Why security governance is important.
Security governance in a dynamic security environment.
Governance is about the assignment of decision and input rights and the use of an accountability framework to encourage desirable behavior in decision making. Hence, security governance needs to provide a framework in which the decisions made about security issues are aligned with the overall business strategy and the culture of the organization. Security governance is concerned with setting direction, establishing standards and principles, and prioritizing investments.
Security governance is different from management. Security governance is about decision making per se, whereas management is about making and implementing specific decisions.
Security Governance frameworks
Borrowing from an IT Governance Framework from Peterson et al., applied by us to security governance in Koh et al. (2005), security governance can be broken up into three domains:
Structural mechanisms in security governance are divided into formal and informal structures to facilitate decision making. The formal structures include direct supervision and liaison roles as well as cross-functional units and security committees, while the informal mechanisms in security governance are those activities that support coordination and the building of network relationships.
Functional mechanisms consist of the actual system of decision making and the communication flow to support it. The quality of decision making depends on whether specified rules and standard procedures are followed and whether the required decision-making activities are systematically and exhaustively addressed. The communication flow needs to support this system of decision making and ensure that the different viewpoints of stakeholders are considered. To further improve the quality of decision making, the communication flow should also allow for informal lateral communication during the security decision-making process.
Social participation, finally, ensures the active participation of key stakeholders in decision making and increases the shared understanding between stakeholders. Distributed decision making requires both active participation and shared understanding to ensure the organization can coordinate activities and is able to adapt to changing circumstances.
While the above framework offers a comprehensive view of the use of governance in decentralized decision making, it concentrates mostly on how an organization can distribute decision and input rights to improve decision making; it does not address what the organization needs to communicate to provide the necessary guidance to the decision makers and to the stakeholders involved in providing input. Neither does Peterson's framework explicitly cover how to handle accountability itself or how different leadership styles influence the quality of decision making.
To ensure organizations take a more comprehensive approach to security governance, we have developed an alternative framework, discussed in Tan et al. (2004):
This security governance framework emphasizes three additional aspects that are not, or only partly, covered by Peterson's framework. However, as it places less emphasis on the actual structural and functional governance mechanisms, we believe you should be familiar with both frameworks. For now, however, we would like to concentrate on the importance of a properly developed Security Strategic Context.