Improve Security Governance With a Security Steering Committee
Build an inclusive committee to enable holistic strategic decision making.
- Security is still seen as an IT problem rather than a business risk, resulting in security governance being relegated to the existing IT steering committee.
- Security is also often positioned in the organization where they are not privy to the details of the organization’s overall strategy. Security leaders struggle to get the full enterprise picture.
Our Advice
Critical Insight
- Work to separate the Information Security Steering Committee (ISSC) from the IT Steering Committee (ITSC). Security transcends the boundaries of IT and needs an independent, eclectic approach to make strategic decisions.
- Be the lawyer, not the cop. Ground your communications in business terminology to facilitate a solution that makes sense to the entire organization.
- Develop and stick to the agenda. Continued engagement from business stakeholders requires sticking to a strategic level-focused agenda. Dilution of purpose will lead to dilution in attendance.
Impact and Result
- Define a clear scope of purpose and responsibilities for the ISSC to gain buy-in and consensus for security governance receiving independent agenda time from the broader IT organization.
- Model the information flows necessary to provide the steering committee with the intelligence to make strategic decisions for the enterprise.
- Determine membership and responsibilities that shift with the evolving security landscape to ensure participation reflects interested parties and that money being spent on security mitigates risk across the enterprise.
- Create clear presentation material and strategically oriented meeting agendas to drive continued participation from business stakeholders and executive management.
Improve Security Governance With a Security Steering Committee
Start here – read the Executive Brief
Read our concise Executive Brief to find out how to improve your security governance with a security steering committee, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.
1. Define committee purpose and responsibilities
Identify the purpose of your committee, determine the capabilities of the committee, and define roles and responsibilities.
2. Determine information flows, membership & accountabilities
Determine how information will flow and the process behind that.
3. Operate the Information Security Steering Committee
Define your meeting agendas and the procedures to support those meetings. Hold your kick-off meeting. Identify metrics to measure the committee’s success.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
9.0/10
Overall Impact
Client
Experience
Impact
$ Saved
Days Saved
Alabama Department of Corrections
Guided Implementation
9/10
N/A
N/A
Clark County, WA
Guided Implementation
8/10
$12,733
10
Pact Group PTY Ltd
Guided Implementation
10/10
N/A
18
Toronto District School Board
Guided Implementation
7/10
N/A
N/A
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Try Our Guided Implementations
Get the help you need in this 3-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.
Guided Implementation #1 - Define committee purpose and responsibilities
- Call #1 - Identify the responsibilities and duties of the ISSC.
- Call #2 - Draft the committee purpose of the ISSC.
Guided Implementation #2 - Determine information flows, membership & accountabilities
- Call #1 - Determine SIPOC modeling of information flows.
- Call #2 - Determine accountabilities and responsibilities.
Guided Implementation #3 - Operate the Information Security Steering Committee
- Call #1 - Set operational standards.
- Call #2 - Determine effectiveness metrics.
- Call #3 - Understand steering committee best practices.
