According to a very recent report by the Identity Theft Resource Center, the first half of 2015 alone saw 400 publicized security breaches with over 117 million records exposed. While most organizations have ongoing initiatives to keep their names off the list, many are misguided in their approach – making the effort almost entirely an IT project.
Numerous studies show a direct correlation between the maturity of an organization’s security profile and the level of engagement and understanding by its board and/or executive management. The IT Governance Institute in its Board Briefing on IT Governance, 2nd Edition, states: “Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”
In comparing the critical differences in the effectiveness of companies' information security governance programs, published author Shon Harris highlights the following distinctions common to successful organizations:
- Board members understand that information security is critical to the company and requires regular updates on performance and security incidents
- The officers and business unit managers participate in a risk management committee that meets regularly on the topic of information security
- Executive management sets acceptable risk levels which are the basis for the company’s security policies and related practices
- Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units
- Critical business processes are documented along with the risks that are inherent in the different steps within the business processes
- Employees are held accountable for any security breaches they participate in, either maliciously or accidentally
- Security products, managed services and consultants are purchased and deployed in an informed manner and are regularly reviewed
- The organization regularly reviews its business and security processes with the goal of continuous improvement
Engaging the C-Suite and board in the complexities and efforts of the entire organization, including IT, is critical to managing an effective risk management program.