Corporate security governance goals and objectives
Developing the right corporate security governance goals.
As we discussed in our section on corporate governance, the main goal of corporate security governance should be to develop a dynamic and flexible security posture by developing the right security governance processes and structures at the enterprise level and below. The question now is "how do we develop proper security governance for our organization?" The best guidelines on security governance development I could find are from CERT, and they are so extensive and ambiguous that I can almost guarantee that your next question will be "Where do I start?" It is that question that we will try to address in this page on security governance goals and objectives. We propose an agile approach to developing your information security.
Information security is closely interlinked with IT governance, and as a result you will find distinct security goals and objectives in IT governance as well, in particular in relation to system and network architecture. Reducing the complexity of IT infrastructure and designing business processes, IT architectures and information systems with security in mind are just as important for Information Security as the organisation's security posture. However, in the current context of security governance we will concentrate on the goals and objectives related to direct security governance only.
Institutionalizing Security Governance
The first step in understanding security governance is identifying the need to establish a corporate governance structure for institutionalizing security governance within all levels of the organization. Institutionalizing security governance is a long-term process and will be different for every organization. For the moment, we don't really mind which general institutionalization framework you adopt to achieve this goal. If your organization does not use one already, you can find several in the extensive literature on organizational development and change management.
We do believe, however, that it is important that you understand how your organization should develop and operationalize its strategies in Information Security. We have, therefore, developed a strategic security context model to replace the conventional risk and control approach. We discuss the importance of developing your organization's security strategic context on a separate page. For now, we would like to emphasize that institutionalizing Security Governance will need to be a slow process of organizational learning, so be prepared to take a step backwards when your understanding grows.
One important aspect of security governance that, in our view, will be crucial for the success of any security governance institutionalization program is the effort you put in to ensure that the employees responsible for the different aspects of information security will feel ownership. Hence, this will be the first objective that we would like you to concentrate on. Just giving someone a responsibility, as commonly happens in security policies, is only the first step in ensuring they feel responsible. They will not take up this ownership without extensive follow-up in such areas as adjusting their job description, training, involvement in objectives and strategy development, etc.
One problem to look out for, in particular, is how you handle accountability. With responsibility comes accountability, and enforcing that accountability is normally done through a feedback loop with someone at a higher level in the security hierarchy. However, you should be careful that this does not end up in an exercise where every decision is validated. Acknowledging ownership in this feedback loop is crucial, as all too often we have found that this feedback loop becomes so frequent that decision making is effectively done at the higher level, negating any ownership at the lower level.
Establishing a security culture
Most papers on security governance will give a useful (but not necessarily complete) definition of security culture, but few give it the importance it needs or define how you can establish a good security culture. Unfortunately, most papers on security culture itself will lead you in the wrong direction by equating security culture with security awareness. This can lead to a costly mistake when you invest in expensive awareness training to enforce the wrong security culture. Information security culture is much more than security awareness, and establishing a good security culture that is aligned with your organizational culture should, in our view, underlie all your efforts in developing your information security governance and management.
While we have a whole section on 8 different dimensions of security culture, all of them directly influenced by security governance, we would like to concentrate here on the aspect "The truth and value of your beliefs about security". We believe that it is important that organizations start their security culture with this aspect. This is because how critical you are of your own beliefs, and how critical you are of the beliefs and assumptions of those who advise you (directly or in literature) on security governance, will eventually have a large impact on how successful your security governance will be. Ensuring that all decision makers at all levels of Information Security regularly investigate and evaluate their beliefs and assumptions is guaranteed to improve the ROI of your security investments dramatically.
To emphasize the need to be critical about beliefs, we will discuss two common problems in security governance literature and practice. The first problem is related to a commonly stated objective of security governance: "to secure the organisation's assets in the areas of confidentiality, availability and integrity". Unfortunately, Information Security is not about absolute security; it is about optimizing the cost of Information Security. Hence, the use of the term "cost-effective" or "return on investment" in this statement and in other similar objectives is helpful in combating this belief in absolute security. And, now that we have identified this objective, we need to mention that you should, of course, include the consideration of cost - in particular maintenance cost - in the institutionalization of security governance as well.
The second problem that we would like to address here is the misconception or myth that security is about risk management. Although aspects of risk analysis methodologies do play a role, in practice most of the decisions on information security in organizations are not related to risks, and most of the risk analysis processes used in organizations as part of information security are only token processes or are otherwise seriously flawed through extensive cost cutting. In the next section, on developing a security assessment framework, we will further address this issue.
Developing a security assessment framework
To evaluate the success of your security governance and to assist in prioritization of your security investments, you will need to develop a suitable security assessment framework. While obviously the previous two goals of security governance are extensive enough to need some serious prioritization, this can often be achieved in direct negotiation/consultation at the executive management level. To assist in prioritization at other levels of security management, the organization will need to develop a set of prioritization guidelines as part of its security strategic context to complement this security assessment framework. The development of prioritization guidelines is, therefore, another security governance objective that deserves early attention. Our investigation of current security standards and guidelines found no practical advice on how to prioritize security investments apart from the current flawed risk based approach. We also did not find an example of non-risk based prioritization guidelines in any of the organizations we visited as part of our extensive case-study based information security research over the last decade. Hence, while our research into this area is still in its early stages, we will present some of our initial ideas here to assist you in your endeavors to develop your own prioritization framework.
Another important issue is that you need to separate compliance management from prioritization. While compliance is one of the goals of corporate governance, it should not play a major role in security governance. Any organization that has seriously worked on developing practical objectives, as well as the business strategies to fulfill those objectives, will not have an issue with compliance. If it is a problem, you simply have not been aware of, or have not understood, the concepts of strategic security context and security culture. With the right approach, compliance simply becomes an oversight issue at the corporate level and should be separate from, not part of, your security governance.
To be able to assess your information security and prioritize your investments, your assessment framework will need to identify what needs to be protected, what the current issues are that endanger your organisation's security most, and what the most cost-effective way is to achieve an adequate level of protection. Unfortunately, our experience shows that your current information security approach is likely to be inadequate in all three of these areas. To ensure your security assessment framework will function properly, your security governance institutionalization program will therefore need to develop objectives that address these issues first. We will discuss these objectives and their impact on your organisation's security strategic context in more detail later.
Finally, you will have to develop assessment criteria for your security culture as well. We have a whole section of our web site dedicated to security culture. You can analyze that section to decide on what is relevant for your organization. Your first objective here should be to align your security culture with your organizational culture. And don't set your targets too ambitiously.