Information Security Governance
The ultimate guide to Information Security Governance and Culture.
We are currently developing the ultimate guide to Information Security Governance and Information Security Culture. Our approach to bringing information security and security governance into the 21st century is driven by our realization that one of the most important aspects of a good security culture is the way organizations evaluate the truth and rationality of the beliefs their employees and management hold about information security, as well as the truth of the assumptions underlying the standards and other resources used to underpin the organization's approach to information security.
While the need to be critical about the beliefs underlying your decision making will be discussed more extensively in our section on security culture, we would like to state, for now, that the main aim of this web site is to challenge your beliefs about what good information security is, and in particular your beliefs about how to choose the right security management and security governance structures and processes for your organization.
With the increasing complexity of IT infrastructures in organizations, and increasing information warfare on the Internet, many organizations find that traditional approaches to Information Security management are no longer working. Most organizations are still basing their information security on the old 17799 security standard that was developed several decades ago, and are struggling to cope with the increase in threats and vulnerabilities not addressed by current security standards.
In the current rapidly changing information security environment, just implementing state-of-the-art security is no longer adequate. Standards work well in a more static environment, but in this dynamic security environment you will have to be innovative in your security management approach, and go beyond what standards prescribe. Sometimes you will also have to ignore what these standards suggest and adjust your information security to the latest developments in security research.
More importantly, in a dynamic environment organizations will need to implement decentralized decision making to ensure the necessary flexibility and adaptability of their security posture. And, in such an environment of decentralized decision making it becomes extremely important to implement the right security governance structures and practices to ensure that consistently good decisions are being made.
On this web site, we make a clear distinction between corporate security governance and (enterprise level) security governance. By corporate security governance we mean governance at board level; the main responsibility of corporate security governance is to ensure that appropriate security governance is promoted and controlled at the enterprise level and below. Unfortunately, most current information and academic papers on security governance at the enterprise level promote a centralized decision making model based on what is, in our experience, an ineffective and old-fashioned 20th century risk management approach to security. To support a dynamic, flexible security posture based on decentralized decision making, we promote an innovative enterprise-wide security governance approach where security objectives and strategies are the main focus instead of security risks and controls.
We have put up the first version of our security governance and security culture pages and several pages in the resources section. At the moment we are working on the security management section. In the months to come we will extend this web site with information aimed at providing you with new ideas on how to improve your security governance and culture and reduce the cost of higher levels of information security, in particular the cost of maintaining information security. In the meantime, if you are waiting impatiently, why not have a look at my academic papers on security governance and strategic context, which will give you a taste of what is to come.
Please bookmark this site, visit us often to see what's new, and help us by providing your feedback.
If this is the first time you visit this site, please read our disclaimer.