This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."
Download it now to read this article plus other related content.
"The PASS Council serves to promote security in very advantageous ways, especially if you're doing it in language [business leaders] understand," Bailey says. "PASS helped me produce, as a product, a risk picture, a strategic plan associated with the risk picture, a budget associated with the strategic plan, and ongoing reporting to management with their approval and endorsement. It's hard for anybody not to listen to what I'm asking for when it represents the institutional risk officers behind it. How could you operate without it?"
It's crucial too to keep these meetings strategic and about mitigating risk to individual business units or the enterprise overall, otherwise interest and attendance will wane and the effectiveness of the group ends.
|Failure is not an option|
Here are eight security steering commitee best practices to remember to keep your security steering committee afloat for the long haul.
1. Get the right buy-in from security, executives and business leaders that they will participate.
2. Don't get hung up on titles. Look for those who are interested in and could evangelize security or act as a liaison between security and the business.
3. Educate your committee members on how to think about risk and how it applies to their business; in turn they'll be able to make useful decisions.
4. Stay on topic. Don't talk about spam, vulnerabilities or patching. Keep meetings strategic and think about how you can steer the risk appetite of an organization.
5. Bring metrics to the table. This can't be a status meeting; you need metrics to be able to answer questions and make decisions based on historical data.
6. Charter the committee. Get formal sign-off from executive management and formalize roles and responsibilities for committee members.
7. Keep membership consistent and meet regularly.
8. Set the agenda and send out materials in advance.
SOURCES: Khalid Kark, Forrester Research; Kirk Bailey, Timothy McKnight, Jerry Freese.
This was first published in January 2009