Just as a house with shoddy foundations will never be secure, an information security programme without empowered and effective governance will only lead to chaos. A key purpose of information security governance is to ensure that the information security programme aligns with the goals and objectives of the business, and can be defined as the collection of top-down activities intended to control the security organisation (and security-related activities in every part of the organisation) from a strategic perspective.
A Secure Business is a Successful Business
Contrary to what outsiders commonly assume, the purpose of information security is not to make life unnecessarily difficult, lock everything down and present barriers at every step. If it did, no business would be able to function effectively. Instead, information security governance is about facilitating the organisation’s activities while protecting it from a hostile world replete with numerous threats and risks. A breach leading to a loss of the confidentiality, integrity or availability of valuable data can cause significant financial losses — in some cases so damaging as to put an organisation out of business or set it back months or years. The job of information security governance is to communicate these risks — and any shortcomings in addressing them — to senior management and stakeholders across the business. Without this key line of communication a silo is created in which information security is misunderstood across the business and insufficient resources are allocated to address genuine threats and risks.
Security Tools Require Effective Governance
A common approach in some organisations is to compensate for inadequate governance by purchasing multiple security tools, often without reference to actual needs and available resources. These might be vulnerability scanners, a SIEM and other threat detection and response software. As a box-ticking exercise, having these tools in place might look good, but without the governance to manage and monitor them effectively within a broader strategic approach, they are a palliative that only adds to the confusion and noise. If an organisation has no documented incident response process (with assigned responsibilities) and has not carried out an incident response training exercise in the last twelve months, it should come as no surprise if, in the event of a genuine incident, it ends up beset by confusion and a response that is far from optimal.
Support and Alignment with the Business
Where security governance activities are effective, information security will be in a position to support the business in areas such as:
- Risk management
- Process improvement
- Event identification
- Incident response
- Improved compliance
- Business continuity and disaster recovery planning
- Resource management
- Improved IT governance
When activities such as these are managed on a strong governance foundation, the result is increased trust from customers, suppliers and partners.
In order to align itself with the business, the information security programme should also be fully aware of, and adapt to, all of the following:
- Asset values
- Risk tolerance
- Legal obligations
- Market conditions
Healthy security governance should lead to outputs that include:
- Programme and project management
- Metrics and reporting
Strong information security governance ensures that the organisation itself, as well as its people, processes, culture and technology — including the dynamic interconnections between these — are all addressed holistically.
Through measures such as policies, standards, guidelines, process documentation, resource allocation and compliance, management can ensure that a solid foundation is in place to achieve the desired information security outcomes. This is all the more important now, in a world where organisations of every size and in every industry are increasingly dependent on their information and information systems.