Information Security Governance
The ultimate guide to Information Security Governance and Culture.
Over the past few years Information Security Governance and Information Security Culture have become popular aspects of Organizational Information Security. With the increasing complexity of IT infrastructures in organizations, and the increasing information warfare on the Internet, many organizations find that traditional approaches to Information Security management are no longer working. We agree with other security governance professionals that by improving an organization's security culture, and by establishing the proper security governance processes, most organizations will be able to achieve excellent and highly cost-effective Information Security. However, to be successful in this endeavor, management will need to carefully examine, and be extremely critical about, what is currently found in the literature (and on the Internet) regarding these relatively new concepts of security culture and security governance.
This web site aims to challenge your beliefs on what good information security is and, in particular, your beliefs on how to choose the right security management and security governance structures and processes for your organization. To improve the cost-effectiveness of your organization's information security you will need to encourage innovation and creativity in your strategizing and decision making to be able to adapt your security posture to your organization's goals and needs.
Most of the security governance discussed in this section aims to ensure that you understand the importance of establishing enterprise-wide security governance to assist in the development of a culture of flexible, decentralized decision making that can cope with the current dynamic and rapidly changing security environment. A separate section on Corporate Security Governance discusses how corporate governance can ensure that proper governance processes are introduced at the enterprise level and below. You can use the top menu to reach our other sections, each aiming to address some of the issues that you need to understand about information security, security management and information security culture in order to be innovative in your information security approach.
Creating a flexible dynamic security posture
Our approach to bringing information security and security governance into the 21st century has been informed by our extensive research in security culture over the past decade. This research, documented in the security culture section of this website, shows that one of the most important aspects of a good security culture is related to the way an organization evaluates the basis of truth and rationality of the different beliefs of both their employees and their management about information security. To improve your security, you will have to understand the basis of truth of the different assumptions underlying the standards and other guidelines used to underpin the organization's approach to information security.
Most organizations are still basing their information security on the old ISO/IEC 17799 security standard that was developed several decades ago, and are struggling to cope with the increase in threats and vulnerabilities not addressed by current security standards. While there is a new ISO/IEC 27000 series of security standards, they are not much more advanced. ISO/IEC 27001 adds a security policy life-cycle approach to your security management, in the hope that a more mature information security management will lead to better information security. However, in the current rapidly changing information security environment, just implementing state-of-the-art security is no longer adequate. Standards work well in a more static environment, but in this dynamic security environment you will have to be innovative in your security management approach, and go beyond what standards prescribe. Sometimes you will also have to ignore what these standards suggest and adjust your information security to the latest developments in security research.
More importantly, in a dynamic environment organizations will need to implement decentralized decision making to ensure the necessary flexibility and adaptability of their security posture. In such an environment of decentralized decision making it becomes extremely important to implement the right security governance structures and practices to ensure that consistently good decisions are being made.
On this web site, we make a clear distinction between corporate security governance and (enterprise level) security governance. By corporate security governance we mean governance at board level; the main responsibility of corporate security governance is to ensure that appropriate security governance is promoted and controlled at the enterprise level and below. Unfortunately, most current information and academic papers on security governance at the enterprise level promote a centralized decision making model based on a risk management approach to security that is, in our experience, ineffective and old-fashioned 20th century thinking. To support a dynamic, flexible security posture based on decentralized decision making, we promote an innovative enterprise-wide security governance approach where security objectives and strategies are the main focus instead of security risks and controls.
We have put up the first version of our security governance and security culture pages and put up several pages in the resources section. At the moment we are working on the security management section. In the months to come we will extend this web site with information aimed at providing you with new ideas on how to improve your security governance and culture and reduce the cost of higher levels of information security, in particular the maintenance of information security. In the meantime, if you are waiting impatiently, why not have a look at my academic papers on security governance and strategic context, which will give you a taste of what is to come.