Organizations are becoming increasingly aware that if they fail to implement successful security management processes, it could expose them to untenable risk.
The corporate information security steering committee has become an important tool in the quest for a coordinated corporate security strategy: for reducing duplication in security spending, for taking control of complex infrastructures and, ultimately, for reducing security risk.
One of the first steps for many organizations has been to set up a common security team and to embark on enterprise-wide information security programs. However, many of these teams have struggled to align corporate business objectives with strategic security investment.
META Group's research indicates that the majority of new security teams struggle to define and establish their corporate missions, scope, influence and power bases. Furthermore, these security teams have poorly defined executive charters and operate without effective communications plans. The unfortunate result of such poor grounding is the temptation for newly established teams to immerse themselves in technology quests, searching for elusive enterprise-wide technical solutions.
In contrast, the most effective security organizations are those with clear responsibilities and well-defined processes, based upon six primary organizational roles:
- Leadership - the role of the chief information security officer, who is responsible both for the day-to-day management of the security team and for continuous communication of the importance and value of security measures.
- Analysis/design - security analysts who help information owners develop meaningful security policy as well as effective security solutions.
- Security administration - the people who look after the day-to-day administration of access rights, passwords, etc.
- Security operations - resources that continuously monitor the security status of the organization, and manage incident response procedures.
- Awareness communication - resources that design and manage ongoing security awareness and training programs.
- Executive custody and governance - represented by an information security committee.
The role of the corporate security steering committee is to coordinate corporate security initiatives at the executive level and thus enable an organization to optimize spending, manage its infrastructure and minimize security risk. Obtaining consensus and support for corporate-wide security initiatives is especially difficult in highly decentralized and multinational organizations with a high level of devolved authority and autonomy. In this type of organization, an executive governance body becomes essential.
Corporate information security steering committees (CISSC) must have a clear charter with a range of functions that should include:
- Managing the development and executive acceptance of an enterprise security charter.
- Assessing and accepting corporate-wide security policy (e.g., the corporate policy on security incident response, general behavioral policy). A major objective of this function is ensuring that business requirements are reflected in the security policy, thus ensuring that the policy enables rather than restricts business operations.
- Assessing any requests for policy exceptions from individual business units.
- Assessing, accepting, and sponsoring corporate-wide security investment (e.g., identity infrastructure deployment, remote access infrastructure), as well as requests to be excluded from common investment.
- Providing a forum for discussion and arbitration of any disputes or disagreements regarding common policy or investment issues.
- Acting as custodian and governance body of the enterprise security program by ensuring visible executive support, as well as monitoring progress and achievements. The role of a permanent governance structure reinforces the message that enterprise security becomes an ongoing, long-term initiative.
- Assessing and approving the outsourcing of common security services, as well as coordinating investment in appropriate relationship management resources. As the lack of skilled resources increases the need to outsource operational services, executive due diligence, risk assessment, and ongoing effectiveness assessment must be coordinated through the steering committee.
- Initiating ad hoc projects to investigate the advantages, disadvantages, risks, and cost of common security initiatives, with each project reporting back to the committee with appropriate recommendations.
- Representing the executive (board of directors) or its nominated information governance body (e.g., an information executive board) in all corporate security matters. Reporting back to these forums on the activities and effectiveness of corporate security programs and investments.
- Acting as custodian of corporate-wide strategic security processes (e.g., role analysis, data classification) by validating process ownership, responsibilities, and stakeholders.
- Acting as respondent to enterprise-level audit exceptions (i.e., those audit exceptions where a specific individual cannot be found to be responsible).
- Coordinating and validating any external, security-related corporate communications plans and activities (e.g., in the event of a high-profile, publicized security breach).
- Tracking major line-of-business IT initiatives to identify opportunities for synergy or to leverage security investment.
- Governing trust relationships with major e-business partners.
It is very important that steering committee members are able to make decisions at meetings. This requires either the active participation of senior executive business managers or that the committee be a permanent subcommittee of an executive information board. To prevent the committee from becoming an ineffective 'debating society' or a forum for driving political agendas, the scope, powers and objectives of the committee should be clearly documented and its performance against them measured.
Typical members of an information security steering committee include: line of business managers, application owners, regional managers, IT managers, the IT director, the chief security officer, the corporate risk manager and the chief internal auditor. A clear distinction must be made between the role of the CISSC (i.e., executive custody and governance) and the leadership role (i.e., day-to-day management of the security team) of the chief information security officer.
By developing the emerging role of the chief security officer (CSO) and the security team, enterprises can foster a holistic approach to information security - one that recognizes that policy, process, and communication are as important as technology.
Tom Scholtz is vice president, META Group. (www.metagroup.com)