The Governance Bandwagon – Part 2
As I said in my previous blog entry, information security governance has provided a revolutionary new approach to information security and, in particular, information security management. The governance approach has been one of the main causes for the field of information security moving from what Donn Parker once called a “folk art” to a profession that is becoming increasingly influential and respected. At the same time, however, information security governance is by no means a panacea. There are a number of inherent limitations to this approach that need to be understood if it is to be used wisely and productively in different situations and settings.
First, information security governance does not work so well if overall corporate governance is lacking, because information security governance must by its very nature be a part of overall corporate governance. For example, creating ways to show the value of information security to a business does not really make sense if there is no corresponding corporate goal. An information security professional can develop appropriate metrics and show gains from one quarter to the next, but the effort and results are likely to fall on unappreciative ears within senior management circles. Similarly, efforts to bridge gaps between various functions within an organization are not likely to be supported and appreciated if integrating corporate functions is not a corporate governance goal. Studies by the IT Governance Institute show that most organizations do not have good governance frameworks in place; the unfortunate fallout for information security practices is that governance efforts within them are likely to be limited in success because there is little or no governance at the corporate level.
Another hurdle to achieving desired levels of information security governance is the fact that the reporting line for so many information security functions is within IT organizations, often under the CIO’s office. Unfortunately, the IT arena is one of the most difficult areas in which to establish even modest levels of governance, due to the ever-changing nature of technology, crippling internal politics that affect even the simplest of technical decisions, and the fact that hardware and software so often fail or produce business process interruptions. If IT organizations cannot achieve suitable levels of governance, it is extremely unlikely that information security functions within the IT arena can.
A final consideration is the fact that getting an effective information security governance effort going requires considerable effort and resources. A certain level of momentum is necessary to jump-start an information security governance effort because many of the foundational activities (e.g., developing a strategic plan that is aligned with business goals and drivers) are by their nature complex and effort-intensive. Senior management may be receptive to the information security governance approach, but if sufficient effort and resources are not available, even the most brilliant and experienced information security manager may not be able to gain enough momentum to sufficiently propel the program ahead.
The bottom line, therefore, is that like everything else, information security governance should not be viewed as an easy and certain path to success. Strong limiting factors that are ever present must be considered, and the strategy one uses to try to achieve agreed-upon goals almost always needs to be custom-tailored to each organization and its particular business and operational needs. In some cases information security governance will amount to little more than an ideal but never-to-be-achieved state for an information security program. Fortunately, however, in many cases achieving desired levels of governance is feasible. And the good news is that a growing proportion of organizations is becoming increasingly successful in their endeavor to achieve this goal.