The interaction between corporate governance and information security governance is hitherto unknown to most organizational managers and information security experts. Consequently, vital information-security governance concepts should be communicated to corporate-governance ranks by ensuring that each organization has an information security policy that is well defined and understood by all stakeholders. This information-security policy should include a statement of an organization’s key business-drivers, its legal frameworks, the profile of its impending threats, and the regulatory policies that apply to it (Veiga & Eloff, 2007).
All these factors are pertinent to corporate governance, and packaging information-security governance as such reconciles the two departments. For example, most boards of directors are governed by a set of outlined policies. Lack of a well-defined information-security policy might mean that a board of directors is exempt from this responsibility. It is up to an organization to ensure that its security program, which includes standards, policies, firewalls, and security personnel, among others, are well represented within all management ranks.
Currently, most organizations tend to confine their security programs to the administration of small teams. Seamless integration of corporate and information-security governance has only been achieved in a few organizations, most notably leading tech companies such as Apple, Facebook, and Amazon, among others. The main point-of-reference, when incorporating information-security governance concepts into corporate governance, is to ensure that security policies are distributed within the whole organization and responsibility is shared equally (Whitman & Mattord, 2011).
The committee structure in information-security governance serves the purpose of bringing all the stakeholders together. In most modern organizations, information-security committees are made up of the Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Security Officer, representatives from the human resource department, and a public relations officer, among others. One advantage of using a committee structure is that it serves as “an effective communication channel for management’s aims and directions and provides an ongoing basis for ensuring alignment of the security program with organizational objectives” (Williams, 2001, p. 32).
In addition, a security committee acts as an educational platform for all the major stakeholders who sit in the committee. For example, the Chief Information Officer who sits on the committee passes vital information to the human resource officer in the same circle. One challenge of having a committee structure is that this model utilizes a significant amount of resources. Furthermore, without a clearly laid out structure, it is almost impossible for a committee to achieve its goals.
Information security managers are bound by regulatory policies that apply to various jurisdictions and organizations. Expectations of regulatory agencies range from “having an understanding to acceptable and unacceptable employee behaviors in the workplace, adherence to organizational laws, respect to judicial practices, and observance of sanctions, among other practices” (Foxman & Kilcoyne, 2003, p. 108).
Information security managers can keep up with the expectations of regulatory agencies by ensuring they practice effective information-dissemination methods. For example, the information breach that occurred at Target a few years ago could have been detected by lower-level employees if they had the right information. Another method of ensuring compliance is to ensure that information security managers conduct regular reviews of their policies in accordance with the current regulatory policies. In addition, it is important for information security managers to make sure that changes in policy are conducted in a uniform manner. Consequently, information-security governance must mimic the anatomy of corporate governance, where changes are systematically conducted throughout the entire organization.
Internal governance committees can ensure that the findings of audits and regulatory examinations are corrected by involving executives and business leaders in this process. For example, it is difficult for an information-security expert to get the right buy-in if the executives who are supposed to sign off on it are not convinced of its suitability (Whitman & Mattord, 2011). The committees should also be liaisons between information-security agendas and corporate governance.
It is important to note that unlike in corporate governance, titles and individual contribution is not of utmost relevance. For example, the mitigation of a certain risk in a financial institution can be in the hands of a junior technician even though a security breach is reflective of the organization’s CEO. In addition, before any data leaves the committee’s table, it should be broken down in a manner that reflects the knowledge levels of its intended audience. For instance, it might not be effective to send a similar-worded memo to both the Information Technology Department and the Sales Department.
The information security manager acts as the central point of contact in the liaisons between internal and external governance functions by making sure that there is “a strategic alignment of information security in support of organizational objectives” (Whitman & Mattord, 2011, p. 23). Another contribution of the information security manager is to be actively involved in the mitigation of active and inactive risks. For instance, in an organization such as a news agency (CNN and BBC, among others), information becomes an asset that is subject to both internal and external threats.
A security manager protects the interests of both the corporate and information-security managers by mitigating these risks. In addition, security managers are involved in resource mobilization, thereby engaging in both internal and external governance functions. The role of performance measurement also falls in the domain of the information security manager. Performance measurement ensures that the goals of an organization are achieved through active monitoring, measuring, and reporting on information-security functions.
References
Foxman, E. R., & Kilcoyne, P. (2003). Information technology, marketing practice, and consumer privacy: Ethical issues. Journal of Public Policy & Marketing, 4(2) 106-119.
Veiga, A. D., & Eloff, J. H. (2007). An information security governance framework. Information Systems Management, 24(4), 361-372.
Whitman, M., & Mattord, H. (2011). Roadmap to information security: For IT and Infosec managers. New York, NY: Cengage Learning.
Williams, P. (2001). Information security governance. Information Security Technical Report, 6(3), 60-70.