Implementing a Security Governance Program to Mitigate Risk through Communication
For years, critical security decisions have been made by lower-level employees across all industries, and this has typically been regarded as an accepted and even good practice. These lower-level employees act in accordance with the general practices of the company, based on larger goals set by the big decision makers at the executive level. While the executive level bases those decisions on large-scale strategy, the implementation is often decided by someone with little to no contact with that upper level of strategic thought. And while this model continues to be used in companies throughout the business world, it is increasingly challenged by the regular attacks businesses suffer against both their IT infrastructure and their industrial operations.
A central problem in this model is how information is communicated to the executive level. When the C-level is briefed on security, those briefings tend to depict an environment that is fully under control and relatively risk free. However, as any company that has suffered an attack can attest, this is pretty far from the truth. This sanitization of information going up to the C-level means that the guidance coming down from those executives is often based on an incomplete picture, putting the company in a position of weakness and increased risk.
Organizations need to understand that we cannot live in a bubble of perfection. The entire process of communication becomes dysfunctional if lower-level leaders aren’t providing accurate information. In these cases, the question becomes who is responsible for the organization’s actual risk. Is it appropriate for someone who is not a stakeholder, such as a lower-level leader, to hold that risk, or should an executive step in to ensure that it is being properly handled? These questions of risk ownership plague IT environments as well as loss prevention and asset protection. As the security environment becomes more complex with the convergence of IT, operations, finance, and compliance under a governance program, policies and procedures need to be put in place to ensure that a process is followed by everyone in the organization, and that communications on security are not sanitized but properly convey the levels of risk the organization faces.
Organizations with strong security governance procedures work to align all areas of their business, allowing them to understand and control who actually holds the risk in the corporation. It’s simply no longer feasible to give non-stakeholders control of decision making, since these employees are not in a position to either accept or defer risk. In the past, lower-level decision makers have occasionally masked issues to ensure that they can show progress and give a sense of perfection or control to the C-suite. The executives then don’t know anything they aren’t told, and those CIOs and CEOs who have chosen to let this continue have found themselves being let go after a major security incident. In a company with a strong security governance program in place, such masking is no longer possible, and these employees no longer hold the risk themselves.
The actual implementation of the governance program is an excellent time to establish what communications need to occur, and to begin providing guidance on how risk should be held throughout the company. To implement this, an organization first needs to develop a clear understanding of what levels of risk it is willing to accept across the enterprise, and which decision makers should accept that risk. Next, the organization needs to create appropriate policies and procedures to define what level of risk it is willing to have lower-level decision makers handle. The organization then needs to define a clear communication process that allows every decision exceeding the risk level of a lower-level employee to be properly presented to the C-level. Finally, the organization needs to develop policies to ensure that all risks presented to the board are presented without any masking, prejudice, or disguise.
Lower-level decision makers need to know which risks they can make decisions on, and which decisions need the involvement of a primary stakeholder. Metaphorically, these employees need to know the speed limit of the road their particular line of business travels on, and if something requires them to go past that speed limit, they need to know who to talk to about it. They need to be trusted within that speed limit, and to know that if they go beyond it on their own, they are putting their jobs on the line. Similarly, executives can have guidance on which situations and decisions they need to be involved in, allowing them to take part in the security decisions that impact the company most without getting bogged down in minor details. Through proper implementation of a governance program, the full communication of risk will greatly strengthen a company’s overall security efforts.