One way to address this issue is by utilizing an information security council. An information security council is a cross-functional group capable of bringing together a broad range of perspectives within a senior oversight body. Structured correctly, a council can be an extremely efficient way of managing the information security program and, more importantly, reinforcing that information security is a business issue, not an IT issue.
The council would be responsible for evaluating issues and authoring policy, even making recommendations on procedures. By incorporating broad input from the various control and operational areas, policies will carry more weight, not only because they have already been fully vetted with senior managers, but because the council members will support them within their own functional areas as well.
The council should also oversee the annual information security risk assessment, staff training and the report to the board of directors on the state of the information security program.
There are a number of design attributes that are critical for an information security council to be successful. The council must:
- Include senior level participation. Unless members are senior enough to be able to make decisions and influence others within the organization the council may risk becoming a paper tiger. Having senior managers, with operating authority, allows the council to not only make strategic decisions, but see that those decisions are supported within the organization.
- Have the authority to set policy. The council must have the ability to develop and publish policies, starting with the information security policy itself, as well as operating policies, (e.g., those governing email usage, USB devices, instant messaging, etc.) Typically a policy that affects the entire organization would come from the council whereas more granular policies, such as the frequency of router password changes, would remain within their functional areas.
- Be cross-disciplinary. The value of the council is in bringing different perspectives to emerging issues and in drafting policy. Therefore, the council should ideally have representatives from not just IT, but legal, compliance, human resources, internal audit, risk management, operations and information security. The membership should represent only those areas that have definitive input into policy creation. Other areas such as marketing, analytics, eCommerce, credit administration would more likely be invited on a case by case basis to address specific issues but wouldn't normally be part of policy making when it comes to information security.
- Be highly visible. People need to know who the council members are so that when policies are published those policies don't end up in an endless cycle of "OK, but was this approved by legal? By HR?" Yes, it was.
- Be safe. One of the tremendous benefits of a governing body of mixed disciplines is as a learning environment. The council format provides an opportunity to break down communication barriers between business units. When discussing issues, regardless of the complexity of the issue from anyone's perspective, it is incumbent on them to explain the issue in ways that all council members can understand. It must be safe to ask any question, no matter how elementary.
The council can even be used for explicit training opportunities, helping members to understand how things like firewalls and intrusion detection systems actually work. When explained in simple language, these technologies can be extremely interesting to senior managers, particularly against the backdrop of the very real threats that they help mitigate.
What participants will find is that, over time, as members learn from each other and work through complex issues taking multiple perspectives into consideration that they become each other's eyes and ears. The representative from legal may spot something that is a technical risk. IT representatives will become more adept at spotting potential compliance issues. HR may proactively identify something that is a process risk. One of the central truths of effective risk management is that the more people know about other operating areas, the better their ability to identify and manage risk. In this way, an information security council can be a powerful tool in information security governance.
About the author:
Eric Holmquist is the vice president and director of operations risk management at Advanta Bank Corp. He has over 25 years experience in the financial services industry and is a frequent industry author and speaker. He is responsible for the development and oversight of the bank's operational risk management program. In addition, Holmquist chairs the operational risk management for IT committee through the Risk Management Association. He is the author of Risk-Sizing ORM – Scaling Operational Risk Management For The Small To Mid-sized Market, is a contributing author to Operational Risk 2.0 (2007) and The Advanced Measurement Approach to Operational Risk (2006).