Security governance isn’t enough. Enter engaged security governance — an ongoing process that aligns business strategy with security across an organization.
Information security governance is a system that helps organize and direct dedicated security resources. It influences how goals are set and achieved, how cyber-risks are monitored and assessed, and how security performance is evaluated. Security governance also encompasses the history, structure, internal politics and culture of an organization.
In today’s organizations, security governance isn’t enough. They need “engaged governance.” Learn about engaged governance and six principles that organizations should implement.
The need for engaged governance
Different organizations have different levels of security governance maturity. Some might be at the low end, where only the security function is concerned with governance and the rest of the company doesn’t acknowledge its presence. Others might be at the higher end, where governance helps shape the entire organization, its culture, its decisions and the way business is conducted. Most organizations probably fall somewhere in the middle. They see potential in governance for guidance and to help reassure the business, enabling them to face risks head on and prosper despite them.
Regardless of where one is on the maturity spectrum, good security governance is difficult to achieve. Organizations are dynamic entities, trying to survive in an uncertain and unpredictable world, with many conflicting tactical and strategic priorities. It’s also challenging for security practitioners to take governance to a state where it can evolve easily.
This is where “engaged governance” comes in. Engaged governance is a proactive and continuous effort to align security to business strategy. This means security practitioners must do the following:
- Make a regular effort to understand how the organization works — its evolving goals, mission, purpose, and values.
- Collaborate with stakeholders.
- Draw up plans and policies that serve the broader strategy.
- Deploy programs that embed appropriate secure behaviours.
Principles for building engaged governance
Six core components can help nurture and develop maturity in a security governance program.