Lance Bellers - Fotolia

The importance of an IT security governance body

An IT security governance board is a key feature in security budgeting, but who makes up this body? Expert Joseph Granneman outlines the best structure for security governance boards.

To get better value when spending on security, my organization is planning to create an IT security governance body to initially debate which risks are the most prevalent for the business, and to then allocate our security budget accordingly. Do you have any opinion on who should sit on this board and how they should go about defining risk?

The one fact that haunts all information security professionals is that there will never be enough resources to mitigate every potential security risk. It is the CISO's job to make these critical decisions about where to allocate the organization's limited resources for maximum risk mitigation. This is the theory, but the practical application can be even more difficult as the balance between organizational risk and available resources continues to shift. It is extremely important to develop an IT security governance body that helps prioritize risks and build support for when more resources are required to protect the organization. 

The structure of the security governance body can vary widely depending on the structure of the organization. However, it is common that representatives come from these organizational departments: legal, human resources, compliance, internal audit as well as information technology and security. This helps create an environment where every department feels it has a role in creating security policy. The CISO can use this governance body as a platform to discuss risks and build support to move difficult information security decisions forward. The governance body helps the CISO preserve political capital and increase political influence, which is critical in driving information security policy.

Once the governance body is formed, the next challenge for the CISO is to present information security risks to this board. Usually, the best approach is to start by classifying the organizational information assets and applying valuation for their protection. I prefer the OCTAVE method, but there are many different models available. Using a model allows the CISO to present nontechnical risk information to the governance body in a format that they will understand. For example, the value of the customer information inside of the CRM system or the financial information stored within the ERP system will be available. The CISO can then present the risks to these information systems and the resources necessary to mitigate them to the governance body. The governance body may not agree with where resources are being deployed and offer further input into the allocation of limited resources. 

The importance of an information security governance committee cannot be understated. It is one of the first things that a CISO should establish at a new position. There will never be enough monetary or organizational resources to mitigate every potential risk to our information systems. A governance body with representation from a variety of nontechnical departments helps make difficult security policy decisions and gets the best results from limited resources. It also helps spread information security awareness throughout the organization and dramatically increases the effectiveness of the CISO.

Ask the Expert
Have questions about enterprise security management? Send them via email today! (All questions are anonymous.)

Next Steps

For more on information security governance, check out this learning guide.

This was last published in September 2014

Dig Deeper on Information security program management