ways.
In general terms, governance is the act of administering, directing, or guiding a program, institution, city, or nation. Security governance is the process of overseeing the security and cybersecurity teams who are responsible for mitigating an organization’s business risks.
Security teams do not operate unilaterally. Security programs have many moving parts and require high-level oversight. A security governance program provides authoritative attention and collaborative guidance across those moving parts to ensure an integrated, holistic approach to security for the entire organization.
At the center of a security governance program is the security governance committee, whose roles encompass information security, regulatory compliance, and collaboration and steering. Without such a committee, an organization’s security program is likely to lack focus and management support, resulting in sub-optimal decision-making.