Successfully implementing an information security program in any organization can be one of the most complex undertakings in business today. As a security professional, it is your job to find ways to protect company assets, reputation, and data, while avoiding any adverse operational impact to the day to day business.
We’ve all heard or said this one a million times by now: "Align the security program with the business."
That’s a balancing act that requires a very careful approach and significant involvement from a wide array of stakeholders in order to successfully implement. Couple that with the need for adequate funding, staffing, and organizational support, and what comes out the other end is the state of most information security programs today.
That state varies very widely in maturity and success between industry verticals and from one organization to another. In all the complexity and diversity of programs one of the few consistencies that leads to success is proper governance and committee involvement. Before designing a committee approach, consider these three ideas.
Include the right stakeholders
The initial tendency when building a committee roster may be to invite those you think are strong supporters of the program, champions of information security, or leaders with whom you have well-built relationships.
These are all good ideas; however, it’s extremely important to step out of your comfort zone here and bring in some of the potential or confirmed resisters as well. One of the worst possible scenarios for a security program is to get governance support and approval after months of research, analysis, and preparation, only to have it blown up by a single resister with enough influence to do so.
Instead, get those people in the room and let their voice be heard early and often. If they are not strong champions of security, it’s just as important for them to believe they have a voice as it is for the rest of the governance group to understand what the program is up against. Design a committee team that challenges each other and the program regularly.
Timing is key
The frequency of security governance is critical and getting it right can be difficult. I tend to believe frequency relies heavily on the maturity of the program and the current state of the organization. Newer programs pushing significant change should be meeting with their governance committees much more frequently in order to limit surprises and capitalize on broad senior leadership involvement.
Annual meetings are not nearly frequent enough, and twice per month is likely far too often for most organizations. Each program has a frequency of meetings that is just right for the business and the program, but the rule of thumb should be no less than quarterly.
One approach I’ve found very successful is to hold bi-monthly executive committee meetings and host your sub-committees on the off months. This gives you the opportunity to take all sub-committee feedback and direction to your executive committee for awareness and approval.
Speaking of subcommittees, make sure you have a few of these. If you design your executive security committee correctly, you’ll soon find out they are not the audience for all things information security. There are isolated issues that might not have the pizzazz to make it to your executive committee, but require some level of governance.
This is what subcommittee and issue-based committees are for. There is no harm in building several of these as long as your crossover in membership isn’t significant. Key stakeholders are busy and attending three to four committee meetings on security per month is not a good use of their time.
Let the committee do their job
The responsibilities of a governance committee include setting the program direction, making recommendations, reviewing and approving changes, and providing guidance that can help the security program navigate complex organizational challenges. What they are not gathering to do is sit around listening to an update on the program for an hour, nodding their heads in approval before leaving after a few “good jobs."
Get them involved early and often in your presentations. There’s no harm in adding informational items to the agenda; however, find a way to incorporate engagement from the committee into those topics as well. If you’re providing an update on the effectiveness of your awareness program and reduced phishing simulation failures, ask them what they think the program can do moving forward to even further penetrate the culture of the business through awareness efforts.
Get your committee to feel personally invested in the program. They should all feel a sense of involvement and pride in the program success, and a dissatisfaction and responsibility in its failures. Ask yourself if the members of your committee would feel these things about your program. If not, you either have the wrong members or aren’t providing them enough opportunity to help set the direction.
Regardless of how you build your committee, having governance oversight within your program is critical for success. The decision for major changes in the state of security at any business should not happen in a vacuum. Doing so puts operations, projects, and morale at risk.
Instead, create a direction for the program based off of a combination of the team’s subject matter expertise and executive governance guidance and support. The results will be more thoughtful approaches to maturing the security posture of your business and far less resistance when it happens.
Most importantly, the business will own information security – not just the program.
Dan Costantino is the Chief Information Security Officer of Penn Medicine.