
Implementing a Security Governance Program to Mitigate Risk through Communication

Issues or misinterpretations during communications can be security threats. Governance has potential to alleviate these risks.

November 19, 2015 TechDecisions Staff Leave a Comment

For years, critical security decisions have been made by lower-level employees across all industries, and this has typically been regarded as an accepted and even good practice. These lower-level employees act in accordance with the general practices of the company, based on larger goals set by the key decision makers at the executive level. While the executive level bases these decisions on large-scale strategies, the implementation is often decided by someone with little to no contact with that upper level of strategic thought. And while this model continues to be used in companies throughout the business world, it is increasingly challenged by the regular attacks suffered by businesses, against both IT infrastructure and industrial operations.

Pierre Bourgeix is the VP of Business Development for SecureState. Bourgeix has years of experience within the physical security arena and has been involved in developing security governance programs. Matt Neely is SecureState’s Director of Strategic Initiatives. His areas of expertise are research and innovation, as well as profiling.

A central problem in this model is how information is communicated to the executive level. When the C level is briefed on security, those briefings tend to depict an environment that is fully under control and relatively risk free. However, as any company that has suffered an attack can attest, this is pretty far from the truth. This sanitization of information going up to the C level means that the guidance coming down from those executives is often based on an incomplete picture, putting the company in a position of weakness and increased risk.

Organizations need to understand that we cannot live in a bubble of perfection. The entire process of communication becomes dysfunctional if low-level leaders aren’t providing accurate information. In these cases, the question becomes who is responsible for the organization’s actual risk. Is it appropriate for someone who is not a stakeholder, e.g., the low-level leader, to hold that risk, or should an executive step in to ensure that it is being properly handled? These questions of risk ownership plague IT environments as well as loss prevention and asset protection. As the security environment becomes more complex with the convergence of IT, operations, finance, and compliance under a governance program, policies and procedures need to be put in place to ensure that a process is followed by everyone in the organization, and that communications on security are not sanitized but properly convey the levels of risk the organization faces.

Organizations with strong security governance procedures work to align all areas of their business, allowing them to understand and control who actually holds the risk in the corporation. It is simply no longer feasible to give non-stakeholders control in decision making, since these employees are not in a position to either accept or defer risk. In the past, low-level decision makers have occasionally masked issues to ensure that they can show progress and give a sense of perfection or control to the C suite. The executives then know only what they are told, and those CIOs and CEOs who have chosen to let this continue have found themselves let go after a major security incident. In a company with a strong security governance program established, such masking is no longer possible, and these employees no longer hold the risk themselves.

The actual implementation of the governance program is an excellent time to establish what communications need to occur, and to begin providing guidance on how risk should be held throughout the company. To implement this, an organization first needs to develop a clear understanding of what levels of risk it is willing to accept across the enterprise, and which decision makers should accept that risk. Next, the organization needs to create appropriate policies and procedures to define what level of risk it is willing to have lower-level decision makers handle. The organization then needs to define a clear process of communication that allows every decision exceeding a lower-level employee’s risk threshold to be properly presented to the C level. Finally, the organization needs to develop policies to ensure that all risks presented to the board are presented without any masking, prejudice, or disguise.

Lower-level decision makers need to know which risks they can make decisions on, and which decisions need the involvement of a primary stakeholder. Metaphorically, these employees need to know the speed limit of the road their particular line of business travels on, and if something requires them to go past that speed limit, they need to know who to talk to about it. They also need to be trusted within that speed limit, and to know that if they go beyond it on their own, they are putting their jobs on the line. Similarly, executives can have guidance on which situations and decisions they need to be involved in, allowing them to take part in the security decisions that impact the company most without getting bogged down in minor details. Through proper implementation of a governance program, the full communication of risk will greatly strengthen a company’s overall security efforts.

Tagged With: Corporate, Emergency Management, Mass Notification, Policy
