On Good Governance: Security and Your Bottom Line
It’s no mystery that securing our information security assets can be an expensive, confusing, and laborious task. What can be a mystery, however, is how one navigates the complex relationship between those accountable for information security and those in charge of its strategy and implementation. The dynamics of these relationships, adjusting budgets to account for information security, and identifying the “who does what” in an information security program can make or break any information security strategy. So, let’s break down some of these concepts and see how quality governance in your information security program can align with your organization’s bottom line.
Who is in Charge Here?
You can’t browse today’s headlines without hearing about an information security breach in either the public or private sector. We read about the type of attack that occurred, the resulting damages, and the subsequent litigation. What we don’t usually hear about are the terminations and fractured reputations of the senior leaders who are accountable when breaches occur. But which group of individuals is accountable in the event of a cyber attack? The answer is far less complicated than you might think – your board of directors. It’s the responsibility of your board to be aware of your organization’s information assets, the risks to those assets, and their criticality to ongoing business operations. To have an effective information security program and strategy, enterprise-level security expectations should be established at the board level.
A sure way to end up with a failing information security program is to have a security apparatus that is driven from the bottom up. So why not a bottom-up strategy? Surely, privacy officers, business continuity managers, and the heads of your information technology departments are better suited to understand the technical minutiae and nuance of your information risk. While that might be true, the purview of these positions (regardless of how your specific organization defines them) is ultimately to inform the board and C-suite on how their governance strategy is succeeding or failing and how it is impacting business goals and objectives. In short, they aren’t accountable if the information security strategy is ineffective; they are responsible for helping execute the strategy at the operational level. If accountability for strategy is left to this cadre of individuals, the information security strategy will undoubtedly be disconnected by department, operationally fractured, and more than likely out of alignment with the overall business objectives.
A Top-Down Strategy
Since the board of directors is accountable for your information security strategy, it is important that they remain apprised of how best to provide oversight of the activities and staff that execute that strategy. Here are some best practices for leading your organization’s information security governance successfully:
Strategic Alignment – For successful information security governance to mature into subsequent successful processes, all aspects of the security strategy must support the bottom line of the business. A simple way to put this is that your security requirements must be driven by enterprise requirements. Any investments in security solutions and information security must align with the organization’s enterprise strategy, operations, culture, and organizational structure.
Knowing Your Risk – A critical element of any information security program is being well acquainted with your organization’s biggest threats and vulnerabilities – your risks. Good risk management oversees the efforts to mitigate and reduce potential impacts to information resources to an acceptable level. However, for risks to be adequately communicated throughout the organization, they must be communicated in a way that is easy to understand. What is the likelihood of a certain risk occurring? What will the impact be? Ensure your organization has data (aka metrics) to effectively answer these questions.
Asset Valuation – A central component of knowing your risk is knowing what your assets are worth. Your assets can range from people to hardware and software; which ones matter depends on where your organization is attempting to mitigate its risk through its information security program. The bottom line here is that to understand impact, we have to be able to assign values to our organization’s assets. These figures can clear up the ambiguity when deciding how best to mitigate risks.
Delivering Value – Once your organization’s security strategy is aligned with enterprise objectives, and your assets have been valued to help you understand your risk strategy, it’s important to make decisions on mitigation tools that optimize security outcomes. Your security solutions need to be adding value to the business rather than merely maximizing security to the point of wasteful spending.
The takeaway here remains that your information security program must support the mission of the organization efficiently and cost-effectively. However, while senior business leaders will have to delegate responsibilities to their employees to execute this strategy, they are the ones accountable for the success or failure of that strategy.