Sam Dekay

Who’s In Charge Here? The Problem of Information Security Governance

In its conclusion to Information Security Governance, ISACA offers a compelling case for the importance of InfoSec governance as a critical concern:

The traditional focus on technical solutions must give way to the understanding that security is fundamentally a management problem to be addressed at the highest levels.  As organizational assets continue to become more intangible, the requirements of due care in the protection of information assets will require greater attention and resources.  Additionally, effective information security governance is becoming a necessity to adequately address the numerous legal and regulatory/statutory requirements.

It seems that, at a minimum, professional organizations and governmental oversight agencies could take certain actions that will foster the development of “effective information security governance”:

  • The ISSA could sponsor and publish research concerning the role and significance of InfoSec governance;
  • ISACA could emphasize the critical nature of IS governance (as is maintained in Information Security Governance) by modifying its CobiT assessment methodology to include provisions relevant specifically to Information Security governance;
  • The FFIEC IT Examination Handbook (Information Security) includes brief introductory material, described as “Security Process,” that explains the importance of security governance. However, the centrality of governance could be further strengthened by including governance-related items in the “Examination Procedures.”
  • Professional organizations and governmental oversight agencies must examine whether a robust information security governance structure can realistically focus upon the process of accountability only, or whether a governance structure should also include expectations for certain outcomes, such as a comprehensive and consistent security program.

Although professional organizations and oversight agencies can stimulate concern for the establishment of improved governance structures, practicing information security specialists can also increase their awareness of the significance of governance.  This is especially true when InfoSec functions are increasingly dispersed throughout an organization and the managerial “glue” necessary for a security program is running thin, or even disappearing.

It is perhaps easier, and possibly more interesting, for us to discuss the security vulnerabilities associated with Wireless Zero, or appropriate encryption methodologies for email transmissions.  But this “traditional focus on technical solutions” in information security will not solve the problem of whether our solutions are actually contributing to an organization-wide security program.  Indeed, the real focus must be on whether we actually have an organization-wide security program.


  1. SecurityExec Aug 8, 2008 at 5:35 pm

    I think it’s great that such an article has been written. Despite having a somewhat vested/biased interest on the topic (I am a security executive) I think there are some very relevant points that are compounding the problem of governance (and, ultimately, the overall effectiveness of information security.) Governance and accountability are arguably what’s needed most to help truly achieve better information security across the board. Unfortunately, as we’ve seen too often, the regulatory agencies, lawmakers, and industry itself shy away from establishing accountability. It’s much easier (politically) to continue to focus on the technology rather than address the real issue. Business leaders are always going to look for the path of least resistance – hence the reason we’re seeing a lot of companies revert to positioning security and risk managers/executives down the corporate ladder, usually back into the technology ranks. Until someone steps up (the regulators/agencies should have been leading the way on this long ago considering their increasing talk about the need to improve security of financial information) the business world simply isn’t going to accept more responsibility or accountability than it absolutely has to. That directly translates into security, privacy, and risk management reverting back to operational and technology-specific roles rather than being at the level needed for efficacy – closer to the executives and Boards of Directors.

  2. Bouch Aug 19, 2008 at 2:05 pm

    I work for a federally funded research and development center that has to abide by a variety of government regulations, such as the NISPOM that clearly identifies roles within information security. In short, the ISSO’s are the hands on computer security folks separate from the regular IT staff. They report to the ISR’s who work on the policies, procedures, and certifications. The ISR’s are the pawns of the ISSM who oversees the entire security posture similar to a CISO. However, these government regulations are not enforced within the private sector. Hopefully, as corporations keep being infiltrated and sensitive customer information is leaked publicly, the citizenship will stand up for a universal information security standard for private corporations.
