Micki Krause

Corporate Governance: A Dirty Word or a Dirty Job?

Corporate governance is in the limelight. No one wanted it, not many embrace it. But it’s here and here to stay, thanks to the horrifying outcomes vis-a-vis criminal activity leading to the failures of Enron, Worldcomm and the likes.

In the newly published anthology, CISO Leadership: Essential Principles for Success [Auerbach Publications, New York, 2008], Robert Coles and Rolf Moulton explore governance as it relates to information security. In chapter 13, entitled “Extending the Enterprise’s Governance Program to Information Risks” the authors provide an eye-opening and somewhat threatening stance:  “In this litigious age, governance failures could result in damaged careers, shareholder lawsuits or corporate collapse.”

However, because the focus is on compliance with Sarbanes Oxley, Basel II and other knee-jerk regulations, it may be worthwhile to put corporate governance into perspective. The authors position is that it can be leveraged to strengthen information security. Further, since governance is amorphous at best, the authors declare their stance as “Our definition of information security governance is the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems.”

One Comment

  1. Matt Barney Sep 22, 2008 at 11:02 pm | Permalink

    I appreciate your coverage of governance issues. Having worked with numerous boards myself, I’m often surprised at how they often ignore systematic risk management methods themselves when selecting new trustees (e.g. leadership assessments), establishing charters, and effectively assessing their board member and team effectiveness. I fear that they consider the same sort of information on their CEO (e.g. pre-hire selection assessments; multisource evaluations) too infrequently prior to staffing and ultimately firing the CEO.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*