Information Security Governance Best Practices

Data breaches will happen. It’s not a question of if, but when. Whether it’s criminals hacking Sony Pictures or attackers causing a massive data breach at Anthem Medical, all industries are vulnerable to a cyber attack. The impact is often quite damaging: legal liabilities, brand reputation, lack of trust from customers and partners, and ultimately, revenue. The average cost of a data breach is now up to $4 million, according to a 2016 Ponemon study.

As data use continues to grow, organisations face the challenge of properly creating strategies, framework and policies for keeping sensitive data secure. Meanwhile, criminals develop new and sophisticated tactics to target valuable data.

Security is, and should be, a concern for all employees in an organisation. However, leadership must be responsible for establishing and maintaining a framework for information security governance. Information security governance is defined as a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, and manages risks while monitoring the success or failure of an enterprise security program.

Whether it is the board of directors, executive management or a steering committee — or all of these — information security governance requires strategic planning and decision-making.

Best Practices

Despite the threats of cyber attacks and data breaches, organisations can take proactive steps to better position themselves for successful security governance. What follows are five strategic best practices for information security governance:

1. Take a holistic approach

Security strategy is about aligning and connecting with business and IT objectives. A holistic approach can provide leadership with more levels of control and visibility.

What data needs to be protected? Where are the risks? Take a unified view of how information security impacts your organisation and how employees view security. Get early buy-in from key stakeholders, such as those in the IT, sales, marketing, operations and legal departments. Scope out what data needs to be protected and how that fits into the larger picture.

2. Increase awareness and training

Although developed by leadership, information security governance speaks to all employees with the organisation and requires continued level of awareness. Governance creates policies and assigns accountabilities, but each member is responsible for following the security standards.

Constant training and education on security best practices is vital. The cyber threat landscape is rapidly changing and employees, and company training, must keep up. This way, if new threats emerge, your organisation will be prepared.

3. Monitor and measure

Information security governance should never have a “set it, then forget it” approach. It’s about ongoing assessment and measuring. Monitoring ensures that objectives are being achieved and resources are appropriately managed. What security governance policies are working? Which policies are not?

Conduct mock data breach scenarios to test the efficacy of corporate teams and company incident response plans. Test results can reveal strong and weak links — what an organisation needs to concentrate on, and what security governance policies work well under pressure.

4. Foster open communication

Stakeholders should feel they can openly communicate directly with leadership, even when sharing bad news. Open communication promotes trust and brings a higher level of visibility throughout the organisation.

Engagement is key. Consider creating a steering committee comprised of executive management and key team leads (IT, marketing, finance, PR, legal, operations, etc.) to review and assess current security risks.

5. Promote agility and adaptability

Gone are the days of monolithic, cumbersome governance; organisations need to adapt quickly to meet the changing tide of security threats. IT management, which is typically concerned with making tactical decisions to mitigate security risks, might have some hands-on experience and opinions about the effectiveness of a particular security policy, but their recommendations can only go so far without C-suite support. Leadership must quickly determine how to implement suggested changes throughout the organisation. And if a security governance policy is ineffective, leadership must be willing to jettison the policy.

Overall, successful information security governance involves a continuous process of learning, revising and adapting. Organisations need to be proactive and strategic with their security posture. Threats and incidents are inevitable, but moving strategic security governance to the forefront of your organisation can help protect valuable information.

Download the full Diligent white paper: Five Best Practices for Information Security Governance