
Blending Corporate Governance with Information Security

Chapter in: ISSE 2006 — Securing Electronic Business Processes

Abstract

Information security requires the attention of CEOs, both within their individual companies and as business leaders seeking collectively to promote the development of standards for secure technology.

Furthermore, boards of directors should consider information security an essential element of corporate governance and a top priority for board review.

In establishing this approach, there are five principles that will help guide executive thinking:

  1. The first principle is that the CEO must get involved in understanding the security program, measuring that program, and relating that program to business operations.

  2. The second principle is that the organization itself has to understand that information assets must be thought of as being as measurable and as tangible as buildings, plants, and other valuable business infrastructure.

  3. The third principle is that we must follow the information and not the system.

  4. The fourth principle is that we evaluate the information security services that have been implemented and find a way to validate that they are working.

  5. The fifth principle, every bit as important as the others, is that it is vital for organizations to analyze where they stand in their information security governance efforts compared to others in their industry.

To implement these principles, information security stakeholders need to make significant shifts in their perspective. Such shifts allow them to ask the right questions, make better decisions, and select actions appropriate to the effective governance of enterprise security. We will explain these shifts. The next point is to divide the work across five areas of responsibility.

Following these principles, we describe a framework that addresses all components of the enterprise security program, not just the technical ones.




© 2006 Friedr. Vieweg & Sohn Verlag | GWV-Fachverlage GmbH, Wiesbaden

Cite this chapter

Le Roux, Y. (2006). Blending Corporate Governance with Information Security. In: ISSE 2006 — Securing Electronic Business Processes. Vieweg. https://doi.org/10.1007/978-3-8348-9195-2_42


  • DOI: https://doi.org/10.1007/978-3-8348-9195-2_42

  • Publisher Name: Vieweg

  • Print ISBN: 978-3-8348-0213-2

  • Online ISBN: 978-3-8348-9195-2

  • eBook Packages: Computer Science (R0)
