As with most business matters, the key is understanding how the process affects "the bottom line" for the company, and how a loss or disruption of this process could affect the organization as a whole. Similarly, the executive level will also want to understand what protocols are already in place to ensure the continuity of operations for the processes and for the organization as a whole.
With this full understanding and prioritization of processes complete, the final issue the executive level needs to examine when moving to a Security Governance model is the current level of electronic security in place. The key factor for evaluating these systems is determining whether they are sufficient and appropriate for mitigating the actual risks the organization faces. Determining the actual risks may require a full risk assessment, but the results of such work will greatly increase the effectiveness of any security program.
The temptation with all of this work is to go too deep in answering the critical questions. The executive level needs to keep its attention on the bigger picture: mitigating the risks faced by the organization overall through the use of the Security Governance model. Keeping this goal in view while determining the best ways to leverage the people, processes, and technology available will help ensure the successful implementation of Security Governance.
Breaking Down the Silos
The goal of a Security Governance program is the full utilization of every security resource within a company to build security into every process. When this is successful, the end result is that security works to break down the silos that often develop at companies between departments and processes. This type of communication and collaboration is often an explicit goal for organizations, and Security Governance can make it happen.
Matt Neely is SecureState's Director of Strategic Initiatives. His areas of expertise are rich in the fields of research and innovation, as well as profiling. His in-depth knowledge of wireless and physical security, as well as new technology and incident response, makes him one of the best in the country in information security.
For example, consider how an organization with a full Security Governance program in place would respond to a potentially unstable employee, as identified by another employee. First, the identifying person could talk to HR, voicing his or her concerns over the matter. HR, recognizing the potential threat to the company, utilizes the Governance program to talk to the Security Director. As the person who oversees the entire program, the Security Director works to update the physical security of the organization, placing alerts on all systems using facial recognition technology to track the potentially unstable employee. The Security Director can then work with personnel across the company to advise on potential actions in the event of an incident, and can foster communication across the company as needed. Any departments or processes that are particularly sensitive for the continued operation of the company can have special added security measures as deemed appropriate.
The advantage of this type of approach should be fairly obvious. Not only are lines for communication established and kept open, but the hypothetical company is also taking a proactive approach to a potential event, as opposed to a reactive approach. This increases the likelihood of stopping an event before it happens, minimizing the potential impact to the organization before any event occurs, instead of waiting to clean up the damage until after it occurs.
Conclusion
Moving to a full Security Governance model requires the leadership of the executive team at all stages of the process. From obtaining the information needed to establish the program, to providing the decisions that will structure the entire effort, the executive team needs to lead the effort and be as involved as possible.
The key place to begin this kind of transformation is with an enterprise-wide risk assessment. If a governance program is already in place, regularly scheduled security governance reviews can help ensure that the proper people, processes, and technology are being utilized to ensure the most protection while also helping tune the program for new risks that may have arisen.
A well-implemented Security Governance program can foster communication across an organization while also improving the organization's security posture. Through effective leadership, the executive team at an organization can ensure the program continues to offer significant benefits for the company.