Not long ago, the smart people at Carnegie Mellon University's CyLab security research and education center wrote
a report on the disconnect between senior management, boards of directors, and those responsible for information security in the enterprise. The results were disturbing because they pointed out how little oversight executives and board members have over security, how unaware directors are of security and privacy budgets, and roles and responsibilities.
Among a long list of recommendations coming out of the CyLab Governance and Enterprise Security report was the need to include IT risk in an enterprise risk management program, segregate responsibility for security oversight away from audit committees, and establish a separate risk committee that assesses enterprise risks, including IT risks.
Also tucked away on the list was the suggestion to establish a cross-organizational entity that meets regularly to discuss security and privacy issues and include on that team, among others, legal, finance, HR, public relations, the CIO and security and privacy management.
Way ahead of ya.
Our annual year-end, new-year kickoff issue looks at what it takes to establish what we're calling a security steering committee, and how those committee members view their roles on the committee and how they view you. Read on if you dare.
For some it will be an interesting reality check; for others, affirmation that you're on the right track. One thing should stay with you: A well-orchestrated committee can do more for the integration of security into lines of business than any policy or process you can develop.
Not only do these committees afford you the opportunity to talk out security and privacy issues and explore compliance implications of new projects and technology purchases, but they provide an important forum for business line managers, security officers and executives to get on the same page. They will simplify procurement processes, ease anxiety over budget requests and cut hassle and haggle next time someone in a particular business unit gripes over a new security mandate.
Steering committees aren't easy ventures to pull off. Kirk Bailey, University ofWashington CISO, dedicates significant time to the committee to keep it vital. Kirk says it takes "a lot of coffee and a lot of side conversations," but the payoff is enormous.
Connect with management and encourage them to participate, and don't sweat the type of executive you recruit at first; VPs aren't always the best conduit to get your objectives accomplished. Business unit liaisons need only to be interested in security and be willing to evangelize for you. Don't miss out on the opportunity you have to educate your HR and PR people about security. Spend the first few meetings talking about how risk impacts business; this groundwork will help them make informed decisions about security later on.
But it's not all roses. There are common mistakes.
Whatever your do, don't make it a status meeting. Forrester Research principal analyst Khalid Kark implores you: Don't talk about the latest round of critical Patch Tuesday fixes or the latest spammer techniques. You set the agenda; make sure it's strategic and use it to guide decisions based on risks that are acceptable to the company. Otherwise, before you know it, your VPs will drop off, and they'll start sending their reps, and pretty soon their reps will start sending their reps, and your committee is just another Outlook invite.
"It's a great idea to get conversations about security going," Kark says. "You've got to know what you're doing and be savvy about a steering committee. It sounds simple to do one of these, but it requires a lot of backend effort and a lot of framing up front to succeed."
Michael S. Mimoso is editor of Information Security. Send comments on this column to firstname.lastname@example.org.