Sam Dekay

Who’s In Charge Here? The Problem of Information Security Governance

According to ISACA’s Information Security Governance:  Guidance for Boards of Directors and Executive Management, 2nd Edition, information security governance “consists of the leadership, organizational structures and processes that safeguard information.  Critical to the success of these structures and processes is effective communication amongst all parties on constructive relationships; a common language and shared commitment to addressing the issues.”  Governance, therefore, is the administrative and managerial “glue” that permits the establishment and implementation of a comprehensive, cohesive, and consistent information security program.

Unfortunately, the well-intentioned notion of dispersing information security functions throughout the organization, thus permitting an alignment of business, security, and technical objectives, does not necessarily facilitate the establishment of an effective governance structure.  And professional organizations and governmental oversight agencies offer little assistance.

Information Security governance from the perspective of professional organizations and governmental agencies

The Information Systems Security Association (ISSA) is perhaps the major international organization devoted to the concerns of InfoSec professionals.  A visit to their website will reveal numerous (and free) valuable resources, including webcasts, white papers, and publications.  However, virtually all these materials are concerned with discussion of technical matters; nothing is (as yet) available to assist with issues involving information security governance or management.

To its credit, ISACA’s Governance Institute has recognized that InfoSec governance is a problematic issue and has published a booklet (available via free pdf download) intended for “Boards of Directors and Executive Management.”  (See above for link.)  However, the majority of ISACA’s publications, and its excellent CobiT assessment methodology, focus primarily upon the issue of Information Technology governance, rather than the narrower topic of governance for information security.


  1. SecurityExec Aug 8, 2008 at 5:35 pm

    I think it’s great that such an article has been written. Despite having a somewhat vested/biased interest in the topic (I am a security executive), I think there are some very relevant points that are compounding the problem of governance (and, ultimately, the overall effectiveness of information security). Governance and accountability are arguably what’s needed most to help truly achieve better information security across the board. Unfortunately, as we’ve seen too often, the regulatory agencies, lawmakers, and industry itself shy away from establishing accountability. It’s much easier (politically) to continue to focus on the technology rather than address the real issue. Business leaders are always going to look for the path of least resistance – hence the reason we’re seeing a lot of companies revert to positioning security and risk managers/executives down the corporate ladder, usually back into the technology ranks. Until someone steps up (the regulators/agencies should have been leading the way on this long ago, considering their increasing talk about the need to improve security of financial information), the business world simply isn’t going to accept more responsibility or accountability than it absolutely has to. That directly translates into security, privacy, and risk management reverting back to operational and technology-specific roles rather than being at the level needed for efficacy – closer to the executives and Boards of Directors.

  2. Bouch Aug 19, 2008 at 2:05 pm

    I work for a federally funded research and development center that has to abide by a variety of government regulations, such as the NISPOM, which clearly identifies roles within information security. In short, the ISSOs are the hands-on computer security folks, separate from the regular IT staff. They report to the ISRs, who work on the policies, procedures, and certifications. The ISRs are the pawns of the ISSM, who oversees the entire security posture, similar to a CISO. However, these government regulations are not enforced within the private sector. Hopefully, as corporations keep being infiltrated and sensitive customer information is leaked publicly, the citizenry will stand up for a universal information security standard for private corporations.
