Enterprise level Security Governance

The problem with centralized decision making in enterprise security planning.

Security governance at the board level, what we call corporate security governance, needs to ensure that proper governance processes are introduced at the enterprise level and below. What these processes are depends on whether the organization uses a centralized or a decentralized security management approach. Unfortunately, current white papers on security governance generally make no distinction between governance at the board level and at the enterprise level. Furthermore, these papers often implicitly assume a centralized approach and therefore ignore governance issues at the business unit level and within business units.

It is not surprising that most papers on security governance assume a centralized approach and emphasize the need to develop a security plan at the enterprise level. Most large organizations still use a centralized approach to security, where meta-policies and other security controls are identified at the enterprise level and communicated to the business units. This is often called enterprise security planning and is, in our view, one of the major reasons for the current crisis in information security. Most current security standards promote a similarly expensive, monolithic approach to information security and try to manage this centralized approach through a life-cycle model.

In the current dynamic security environment a more decentralized approach to security decision making is needed, but little guidance on implementing such a decentralized approach can be found in the literature. The old-fashioned centralized security approach is relatively simple to manage: it needs almost no security governance at the enterprise and business unit level, as most decisions are made at the enterprise level. In the current dynamic security environment, however, this centralized approach has several major drawbacks. Centralized decision making reduces the flexibility and adaptability of an organization's security posture, making it difficult for the organization to respond to changes in its security environment. A decentralized approach, on the other hand, needs good security governance at all levels of the organization.

The lack of input from people at the coal face in the current predominantly centralized security planning has stifled innovation in information security. While the IT infrastructure in organizations has changed dramatically over the past decade, the security approach found in most organizations is really not that much different from the approach promoted in last century's security standards. More importantly, in centralized enterprise security planning the same employees or committee that decide on security infrastructure and applications also decide on business objectives and security strategies, hence there is no need to communicate those objectives and strategies to the rest of the organization. Our experience is that, as a result, the attitude often seems to be that there is no need to think about objectives and strategies at all: time is simply too expensive, isn't it? The organization's security culture has now become a culture of compliance: at the coal face, compliance becomes more important than improving security.

Smaller organizations will, of course, leave most decisions on security to those (IT) employees directly responsible for the implementation of security controls, and current security governance guidelines are therefore simply not relevant to them. That does not mean that those organizations would not benefit from some guidance from top management on objectives and strategies, but relevant advice is currently difficult to find in the literature on security governance. This web site hopes to change that.

Organizations that would like to support a flexible, decentralized decision making model will need to develop the necessary enterprise level security governance structures and processes to ensure that adequate security objectives and security strategies are developed and communicated to those employees and/or committees involved in decisions on security infrastructure and security application selection. This, in itself, already involves a lot of innovation. Here is where we can provide you with assistance. Current security standards, for instance, do not provide any real guidance on prioritizing security projects. Your enterprise security management committee will have to develop new priority guidelines for your organization, as well as guidelines for identifying the criticality of business processes and assets.
