Corporate Security Governance
The role of Corporate Governance in Information Security Governance.
The term "security governance" is currently used mostly to mean corporate security governance, and many papers have been written about corporate security governance over the last few years. However, security governance within organizations should not be restricted to the corporate level. Just as IT governance has expanded over the last decade to all levels of the organization, good security governance matters far more at the middle-management level than the literature has so far acknowledged.
While we welcome the growing importance of corporate security governance, we would like to stress that current research in corporate security governance is still underdeveloped. Our research in this area concentrates on what we believe is the biggest problem in corporate governance: the lack of understanding of, and attention to, the role of corporate security culture in coping with the growing complexity of information security.
What we would most urgently like to see in corporate governance is more effort in identifying how the organization's security culture needs to be improved and aligned with the organization's general organizational culture. A good start in most organizations would be to ensure that the security culture is not dominated by compliance with security standards. As discussed in our section on Orientation and Focus, developing a security culture based on awareness of the organization's internal security environment is crucial to achieving an adequate and cost-effective approach to information security. An organization that does not identify and document its security breaches, and does not use that information to identify and document its critical information security threats and vulnerabilities, will never achieve an adequate response to the rapidly changing risks in its business environment.
At the same time, organizations will need to develop better security governance at all levels of the organization. Security in the 21st century requires in-depth management processes that must be continually refined, revised and monitored in order to keep up with evolving business strategies and dynamically changing environments. Much as IT governance evolved in the 20th century, security governance needs to become ingrained in security management to ensure that better decision making takes place at both the security-management and end-user levels.