
Information Security Governance – Part 1

According to the Information Systems Audit and Control Association (ISACA), “Information Security Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.” The last half decade or so has been characterized by an increased emphasis on governance within information security. Information security governance is not exactly a new concept. It has its roots in 1990s bodies such as the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which was formed to pioneer principles and practices related to internal control in organizations. Control, especially management control, is the most essential component of governance; without it, fraud, waste and abuse abound. Catastrophic events at Enron, WorldCom and Hewlett-Packard in recent years provide almost too perfect examples of what happens when management control within an organization is lacking. The same can and does happen when there is a lack of information security governance, which is a critical part of overall corporate governance. As a case in point, look at what happened at ChoicePoint, LexisNexis, CardSystems Solutions, the US Veterans Administration, the University of California at Berkeley, TJX, Her Majesty’s Revenue and Customs, and other organizations, all of which lacked a suitable information security governance framework before or at the time their massive data security breaches occurred.

The governance bandwagon in information security is already making a huge difference in how information security professionals approach their jobs. The emphasis has moved away from a primarily technical approach (although security technology very much remains an integral part of a successful approach to security) toward a business-oriented one. The importance of understanding corporate business goals and aligning one’s security strategy with them is now thoroughly ingrained in the minds of the vast majority of chief information security officers (CISOs). The necessity of delivering business value through security risk management is also now widely recognized. Perhaps not surprisingly, the term “information security” itself is increasingly being replaced by “information security governance.” Security for security’s sake is now to be eschewed.

Does the governance approach work? Unfortunately, not much empirical information is currently available. Interestingly, several research studies indicate that corporate governance is linked to profitability. Studies that focus specifically on information security governance are, on the other hand, even scarcer. As mentioned previously, negative examples in which failures in governance are ostensibly linked to massive data security breaches provide at least anecdotal, but poignant, indications of the critical importance of information security governance. Additionally, as information security professionals have learned to adopt more of a business perspective, the percentage of CISOs who report to the chief executive officer has, according to a recent study by PricewaterhouseCoopers, risen to 21 percent. This finding is potentially significant because CISOs are increasingly being appointed to C-level positions, quite possibly because they are increasingly thinking and communicating the way senior managers do instead of in technical jargon and stereotypical information security platitudes. Despite all these interesting possible indications, however, all that can safely be concluded is that we do not know for certain whether the governance approach works, beyond the anecdotal evidence from case studies. At the same time, the information security governance approach continues to grow in popularity, and ISACA now even offers professional certifications in this area. Governance and information security governance are thus two constructs that are likely to persist for the foreseeable future, and in so doing they will continue to exert a pervasive influence on the practice of information security.
