Implement a Security Governance and Management Program

Align security and business objectives to get the greatest benefit from both.

  • The security team often doesn’t understand business goals.
  • The organization lacks direction regarding security initiatives and how to prioritize them.
  • Risks are not treated appropriately.

Our Advice

Critical Insight

  • Business and security goals should be the same. Businesses cannot operate without security and security's goal is to enable safe business operations.
  • Security governance supports security strategy and management. These three elements create a protective arch around business operations, and governance is the keystone. It seems like a small aspect, but it holds the whole program together.
  • Governance defines the laws, but they need to be policed. Governance sets standards for what actions are permitted, but only management can verify that these standards are being observed.

Impact and Result

  • Your security governance and management program needs to be aligned with business goals to be effective.
  • This approach also helps to provide a starting point to develop a realistic governance and management program.
  • This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security, while keeping costs to a minimum.

Implement a Security Governance and Management Program Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should implement a security governance and management framework, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Overall Impact: 9.5/10
Average $ Saved: $91,699
Average Days Saved: 35

| Client | Experience | Impact | $ Saved | Days Saved |
|---|---|---|---|---|
| NMB BANK PLC. | Guided Implementation | 10/10 | $12,399 | 50 |
| The University Of Manchester | Guided Implementation | 9/10 | $171K | 20 |
| Weston Foods (Canada) Inc | Guided Implementation | 8/10 | N/A | 5 |
| DAI Global, LLC | Guided Implementation | 9/10 | $12,399 | 5 |
| Elementis Specialties | Guided Implementation | 10/10 | N/A | 120 |
| City of Kirkland | Guided Implementation | 10/10 | N/A | N/A |
| Allegis | Guided Implementation | 10/10 | $2,546 | 5 |
| Clark Schaefer Hackett | Guided Implementation | 10/10 | $3,820 | 20 |


Security Management

Establish the missing bridge between security and the business to support tomorrow's enterprise with minimal resources.
This course makes up part of the Security & Risk Certificate.


  • Course Modules: 4
  • Estimated Completion Time: 1.5 - 2 hours
  • Featured Analysts:
    • Jessica Ireland, Research Lead, Security Practice
    • Logan Rohde, Research Analyst, Security Practice

Implement a Security Governance and Management Program

Align security and business objectives to get the greatest benefit from both.

ANALYST PERSPECTIVE

So, you’ve got a security program, but is it really working for you?

"Cybersecurity is rapidly becoming a non-negotiable requirement for modern businesses to operate in today’s threat landscape. Yet all too often, there is still disagreement among business leaders and cybersecurity professionals about how much security is enough, too much, or just right. The key to resolving this dilemma is to implement a security governance and management program that is aligned with business goals. This implementation begins with a risk tolerance assessment that takes both security objectives and business goals into account so that both sides can understand each other’s point of view. Once this understanding has been reached, your organization will be in a position to develop strong security practices that enable business operations – not impede them."

Logan M. Rohde

Consulting Analyst, Security, Risk, & Compliance

Info-Tech Research Group

Our understanding of the problem

This Research Is Designed for:

  • CISOs, CSOs, CEOs, CIOs, IT leaders, and business leaders who would like to improve alignment between security and business activities, optimize security resources, implement an effective risk mitigation strategy, and improve the transparency of security initiatives.
  • CISOs, CSOs, and CIOs who would like to better support the business.

This Research Will Help You:

  • Develop a comprehensive information security governance and management framework.
  • Apply your security governance framework to your organization and create a roadmap for implementation.
  • Develop a metrics program to monitor and improve your security governance program.

This Research Will Also Assist:

  • CEOs, CFOs, and other business leaders
  • Business stakeholders that are continually affected by security

This Research Will Help Them:

  • Understand the value of information security governance and management and its ability to close security gaps.

Executive summary

Situation

  • Security programs tend to focus on technology to protect organizations while often neglecting the people, processes, and policies needed to manage the program.
  • It seems daunting and almost impossible to govern all the aspects of a security program.

Complication

  • This leads to several problems:
    • The security team often doesn’t understand business goals.
    • The organization lacks direction regarding security initiatives and how to prioritize them.
    • Risks are not treated appropriately.

Resolution

  • Your security governance and management program needs to be aligned with business goals to be effective.
  • This approach also helps to provide a starting point to develop a realistic governance and management program.
  • This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.
  • Start by defining your organization’s risk tolerance to begin the process of aligning security objectives with business goals.
  • Develop a governance framework that supports these aligned objectives and goals.
  • Manage the governance program through regular audits, metrics tracking, and regular review of the framework’s successes and shortcomings.
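The three Resolution steps above (declare a risk tolerance, govern against it, then manage through metrics and review) become checkable once risks are recorded in a register and compared against the declared tolerance. The following Python sketch is an added example, not a tool from the Info-Tech blueprint: it scores each risk, lists the ones above tolerance, and reports the governance gap the page warns about (risks that are above tolerance but have no recorded treatment decision). The 5x5 likelihood/impact scale, the tolerance value of 9, and every sample risk are assumptions constructed for illustration.

```python
"""Risk register checked against a declared risk tolerance.

Added example, not the Info-Tech blueprint's own Risk Register Tool. The 5x5
likelihood/impact scale, the tolerance threshold and the sample risks are
assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 5-point scales for likelihood and impact
TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}  # recorded governance decisions


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int  # 1 = rare ... 5 = almost certain (assumed scale)
    impact: int      # 1 = negligible ... 5 = severe (assumed scale)
    owner: str
    treatment: Optional[str] = None  # a decision from TREATMENTS, or None if not yet decided

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a typo cannot silently push a risk into tolerance.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.risk_id}: {name}={value} outside {SCALE_MIN}..{SCALE_MAX}")
        if self.treatment is not None and self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class RiskRegister:
    tolerance: int  # highest score the business accepts without a formal treatment decision
    risks: List[Risk] = field(default_factory=list)

    def add(self, risk: Risk) -> None:
        if any(r.risk_id == risk.risk_id for r in self.risks):
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks.append(risk)

    def record_decision(self, risk_id: str, treatment: str) -> None:
        """Record the steering committee's decision on how a risk is handled."""
        if treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {treatment!r}")
        risk = next(r for r in self.risks if r.risk_id == risk_id)
        risk.treatment = treatment

    def above_tolerance(self) -> List[Risk]:
        """Risks exceeding tolerance, highest score first (stable sort keeps register order for ties)."""
        return sorted((r for r in self.risks if r.score > self.tolerance),
                      key=lambda r: r.score, reverse=True)

    def untreated(self) -> List[Risk]:
        """The governance gap: risks above tolerance with no recorded decision."""
        return [r for r in self.above_tolerance() if r.treatment is None]

    def metrics(self) -> Dict[str, Union[int, float]]:
        """Figures a steering committee can track from one review to the next."""
        total = len(self.risks)
        above = len(self.above_tolerance())
        return {
            "total": total,
            "above_tolerance": above,
            "untreated_above_tolerance": len(self.untreated()),
            "pct_within_tolerance": round(100.0 * (total - above) / total, 1) if total else 100.0,
        }


def build_sample_register(tolerance: int = 9) -> RiskRegister:
    """Constructed sample data, not taken from any real assessment."""
    reg = RiskRegister(tolerance=tolerance)
    reg.add(Risk("R1", "Unpatched internet-facing VPN appliance", 4, 5, "IT Operations"))
    reg.add(Risk("R2", "Shared administrator credentials in finance", 3, 4, "Finance", "mitigate"))
    reg.add(Risk("R3", "Laptop theft without full-disk encryption", 3, 3, "IT Operations"))
    reg.add(Risk("R4", "Phishing leading to credential compromise", 5, 4, "Security", "mitigate"))
    reg.add(Risk("R5", "Outage of SaaS HR provider", 2, 3, "HR"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("metrics:", reg.metrics())
    for r in reg.untreated():
        print(f"needs a decision: {r.risk_id} score={r.score} ({r.description}, owner {r.owner})")
    reg.record_decision("R1", "mitigate")  # committee decision closes the gap
    print("after decision:", reg.metrics())
```

Raising the tolerance (for example from 9 to 12) moves R2 back within tolerance without changing any control, which is exactly why the tolerance decision belongs to the business and security together rather than to either side alone.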

Info-Tech Insight

  1. Business and security goals should be the same. Businesses cannot operate without security and security's goal is to enable safe business operations.
  2. Security governance supports security strategy and management. These three elements create a protective arch around business operations, and governance is the keystone. It seems like a small aspect, but it holds the whole program together.
  3. Governance defines the laws, but they need to be policed. Governance sets standards for what actions are permitted, but only management can verify that these standards are being observed.

Decide between a security governance or a security strategy focus

This blueprint is for…

This blueprint is intended for organizations that presently do not have a governance framework and are looking to begin the process of building one.

Developing a governance framework is a large undertaking; it’s important to start small to make the project manageable.

In this blueprint we will focus on the following steps:

  • Aligning business goals and security objectives.
  • Setting an appropriate risk tolerance and monitoring threats.
  • Deploying three lines of defense.
  • Developing policies, charters, and defining organizational structure.
  • Tracking security metrics and the importance of regular audits.
  • And more!

In some cases, it’s better to work backwards…

For less-mature organizations, it might be more appropriate to start by developing a security strategy to outline the basics before developing a governance framework.

Info-Tech’s blueprint Build an Information Security Strategy will walk you through the process of creating a security program specific to your organization. It focuses on the following processes:

  • Assessing security requirements
  • Building a gap initiative strategy
  • Prioritizing security initiatives

Info-Tech’s framework integrates several best practices to create a best-of-breed security framework

A list of Info-Tech's Information Security Framework blueprints is shown in an image and divided based on type of security.

Discard your preconceptions about security and business being at odds with each other

Ultimately, both the security and business ends of the organization are interested in the same goal: the organization’s continued success.

It’s true that both groups have different ideas about what the organization’s ideal state is, but security and the business have more in common than they do in conflict. They just aren’t used to seeing it that way.

An image shows three text boxes side by side: Business Goals, a plus sign, and Security Objectives (with arrows connecting the two boxes), followed by an equals sign leading to the final box labelled Organizational Success.

Business goals and security goals are related and have a tendency to affect each other, making business-security alignment an iterative process that takes ongoing effort. This effort is well worth it as it leads to maximum cooperation and thus maximum efficiency.

Resolve the tension between business and security

It is true that business leaders and security professionals have different ideas about what an organization’s ideal state is, but this difference can be overcome with a little understanding.

The ideal business state:

  • Operations run easily and efficiently.
  • High risk tolerance; no serious incidents.
  • Strong all-around security with no compromise to convenience or ease of use.
  • Low-cost security.

The ideal security state:

  • Business engages in no risky behavior.
  • Low risk tolerance; no incidents.
  • Security prioritized over convenience.
  • Adequate budget to enable comprehensive security.

What both parties must understand:

  • Without adequate security, the business takes serious risks that may have serious consequences.
  • Without smooth business operations, there would be no jobs for security professionals.
  • Therefore, security goals are business goals and business goals are security goals.

Position yourself for success by integrating security into your overall governance framework

Security and the business end of the organization need to work together to achieve their shared goals, and good governance will set both of them on the road for success.

  • Yet it should be understood that security is the focus. Going forward, convenience must take a backseat to security in order for security governance to actually have an effect on the organization; however, convenience is a risk that should be managed rather than removed – a total security lockdown won’t improve business outcomes, but good governance will.

Security governance is an integral part of IT governance and corporate governance.

Security governance involves the following activities:

  • Evaluating current security activities and their impact on business objectives.
  • Providing direction for the security team by setting an appropriate risk tolerance, allocating investments and resources, etc.
  • Developing a security charter and organizational structure.
  • Ensuring compliance.

The Security Governance Framework

A security governance framework is a system that will design structures, processes, authority definitions, and membership assignments that lead the security department toward optimal results for the business.

Governance is performed in three ways:

  1. Evaluate: Governance ensures that business goals are achieved by evaluating stakeholder needs, criteria, metrics, portfolio, risk, and definition of value.
  2. Direct: Governance sets the direction of information security by delegating priorities and determining the decisions that will guide the organization.
  3. Monitor: Governance establishes a framework to monitor performance, compliance with regulation, and progress on expected outcomes.

"Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations."

– EDUCAUSE

Allow security to become a business enabler

Remember: security objectives are business objectives too.

  • It is true that without good governance security programs often fail to produce results.
  • However, it is also true that without good governance security programs can become too restrictive, preventing the business from operating smoothly.
  • The goal is to create an effective governance framework that keeps the business safe, but also running smoothly – not just adding security, but the right level of security.

A Venn diagram is shown. The large circle on the left is labelled Understanding Business Needs; the large circle on the right is labelled Effective Governance. The overlap between the two circles is labelled Right Level of Security.

Notice the need for security governance

Boards who actively participate in developing security strategy:

44%

✓ Including the board in governance discussions helps to align business & security goals.

Source: PwC, 2018

US organizations who agree compliance requirements are effective for improving security:

74%

✓ Having a proper governance framework helps ensure compliance obligations are met.

Source: Thales, 2018

Boards of directors confident their organization is properly secured against cyberattack:

37%

✓ Governance promotes the development of security controls to protect information assets.

Source: NACD, 2017-18

Professionals wanting a security budget increase of up to 50%:

87%

✓ Developing a governance framework helps you get the most out of your security budget.

Source: EY, 2017-18

Government security professionals who note carelessness or lack of training as the biggest security risk:

54%

✓ Governance can help ensure training and awareness needs are met.

Source: SolarWinds, 2017

Create impactful security governance by embedding it within enterprise governance

The business should engage in security governance and security should influence the direction of the business.

Enterprise Governance

Enterprise governance falls into the authority of the board and executive management.

Responsibilities include:

  • Provide strategic direction for the organization.
  • Ensure objectives are met.
  • Set the risk standards/profile.
  • Delegate resources responsibly.

Security Governance

Security governance is a component of enterprise governance.

Responsibilities include:

  • Build structure, authority, process, and membership designations in a governance framework.
  • Ensure cybersecurity department is aligned with business goals.
  • Influence the direction of the business to ensure business success.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Implement a Security Governance and Management Program – project overview

Phase 1: Align Business Goals With Security Objectives

Best-Practice Toolkit:
  • 1.1 Appreciate what security governance is in relation to management and strategy
  • 1.2 Plan for common security governance and management challenges
  • 1.3 Understand the benefits of security governance
  • 1.4 Prepare a business case to present to the board
  • 1.5 Assemble the security governance steering committee
  • 1.6 Set an appropriate risk tolerance

Guided Implementations:
  • Understand what security governance means for you
  • Governance Development Checkpoint I

Phase 1 Outcome:
  • Business Case Presentation Deck
  • Information Security Steering Committee Charter
  • Risk Register

Phase 2: Develop an Effective Governance Framework

Best-Practice Toolkit:
  • 2.1 Blend the best of COBIT and NIST
  • 2.2 Understand your three lines of defense
  • 2.3 Support your first line of defense with a Security Governance Center of Excellence
  • 2.4 Create a governance charter, policies, and organizational structure

Guided Implementations:
  • Developing an effective framework
  • Governance Development Checkpoint II

Phase 2 Outcome:
  • Information Security Charter
  • Security Governance Organizational Structure

Phase 3: Manage Your Governance Framework

Best-Practice Toolkit:
  • 3.1 Track governance-related metrics to streamline your initiative
  • 3.2 Internally audit your security program
  • 3.3 Reassess your governance framework

Guided Implementations:
  • Metrics, audits, and why they matter
  • Governance Development Checkpoint III

Phase 3 Outcome:
  • Security Metrics Assessment

Workshop overview

Workshop Day 1: Governance Modeling

Activities:
  • Kick-off and introduction to workshop methodology.
  • Discuss governance-related responsibilities.
  • Create governance model.

Deliverables:
  1. Information Security Steering Committee RACI Chart
  2. Governance Model

Workshop Day 2: Steering Committee and Policy Process

Activities:
  • Establish steering committee membership.
  • Complete documentation to support steering committee creation.
  • Determine policy structure, scope, and approval and exceptions process.

Deliverables:
  1. Steering Committee Charter
  2. Information Security Policy Charter
  3. Policy Hierarchy
  4. Security Policy Framework Prioritization Tool
  5. Policy Exception Handling Process Diagram

Workshop Day 3: Security as a Service

Activities:
  • Continue policy work as needed.
  • Discuss security service offerings and how they support the business.
  • Review existing documentation or other records of services.
  • Complete security service catalog.

Deliverables:
  1. Policy Exceptions Tracker and Risk Register
  2. Policy Exception Request Form
  3. Information Security Service Catalog

Workshop Day 4: Metrics and Continuous Improvement

Activities:
  • Address the need for metrics.
  • Determine where metrics will be sourced from.
  • Establish security-business alignment and appropriate metrics.
  • Discuss presenting metrics to various audiences.

Deliverables:
  1. Business Goal Metrics Tracking Tool

Workshop Day 5: Offsite Review

Activities:
  • Formalize deliverables.
  • Schedule subsequent analyst calls.
  • Schedule feedback call.

Deliverables:
  1. Finalized deliverables

Phase 1

Align Business Goals With Security Objectives

Step 1: Align Business Goals With Security Objectives

This step will walk you through the following activities:

  • Plan for common security governance and management challenges.
  • Understand the benefits of security governance.
  • Prepare a business case to present to the board.
  • Assemble the security governance steering committee.
  • Set an appropriate risk tolerance.

This step involves the following participants:

  • Cybersecurity
  • Business leaders and decision makers
  • Risk specialists

Outcomes of this step

  • Improved understanding of governance benefits and challenges.
  • Created business case presentation deck.
  • Formed Governance Steering Committee.
  • Improved understanding of business and security approaches to risk management.
  • Defined risk tolerance.

Phase 1 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Align Business Goals With Security Objectives

Proposed Time to Completion: 4-6 weeks

Step 1.1: Understand What Security Governance Means for You

Start with an analyst kick-off call:

  • Discuss security governance, strategy, and management.
  • Understand the importance of business-security alignment.
  • Discuss how to begin setting an appropriate risk tolerance.

Then complete these activities…

  • Prepare a business case to present to the board.
  • Assemble the security governance steering committee.
  • Establish risk tolerance.

With these tools & templates:

Information Security Governance Business Case Template

Information Security Steering Committee Charter

Security Risk Register Tool

Step 1.6: Governance Development Checkpoint I

Review findings with analyst:

  • Discuss progress with getting executive support.
  • Address challenges with assembling steering committee.
  • Discuss progress on establishing risk tolerance and deploying risk register.

Then complete these activities…

  • Fine-tune the business case presentation.
  • Finalize steering committee charter.
  • Continue identifying and assessing risks.

Phase 1 Results & Insights:

  • Business case presentation deck and ability to argue for business-security alignment.
  • Steering committee to oversee the governance initiative.
  • How to set an appropriate risk tolerance and the advantage of a high risk tolerance.

1.1 Appreciate security governance in relation to security management and strategy

There are three elements that make up an effective security program: governance, strategy, and management.

These elements do overlap with each other and the terms are sometimes used interchangeably. However, each refers to a specific element of the overall security program and it’s important to account for them.

Governance:

  • Organization’s framework for how the business will operate in accordance with security controls/protocols.
  • Overarching set of policies and charters detailing an organization’s expectations for minimizing risk.
  • Developed via risk tolerance assessment.
  • Used to align security objectives and business goals.
  • Maintained through regular audits.

Strategy:

  • Organization’s approach to managing the risks that fall within its risk appetite.
  • Plan for preserving data’s confidentiality, integrity, and availability in the face of tolerated risks.
  • Balances security pressures (e.g. compliance obligations or attackers) with business goals.
  • Executes the objectives laid out by the governance framework.

Management:

  • Driving force of the security program.
  • Ensures that both governance and strategy are operating properly and are well understood by those who need to follow them.
  • Training and awareness, audits, and tracking metrics are large components.
  • Keeps the security program acting as a business enabler rather than a business impediment.

Info-Tech Insight

As a general rule, the more mature an organization, the more these elements will be separated from each other. However, the point is not to get hung up on naming conventions – just make sure each element is accounted for to get the most from your security program.

Visualize governance as the keystone of your security program

These three basic elements: governance, management, and strategy create an arch that secures business operations, enabling them to run smoothly.

In this model, governance appears to be the smallest element of the arch. However, this does not mean it is the least important. Rather, governance is a framework that works in the background of the more active elements: management and strategy. Governance is also the keystone of the security arch, meaning that it is the essential component holding the arch together by ensuring that the other elements are adequately supported.

A model is depicted to show the relationship of governance, management, and strategy as described in the text above. There are three black boxes of management, three green boxes of strategy, and in the middle to connect the two, is one box of governance.

1.2 Plan for common security governance and management challenges

Governance is an important part of any security program. However, to implement it you’ll need to prepare for certain challenges, which may derail the whole initiative or even prevent it from getting off the ground in the first place.

  • Before attempting to get executive buy-in for the project, consider these issues not just as challenges to overcome, but also as reasons for why your organization needs a governance framework.

Non-compliance:

Security controls tend to interrupt the flow of people's day-to-day habits, so it's not uncommon for them to continue doing things the “easy way” if they experience no consequences or they see others not following the rules.

  • Countering these behaviors is exactly why a governance framework is needed.
  • Without well-defined controls in place, security will continue to be an afterthought for end users.

Enforcement:

It can be hard to see what everyone is doing at every minute of the day, which is why it is important to establish a mandatory governance framework. Ensure managers, directors, and executives follow the framework and supporting policies.

  • The governance framework will need maintenance to ensure it is working properly.
  • This is why management is a necessary component of any governance initiative.

Budget:

The old belief that business operations make money and security costs money can be a hard mindset to break. Fortunately it is getting easier to convince business leaders to invest in security.

  • Convincing them to invest in the most worthwhile security protocols can still create some friction.
  • Strategy should be developed alongside governance to prioritize security needs.

Info-Tech Insight

A governance framework is meant to increase an organization’s collective safety. For governance to be effective, its controls must be observed as the laws of the land by everyone from the CEO down to the most recent entry-level employee.

Challenges continued

Non-compliance, enforcement, and budget are broad challenges made up of more-specific issues.

  • Be sure to consider how the following might present unique obstacles for your organization’s governance initiative – each one presents a specific talking point that you can use to highlight a problem and how you plan to solve it, thus convincing executives of the value of security governance.
  • Rest assured, this blueprint will prepare you for meeting these challenges!

Governance Challenges

  • Getting security policies approved by management.
  • Communicating security policies within the organization.
  • Establishing security organizational structure.
  • Prioritizing and initiating security objectives.
  • Defining an appropriate risk tolerance.
  • Securing business initiatives.
  • Keeping up with compliance obligations.
  • Incorporating security into IT system design.

Management Challenges

  • Managing IT systems effectively.
  • Managing security processes effectively.
  • Dealing with security incident management effectively.
  • Developing a metrics program to track governance efficacy.
  • Conducting regular internal audits.
  • Overseeing managed security service providers.
  • Responding to physical security issues.
  • Implementing regular training and awareness.
  • Enforcing policies consistently across all departments.

1.3 Understand the benefits of security governance

There are many advantages to a well-defined governance framework, but focusing on the ones below will help you gain support and get the project approved.

A governance framework will help to…

  1. Enhance security culture
    • Governance provides a solid foundation to develop strong security controls.
    • Allows for security decisions to be made ahead of time so that firefighting-style responses and ad hoc decision making can be avoided.
  2. Improve incident management
    • Problems can and will arise, but a governance framework helps speed up remediation.
    • Defines the state the organization must return to.
  3. Reduce costs
    • Investing in security now helps prevent huge costs associated with data breaches later.
    • Remember: not all costs are monetary; reputational damage can also be very costly.
  4. Meet compliance obligations
    • Reporting and other duties easily become challenges when firm security controls are not in place.
    • Some regulations (e.g. GDPR) may impose additional fines if security controls are inadequate.

Info-Tech Insight

A governance framework is what holds an organization's security posture upright. Without one, an organization’s overall security can become too lax, posing additional risks to the health and longevity of the business.

1.4 Prepare a business case to present to the board

There’s no way around it: implementing a governance framework is going to cost money, so it’s important to demonstrate why it’s a worthwhile investment.

Business Case Talking Points

  • IT security is not the same as IT.
  • Security is meant to enable business.
  • No longer simply a cost, but a necessary protection.
  • Not necessarily a massive overhaul, but a fine-tuning, development, and formalization of processes already in place.
  • Helps to cement organization's internal culture, interests, and politics around security.
  • Removing red tape so the CISO can act in the best interest of the company.
  • Design security policies to meet compliance obligations.
  • Above all: managing risk (by identifying it in the first place).

Consider using these talking points to structure your business case presentation.

Info-Tech Insight

Security controls can restrict business operations. In today's cybersecurity landscape there are too many threats to not have some protection. A business can’t operate without security and security must enable business operations. The two need to cooperate to ensure an organization's (continued) success.

Use Info-Tech’s business case template to convey the need for security governance

1.4 Information Security Governance and Management Business Case Template

Use this presentation deck as a starting point for your own business case presentation by following these steps:

  1. Review each slide.
  2. Customize the text to tailor the information to match your organization’s needs.
  3. Add additional material to address any unique challenges your organization faces.
  4. Present to board or other approving body.

Screenshots from the Information Security Governance and Management Business Case Template are shown.

Info-Tech Best Practice

When giving this presentation, remember to emphasize the need to set an appropriate risk tolerance. This is a key part of security-business alignment (step 1.6 of this blueprint).

1.5 Assemble the Information Security Steering Committee (ISSC)

Once the governance plan has the green light, you will need to create a steering committee to:

  • Develop the policies that will make up the governance framework.
  • Verify that the governance implementation is on schedule and going to plan.
  • Offer guidance for effective management.

The steering committee membership should represent security and business personnel equally to make the process as democratic as possible.

  • Your steering committee should contain approximately six people.
  • This size allows various viewpoints to be represented while balancing the need to get things done.
  • Avoid committees with more than eight people; they tend to struggle with decision making.

Check out Info-Tech’s resources on using an ISSC, including the blueprint, Improve Security Governance With a Security Steering Committee.

Info-Tech Insight

When deciding on steering committee participants, don’t forget to account for the unique qualities of your organization. It may be appropriate to include members from outside security or business-related departments, such as HR, particularly if your organization needs to protect a lot of sensitive employee data.

Typical ISSC responsibilities and duties

Use the following list of responsibilities to customize the list of responsibilities your ISSC may take on. These should link directly to the Responsibilities and Duties section of your ISSC charter.

Strategic Oversight

  • Provide oversight and ensure alignment between information security governance and company objectives.
  • Assess the adequacy of resources and funding to sustain and advance successful security programs and practices for identifying, assessing, and mitigating cybersecurity risks across all business functions.
  • Review controls to prevent, detect, and respond to cyberattacks or information or data breaches involving company electronic information, intellectual property, data, or connected devices.
  • Review the company’s cyber insurance policies to ensure appropriate coverage.
  • Provide recommendations, based on security best practices, for significant technology investments.

Policy Governance

  • Review company policies pertaining to information security and cyber threats, taking into account the potential for external threats, internal threats, and threats arising from transactions with trusted third parties and vendors.
  • Review privacy and information security policies and standards as well as the ramifications of updates to policies and standards.
  • Establish standards and procedures for escalating significant security incidents to the ISSC, board, other steering committees, government agencies, and law enforcement, as appropriate.

Risk Governance

  • Review and approve the company’s information risk governance structure and key risk management processes and capabilities.
  • Assess the company’s high-risk information assets and coordinate planning to address information privacy and security needs.
  • Provide input to executive management regarding the enterprise’s information risk tolerance.
  • Review the company’s cyber response preparedness, incident response plans, and disaster recovery capabilities as applicable to the organization’s information security strategy.
  • Promote an open discussion regarding information risk, and integrate information risk management into the enterprise's objectives.

Monitoring & Reporting

  • Receive periodic reports and coordinate with management on the metrics used to measure, monitor, and manage cyber and IT risks posed to the company and to review periodic reports on selected risk topics as the committee deems appropriate.
  • Review reports provided by the IT organization regarding the status of and plans for the security of the company’s data stored on internal resources and with third-party providers.
  • Monitor and evaluate the quality and effectiveness of the company’s technology security, capabilities for disaster recovery, data protection, cyber threat detection, and cyber incident response, and management of technology-related compliance risks.

Customize Info-Tech’s Information Security Steering Committee Charter to suit your organization’s needs

1.5 Information Security Steering Committee Charter

Use this template to create an information security steering committee charter that accounts for your organization’s unique needs.

This charter will help ensure that your security governance program gets the attention it deserves by:

  • Outlining roles and responsibilities of committee members.
  • Defining the approach to security governance, supporting policies, overall strategy, and risk management.
  • Prescribing the committee’s procedures.

Screenshots of the Information Security Steering Committee Charter are shown.

Info-Tech Best Practice

This package contains a RACI chart to help you document members’ roles and responsibilities. Be sure to review the various jobs listed as they will help you get started with defining the needs of your own governance initiative.

Discuss your organization’s ideal security state

1.5 90 minutes

Once the steering committee is established, they’ll need to get to know each other and learn what other members value. To help facilitate this process, have cybersecurity and business leaders talk to each other about their ideal scenarios for the organization.

Follow this process:

  1. Divide into departmental teams.
  2. Have each team prepare a mini presentation explaining their goals and why they're important.
  3. Allow the other team(s) to give constructive rebuttals for elements of the other teams’ presentations they disagree with.
  4. Avoid starting fights (this isn’t the point); the goals for this exercise are to:
    • Discuss possible solutions or compromises.
    • Begin conversations around risk tolerance.
    • Have the steering committee get a sense of what the organization's risk tolerance actually is, not where they think it is or wish it to be.

Things to consider when making presentations:

  • Past incidents and their costs.
  • Alignment of security and business goals.
  • Compliance obligations.
  • Industry’s threat landscape.
  • Business pressures.
  • Resources.
  • Consequences of losing various data types.
  • Point when a security incident would prevent business operations.
  • Roles and responsibilities.

Info-Tech Insight

Many organizations think of themselves as having a low risk tolerance. However, upon closer inspection of what they are willing to tolerate, these same organizations often fall into the moderate risk tolerance category.

Set an appropriate risk tolerance

To get business and security operations to align, they will need to agree on an acceptable level of risk (i.e. what they are willing to tolerate). This is the basis of the entire governance initiative.

There are two parts to setting a risk tolerance:

  1. Surveying possible risks (assess as many as possible) to decide which ones you are and are not willing to accept.
  2. Evaluating each risk individually to determine at what point it would become intolerable.
    • Remember to account for compliance obligations while completing these activities.
A graph is shown that is titled: Risk Tolerance-Curve. The x-axis is labeled Impact, and the y-axis is labeled frequency. A curve starting at the top of the graph and going downward and to the right is labeled risk tolerance.

Risk tolerance is based on a threat’s frequency and impact. More-severe risks can be tolerated provided their frequency is low. Business and security can align by agreeing what is and is not an acceptable risk.

Organizations cannot simply hope they won't be breached – or worse, assume they won't because they have avoided it so far. 50% of US retailers suffered a data breach in 2017.

Sources: “2018 Thales Data Threat Report”; “Cisco 2017 Annual Cybersecurity Report”

% of business opportunity lost from a data breach (share of breached organizations in each band):

  • Lost less than 20%: 58%
  • Lost 20-40%: 25%
  • Lost 40-60%: 9%
  • Lost 60-80%: 5%
  • Lost 80-100%: 4%

Visualize the advantages of a high risk tolerance

Think of your risk tolerance like a mountain: the base represents the risks your organization can comfortably tolerate, while the summit represents the limit of your risk tolerance. For a risk to become intolerable, its magnitude must be greater than that of the mountain’s summit.

The higher the risk tolerance, the more risks an organization can accept, thus improving the organization’s ability to operate within a given threat landscape.

In short, the bigger the mountain the better.

A visual is depicted to demonstrate risk tolerance as described in the text above.

Info-Tech Best Practice

There are advantages to a high risk tolerance, but that doesn’t mean it’s a good idea to blindly accept all risks. Set an appropriate risk tolerance to maximize business output without taking unnecessary or unwise risks. It may be worthwhile to investigate security solutions to help you increase your risk tolerance.

Use Info-Tech’s Risk Register to help set an appropriate risk tolerance and track risks

1.6 Security Risk Register Tool

  1. Use this tool to help you quantify your organization’s risk tolerance using Info-Tech’s 0-40 scale.
  2. Once you decide on a risk tolerance, enter that value on tab 4 (Results) and enter the required information for each risk your organization faces to see whether or not those risks are within the risk tolerance you’ve set.
  3. To help you get the full picture of your organization’s threat landscape, this tool allows you to track a threat’s inherent risk (to the organization) and the residual risk after deploying a mitigation strategy.
  4. The final 2 tabs will let you see all risk and mitigation details at a glance and in graphical form, making it easy to present to non-risk specialists.
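The two steps of setting a tolerance (survey the risks, then decide per risk where it becomes intolerable) and the register's inherent-versus-residual comparison can be worked through in a few lines of code. This is an added example and is not Info-Tech's Security Risk Register Tool; the scoring scale (frequency 1-5 times impact 1-8, which happens to produce a 0-40 range), the sample entries, and the rule that compliance obligations are never scored as tolerable are all assumptions made here for illustration.

```python
"""Toy risk register: inherent vs. residual risk scored against a risk tolerance.

Added example; not Info-Tech's Security Risk Register Tool. The scoring
(frequency 1-5 x impact 1-8, giving a 0-40 range) is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_FREQUENCY = 5   # constructed scale: 1 = rare .. 5 = frequent
MAX_IMPACT = 8      # constructed scale: 1 = negligible .. 8 = catastrophic


@dataclass
class Risk:
    name: str
    frequency: int
    impact: int
    mitigation: str = ""
    # Frequency/impact after the mitigation is deployed; None means unchanged.
    mitigated_frequency: Optional[int] = None
    mitigated_impact: Optional[int] = None
    # Regulatory obligations are not a risk worth accepting, whatever the score.
    compliance_obligation: bool = False


def score(frequency: int, impact: int) -> int:
    """Risk score = frequency x impact, on the constructed 0-40 range."""
    if not 0 <= frequency <= MAX_FREQUENCY or not 0 <= impact <= MAX_IMPACT:
        raise ValueError(f"frequency {frequency} / impact {impact} out of range")
    return frequency * impact


def inherent_risk(risk: Risk) -> int:
    """Risk to the organization before any mitigation is applied."""
    return score(risk.frequency, risk.impact)


def residual_risk(risk: Risk) -> int:
    """Risk that remains after the mitigation strategy is deployed."""
    freq = risk.frequency if risk.mitigated_frequency is None else risk.mitigated_frequency
    imp = risk.impact if risk.mitigated_impact is None else risk.mitigated_impact
    return score(freq, imp)


def within_tolerance(risk: Risk, tolerance: int) -> bool:
    """A risk is acceptable only if its residual score sits at or below tolerance."""
    if risk.compliance_obligation:
        return False
    return residual_risk(risk) <= tolerance


def tolerance_curve(tolerance: int) -> Dict[int, int]:
    """Highest tolerated frequency for each impact level: the curve from the page,
    where a more severe risk is tolerable only if it is rarer."""
    return {impact: min(MAX_FREQUENCY, tolerance // impact)
            for impact in range(1, MAX_IMPACT + 1)}


def summarize(register: List[Risk], tolerance: int) -> Dict[str, dict]:
    """Inherent, residual, and tolerable flag for every register entry."""
    return {
        r.name: {
            "inherent": inherent_risk(r),
            "residual": residual_risk(r),
            "tolerable": within_tolerance(r, tolerance),
        }
        for r in register
    }


def sample_register() -> List[Risk]:
    """Constructed sample entries, not taken from any real organization."""
    return [
        Risk("Phishing-led credential theft", 5, 4, "Phishing-resistant MFA", 5, 2),
        Risk("Ransomware on file servers", 2, 8, "Offline, tested backups", 2, 4),
        Risk("Lost unencrypted laptop", 3, 5, "Full-disk encryption", 3, 1),
        Risk("Unmet regulatory control", 2, 5, compliance_obligation=True),
    ]


if __name__ == "__main__":
    tol = 12  # constructed tolerance value
    for name, row in summarize(sample_register(), tol).items():
        print(f"{name:32} inherent={row['inherent']:2} "
              f"residual={row['residual']:2} tolerable={row['tolerable']}")
    print("tolerance curve (impact -> max frequency):", tolerance_curve(tol))
```

Running the script shows every sample risk sitting above the tolerance before mitigation and below it afterwards, except the compliance item, which is flagged regardless of score.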

Screenshots of the Security Risk Register Tool are shown.

Info-Tech Best Practice

Risk registers are valuable tools, but they are only as good as the information they contain. To get the most value from this tool, take the time to consider all possible risks. The more risks you track, the better your understanding of the overall threat landscape will be.

Track the high-level details of your compliance obligations with Info-Tech’s Information Security Compliance Template

1.6 Information Security Compliance Template

Assessing your ability to meet your compliance obligations is an important part of determining your organization’s overall risk tolerance. In many cases, these obligations will set certain standards your organization must live up to and failing to do so usually results in fines and other costs. In other words, not meeting compliance requirements and obligations is a risk not worth taking. Use this template to record the regulations your organization is subject to so that you can quickly assess what each obligation requires.

Info-Tech Insight

Sometimes, organizations aim only to be compliant rather than fully secure. However, this approach is short-sighted. While compliance will limit some risks, there are still plenty of threats that exist outside of compliance obligation minimums.

A screenshot of the Information Security Compliance Template is shown.

Info-Tech Best Practice

Use compliance as a starting point, but seek to go beyond the minimum that your obligations ask of you. That way, your organization will be able to handle a variety of complex threats.

If you want additional support, have our analysts walk you through this phase as part of an Info-Tech guided implementation

Book a guided implementation with our Info-Tech analysts:

Guided implementations offer an easy way to accelerate your project. Our analysts will work with you and your team over the phone to facilitate the activities outlined in the blueprint. Getting key stakeholders together to formalize the program while getting started on developing your governance framework allows you to kick-start the overall program. Guided Implementations are included in advisory memberships and offer additional support over a do-it-yourself approach by ensuring continuous improvement of your governance initiative.

Photo of Logan Rohde.

Logan Rohde

Consulting Analyst – Security, Risk & Compliance

Info-Tech Research Group

Call 1-888-670-8889 for more information.

Phase 2

Develop an Effective Governance Framework

Step 2: Develop an Effective Governance Framework

This step will walk you through the following activities:

  • Blending the key parts of COBIT and NIST.
  • Understanding your three lines of defense.
  • Creating a governance charter, organizational structure, and supporting policies.

This step involves the following participants:

  • Cybersecurity
  • Business leaders
  • Risk specialists

Outcomes of this step

  • Improved risk management.
  • Formed Security Governance Center of Excellence.
  • Developed governance charter, supporting documents, and organizational structure.
  • Assigned roles and responsibilities.

Phase 2 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 2: Develop an Effective Governance Framework

Proposed Time to Completion: 4-6 weeks

Step 2.1: Developing an Effective Framework

Start with an analyst kick-off call:

  • Discuss separation of governance and management (COBIT 5).
  • Address other challenges and how NIST helps with them.
  • Consideration for a Security Governance Center of Excellence.
  • Need for a governance charter and supporting documents.

Then complete these activities…

  • Create governance charter.
  • Draft organizational structure document.
  • Assign governance roles and responsibilities.

With these tools & templates:

Information Security Charter Template

Security Governance Organizational Structure Template

Step 2.4: Governance Development Checkpoint II

Review findings with analyst:

  • Talk through challenges with framework design and deployment.
  • Discuss structure of three lines of defense.
  • Address suitability of using a Center of Excellence.

Then complete these activities…

  • Finalize charter and organization structure (including RACI chart).
  • Establish Center of Excellence.

Phase 2 Results & Insights:

  • Information security governance charter.
  • Improved insight into organization structure and how it affects security.
  • Assignment of roles and responsibilities.
  • Establishment of Security Governance Center of Excellence.

2.1 Blend the best of COBIT and NIST

Prebuilt frameworks, like COBIT 5 and NIST’s Cybersecurity Framework, offer good starting points for developing your own governance framework.

A screenshot of the COBIT 5 logo is shown.

Image sources: ISACA; NIST

COBIT 5 provides the key insight that management and governance are separate activities and should not be treated as the same. This point should be observed no matter how your governance framework shapes up.

A logo of NIST is shown.

The NIST Cybersecurity Framework provides practical governance subcategories to help you develop your own framework, making sure that essentials like policy communication, role and responsibility alignment, legal and regulatory requirements, and risk management processes are included.

Info-Tech Insight

Your industry may use other frameworks, such as ISO, but this doesn’t mean you won’t benefit from studying COBIT and NIST. Most frameworks integrate well with each other.

Benefit from the wisdom of COBIT 5

COBIT reminds us not to blur the lines between governance and management; each has a unique role to play. Confusing them means wasted time and confusion around ownership.

A cycle is shown to demonstrate governance and management processes. The cycle is split in half vertically. The left side is blue and focuses on governance processes. The processes include: Evaluate, Direct, and Monitor. The right side is red and focuses on management processes. The processes include: Monitor, Run, Build, and Plan.

Governance

IT governance sets direction through prioritization and decision making, and monitors overall IT performance. Governance aligns with the mission and vision of the organization to guide IT.

Management

Management is responsible for executing on, operating, and monitoring activities as determined by IT governance. Management makes decisions for implementing based on governance direction.

Appreciate the practicality of NIST

NIST uses the following subcategories in its framework. Use these suggestions as guidelines for developing the more granular aspects of your organization’s governance initiative.

Excerpted from NIST Framework for Improving Critical Infrastructure Cybersecurity

Governance:

  • ID.GV-1: Organizational cybersecurity policy is established and communicated.
  • ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners.
  • ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
  • ID.GV-4: Governance and risk management processes address cybersecurity risks.
NIST logo is shown.

Following this blueprint will set you up to meet these goals!

3.1 Understand your three lines of defense

The three lines of defense risk management framework originally emerged after the dot-com bubble burst in the mid-to-late ’90s, and it became standard in the financial industry after the 2008 banking crisis. However, its principles can be applied to any industry as a risk management technique. Incorporating the three lines of defense into your cybersecurity governance framework will help you identify and manage risk and ensure that your controls are providing the desired result.

"Cyber risks: Everyone is talking about them, but most aren’t quite sure how to handle them"

– Christophe Veltsos, InfoSec, Risk, and Privacy Strategist

Minnesota State University, Mankato

First Line of Defense: Business Management

  • Made up of managers who own and make decisions about risk (i.e. what actions are or are not permitted under the organization’s risk policies).
  • Includes the cybersecurity team, which offers guidance for good decision making but cannot veto decisions after they’ve been made.
  • Addresses actual risks via established security controls.
  • Manages security controls.
  • Follows guidance of key risk indicators (KRIs).

Info-Tech Insight

To create an effective security program, two conditions must be in place: management and governance must be separate functions and there must be three lines of defense.

Lines of defense continue

"The use of the three lines of defence to understand the system of internal control and risk management should not be regarded as an automatic guarantee of success. All three lines need to work effectively with each other and with the audit committee in order to create the right conditions."

– Chartered Institute of Internal Auditors

Second Line of Defense: Risk Management

  • Committee of risk, compliance, and privacy specialists who provide oversight of the first line of defense.
  • Has key role in setting risk tolerance.
  • Responsible for developing high-level risk management policies.
  • Develops KRI and ERM documents.
  • Assesses effectiveness of security controls based on performance of the first line of defense.

Third Line of Defense: Independent Assurance

  • Provided by the internal audit committee, which operates independently of the other two lines to avoid conflicts of interest.
  • May also include external audit.
  • Measures the true effectiveness of the security governance framework by challenging the performance of the other two lines (i.e. makes them account for their risk management methods).
  • Reports directly to board of directors to avoid conflicts of interest.

2.3 Support your first line of defense with a Security Governance Center of Excellence

A Center of Excellence (COE) is a department-like entity embedded within an organization to provide specific knowledge about a process or topic an organization is trying to develop in the interest of efficiency and organizational development. Unlike a department though, a COE is usually less centralized and might incorporate people from several different departments or silos.

  • Using a COE allows first-line defenders to consult experts whenever they are not sure how to make risk-related decisions.
  • The COE helps to support security controls by ensuring managers are observing those controls.
  • This reduces the need for second- and third-line defenders to police the first.

Maximize efficiency with a Security Governance Center of Excellence

2.4 Create a governance charter, policies, and organizational structure

A governance framework won’t support itself; you’ll need documents that define roles, responsibilities, procedures, expectations, and the overarching reporting structure your security program follows.

Once you’ve decided on your approach to developing a security governance framework, you’ll need documents to support it to make sure its various aspects can be efficiently communicated to the people who need to follow them (i.e. everyone).

  • Remember: an organization’s policies should be customized to meet their unique needs. But this doesn’t mean you can’t start from a templated example.
  • Review Info-Tech’s material for creating practical and effective information security policies by following the provided link.

Develop and Deploy Security Policies

Use this blueprint to develop policies specific to your organization to help support your governance framework.

Customize Info-Tech’s Information Security Charter Template

2.4 Information Security Charter Template

A charter is an essential document for defining the scope and purpose of a security project or program and is the foundation of any governance initiative.

Use this template to document your organization’s:

  • Security vision, mission, and scope
  • Strategic security and policy objectives
  • Roles and responsibilities for developing the security program
  • Risk tolerance statement
  • Corporate and management commitment
  • Evaluation and renewal requirements

Screenshots of the Information Security Charter Template

Info-Tech Best Practice

Remember, a governance framework is a living organism (i.e. it will evolve over time). Make sure you review your information security charter every 12 months or so to confirm that it is still relevant and meeting your organization’s needs.

Customize Info-Tech’s Organizational Structure Template to define your organization’s chain of command

2.4 Security Governance Organizational Structure Template

Creating an effective governance framework involves understanding your organization’s reporting structure and how the various departments connect and interact with each other.

Because governance must be implemented top-down, it’s important to have a document outlining who answers to whom. Creating this document can also help you identify any conflicts of interest or other issues in your organization’s current structure.

Screenshots of the Security Governance Organizational Structure Template.

This template also includes a RACI chart to help you assign roles and responsibilities for your overall governance initiative.

Info-Tech Best Practice

Ideally, security should be a department independent from IT to prevent a situation in which IT has authority over the security controls they are supposed to adhere to. In smaller organizations this isn’t always possible, but being aware of this potential conflict can go a long way towards improving organizational structure.


Phase 3

Manage Your Governance Framework

Step 3: Manage Your Governance Framework

This step will walk you through the following activities:

  • Metrics tracking to streamline the initiative.
  • Internally auditing your security controls.
  • Reassessing your governance framework.

This step involves the following participants:

  • Cybersecurity
  • Risk specialists
  • Audit committee

Outcomes of this step

  • Established governance metrics.
  • Identified gap between current and target security program.
  • Gained insight into the effectiveness of your security controls.

Phase 3 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 3: Manage Your Governance Framework

Proposed Time to Completion: 8-12 weeks

Step 3.1: Metrics, Audits, and Why They Matter

Start with an analyst kick-off call:

  • Discuss the value of metrics and insights they provide.
  • Understand who should conduct your internal audits.
  • Appreciate the need to reassess.

Then complete these activities…

  • Track your governance-related metrics.
  • Complete gap analysis.

With these tools & templates:

Security Metrics Assessment Tool

Step 3.3: Governance Development Checkpoint III

Review findings with analyst:

  • Address challenges with metrics and audit.
  • Discuss next steps for the maintenance and improvement of the governance initiative.

Then complete these activities…

  • Fine-tune metrics tracking.
  • Adjust security controls.

Phase 3 Results & Insights:

  • Metrics program.
  • How to improve governance framework for maximum effectiveness and business alignment.

3.1 Track governance-related metrics to streamline your initiative

All organizations change over time, and controls that were appropriate at one time may not be at another. Therefore, it is a good idea to track governance-related metrics to see whether or not your security controls need to be adjusted to meet security or business needs better.

As noted in Phase 1, business-security alignment is an essential part of getting a governance framework up and running.

  • Don't forget that re-alignment should occur at regular intervals as part of maintaining good governance.
  • Re-alignment is especially important during:
    • Major staffing changes on either the business or security end.
    • Business strategy overhaul (e.g. competing for a greater market share).
    • Identification of emerging industry-related threat(s).

Info-Tech Insight

A governance framework outlines an organization's laws of the land, but situations will arise in which these laws will be broken (out of necessity or otherwise). It is important to have the management function make sure the security program is doing what was intended; tracking metrics is an essential part of this effort.

Use Info-Tech’s Security Metrics Assessment Tool to help define your security objectives

3.1 Security Metrics Assessment Tool

  1. Use this tool to assess the gap between your current and target state across a variety of security metrics categories.
  2. Assess the results of the gap analysis and then move on to the metrics worksheet on tab 4, which will help you get your metrics program up and running.
  3. Remember to complete the prioritization exercise on tab 5 so that you set realistic goals for your security program.

A screenshot of the Security Metrics Assessment tool is shown, specifically the gap analysis visual view.

A screenshot of the Security Metrics Assessment tool is shown, specifically the security metrics roadmap.

Info-Tech Best Practice

Info-Tech encourages the use of SMART metrics (Specific, Measurable, Assignable, Realistic, Time-bound). The included metrics meet these criteria; ensure that you follow suit when customizing this tool for your program.

3.2 Internally audit your security program

Internal audit provides your organization’s third line of defense – make sure you use it to give your security program regular check-ups.

  • Trust is important for any organization, but when it comes to security, you’ll also need to ensure that the program is being followed.
  • Perform regular audits to ensure that the governance framework is being observed, is properly understood, and is in overall good health.
  • Audits are a key element of security program management.

Info-Tech Best Practice

It is essential that audits are not performed by the same people being audited. These audits will only be useful if they are conducted objectively. Therefore, they should be the duty of the risk management team (or a similar body that is at arm’s length from the security controls or processes being audited).

3.3 Reassess your governance framework

Follow your metrics. The numbers won't lie – as long as you’re honestly tracking metrics and performing regular audits.

Now that your governance initiative is up and running, it will need to be maintained (and, ideally, improved).

  • Using what you learn from your internal audits and metrics tracking, reassess your governance framework every 12 months to see if there are any recurring problems that tweaking the framework may help to correct.

Reassessing your framework’s success may reveal the need for additional end-user training and awareness. Use Info-Tech’s Humanize the Security Awareness and Training Program blueprint to help you meet these needs.

Info-Tech Best Practice

Review your metrics to ensure that your security controls are neither too tight nor too loose, and verify whether they need to be updated to address changes in business operations not accounted for the last time the governance framework was updated.


Establish baseline metrics

Baseline metrics will improve through:

  1. Decreased security incidents: via regular maintenance and management of the governance framework to ensure suitability of security controls.
  2. Increased insight into policy exceptions and non-compliance: either of these cases implies some part of your governance framework needs to be adjusted.
  3. Regular internal audits: help to identify potential issues before they become entrenched behaviors that cause additional security problems.

Below are some examples taken from the Security Metrics Assessment Tool included in the blueprint:

Metric Description                                          | Current Metric | Future Goal
------------------------------------------------------------|----------------|------------
Number of information security incidents (by severity)      | 60             | 24
Number of policy exceptions during a given period           | 36             | <12
On-time/satisfactory audit completion rate                  | 1              | 4
Annual cost of information security controls                | $70,000        | $50,000
Other metric                                                |                |
Other metric                                                |                |

Insight breakdown

Business and security goals should be the same.

  • Businesses cannot operate without security, and security’s goal is to enable safe business operations.
  • Therefore, security and business share the same goal: the overall success of the business (otherwise neither will have jobs).
  • These departments rely on each other, so business and security need to align their goals and objectives for mutual success.

Security governance supports security strategy and management.

  • These three elements create a protective arch around business operations, and governance is the keystone.
  • Governance may seem like a small aspect, but it holds the whole program together.
  • It provides a framework that works in the background of the more active elements: management and strategy.

Governance defines the laws, but they need to be policed.

  • Governance sets standards for what actions are permitted, but only management can verify that these standards are being observed.
  • The governance framework will need to be managed, but don’t confuse governance and management activities.
  • Be sure to track metrics, internally audit security controls, and reassess your framework every 12 months to keep your governance initiative in good health.

Summary of accomplishment

Knowledge Gained

  • Importance of business-security alignment via risk tolerance.
  • Understanding that business and security share the same goals.
  • Why governance needs to be separated from management.
  • Implementation of three lines of defense and value of doing so.
  • Advantages of a Security Governance Center of Excellence.
  • Developing information security charter, policies, and organizational structure.
  • Importance of tracking metrics and internal audit to manage governance initiative.

Processes Optimized

  • Definitions of security governance, strategy, and management
  • Executive support for security governance
  • Business-security alignment
  • Assembling steering committee
  • Risk assessment and setting risk tolerance
  • Development, maintenance, and management of governance framework
  • Meeting compliance obligations
  • Formalization of documents
  • Metrics tracking
  • Internal audit

Deliverables Completed

  • Information Security Governance Business Case
  • Information Security Steering Committee Charter
  • Security Risk Register
  • Information Security Compliance Template
  • Information Security Charter
  • Security Governance Organizational Structure Template
  • Security Metrics Assessment Tool

Research contributors and experts


Scott Trickett, Director of IS Infrastructure\Operations

Chesapeake Employers’ Insurance


Dave Millier, CEO

Uzado Inc.

Two anonymous contributors

Related Info-Tech research

Humanize the Security Awareness and Training Program

If it’s not human-centric, you’re not training your humans.

Build an Information Security Strategy

Tailor best practices to effectively manage information security.


About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

Member Rating

9.5/10
Overall Impact

$91,699
Average $ Saved

35
Average Days Saved


What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 3-phase advisory process. You'll receive 6 touchpoints with our researchers, all included in your membership.

Guided Implementation #1 - Align business goals with security objectives
  • Call #1 - Understand what security governance means for you.
  • Call #2 - Governance Development Checkpoint I

Guided Implementation #2 - Develop an effective governance framework
  • Call #1 - Develop an effective framework.
  • Call #2 - Governance Development Checkpoint II

Guided Implementation #3 - Manage your governance framework
  • Call #1 - Metrics, audits, and why they matter.
  • Call #2 - Governance Development Checkpoint III

Author

Logan Rohde

Contributors

  • Scott Trickett, Director of IS Infrastructure\Operations, Chesapeake Employers’ Insurance
  • Dave Millier, CEO, Uzado Inc.
  • Three anonymous contributors