”Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly." IT Governance Institute in its Board Briefing on IT Governance, 2nd Edition
This definition is correct, but remains at a high level that is difficult to understand and implement. This definition is more like a strategic policy statement, and the real skill is to properly interpret and transform it into meaningful tactical and operational functions and practices.
Let's compare two companies. Company A has an effective security governance program in place and Company B does not. Now, to the untrained eye it would seem as though Company A and B are equal in their security practices because they both have security policies, procedures, standards, the same security technology controls (firewalls, IDS, identity management, etc.), and they both have security team runs by their security officers. You may think, "Man, these two companies are on the ball and are evolved in their security program." But if you look closer you will see the critical differences.
|Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches.
||Board members do not understand that information security is in their realm of responsibility, and focus solely on corporate governance and profits.
|CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month, and information security is always one topic on the agenda to review.
||CEO, CFO, and business unit managers feel as though information security is the responsibility of the CIO, CISO and IT department and do not get involved.
|Executive management set an acceptable risk level that is the basis for the company's security policies and all security activities.
||CISO found boiler plate security policies, inserted his company's name and had the CEO sign them.
|Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units.
||All security activity takes place within the security department, thus security works within a silo and is not integrated throughout the organization.
|Critical business processes are documented along with the risks that are inherent at the different steps within the business processes.
||Business processes are not documented and not analyzed for potential risks that can affect operations, productivity and profitability.
|Employees are held accountable for any security breaches they participate in, either maliciously or accidentally.
||Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed.
|Security products, managed services and consultants are purchased and deployed in an informed manner. They are also constantly reviewed to ensure they are cost effective.
||Security products, managed services and consultants are purchased and deployed without any real research or performance metrics to be able to determine their ROI or effectiveness. Company has a false sense of security because it is using products, consultants and/or managed services.
|The organization is continuing to review its business processes, including security, with the goal of continue improvement.
||The organization does not analyze its performance for improvement, but continually marches forward and repeatedly makes the same mistakes.
Most companies today are struggling with implementing holistic security program, that can be measured, governed, and properly controlled. The first step is to implement a structure program and rollout metrics that makes sense to that specific environment. The security department has to understand how to govern itself, then roll security out to the business units, and finally allow senior management and the board members to govern the portions they are responsible for. Many companies, security professionals, and security consulting companies are struggling with how to do these steps correctly in a useful manner.
Don’t try and reinvent the wheel on your own and waste time and hundreds of thousands of dollars. Bring in the professionals that understand how security is supposed to be developed and governed and get it right the first time!