Improve Security Governance With a Security Steering Committee

Build an inclusive committee to enable holistic strategic decision making.

ANALYST PERSPECTIVE

Our understanding of the problem

This Research Is Designed For:

• CIOs
• CISOs
• IT/Security Leaders

This Research Will Help You:

• Develop an effective information security steering committee (ISSC) that ensures the right people are involved in critical decision making.
• Ensure that business and IT strategic direction are incorporated into security decisions.

This Research Will Also Assist:

• Information Security Steering Committee (ISSC) members

This Research Will Help Them:

• Formalize roles and responsibilities.
• Define effective security metrics.
• Develop a communication plan to engage executive management in the organization’s security planning.

Executive summary

Situation

• Successful information security governance requires a venue to address security concerns with participation from across the entire business.
• Without access to requisite details of the organization – where we are going, what we are trying to do, how the business expects to use its technology – security can not govern its strategic direction.

Complication

• Security is still seen as an IT problem rather than a business risk, resulting in security governance being relegated to the existing IT steering committee.
• Security is also often positioned in the organization where they are not privy to the details of the organization’s overall strategy. Security leaders struggle to get the full enterprise picture.

Resolution

• Define a clear scope of purpose and responsibilities for the Information Security Steering Committee to gain buy-in and consensus for security governance receiving independent agenda time from the broader IT organization.
• Model the information flows necessary to provide the steering committee with the intelligence to make strategic decisions for the enterprise.
• Determine membership and responsibilities that shift with the evolving security landscape to ensure participation reflects interested parties and that money being spent on security mitigates risk across the enterprise.
• Create security metrics that are aligned with committee members’ operational goals to incentivize participation.
• Create clear presentation material and strategically oriented meeting agendas to drive continued participation from business stakeholders and executive management.

Info-Tech Insight

1. Work to separate the ISSC from the IT Steering Committee (ITSC). Security transcends the boundaries of IT and needs an independent, eclectic approach to make strategic decisions.
2. Be the lawyer, not the cop. Ground your communications in business terminology to facilitate a solution that make sense to the entire organization.
3. Develop and stick to the agenda. Continued engagement from business stakeholders requires sticking to a strategic level-focused agenda. Dilution of purpose will lead to dilution in attendance.

Empower your security team to act strategically with an ISSC

Establishing an Information Security Steering Committee (ISSC)

Even though security is a vital consideration of any IT governance program, information security has increasingly become an important component of the business, moving beyond the boundaries of just the IT department.

This requires security to have its own form of steering, beyond the existing IT Steering Committee, that ensures continual alignment of the organization’s security strategy with both IT and business strategy.

An ISSC should have three primary objectives:

• Direct Strategic Planning The ISSC formalizes organizational commitments to strategic planning, bringing visibility to key issues and facilitating the integration of security controls that align with IT and business strategy.
• Institute Clear Accountability The ISSC facilitates the involvement and commitment of executive management through clearly defined roles and accountabilities for security decisions, ensuring consistency in participation as the organization’s strategies evolve.
• Optimize Security Resourcing The ISSC maximizes security by monitoring the implementation of the security strategic plan, making recommendations on prioritization of effort, and securing necessary resources through the planning and budgeting processes, as necessary.

What does the typical ISSC do?

Ensuring proper governance over your security program is a complex task that requires ongoing care and feeding from executive management to succeed.

Your ISSC should aim to provide the following core governance functions for your security program:

1. Define Clarity of Intent and Direction How does the organization’s security strategy support the attainment of the business and IT strategies? The ISSC should clearly define and communicate strategic linkage and provide direction for aligning security initiatives with desired outcomes.
2. Establish Clear Lines of Authority Security programs contain many important elements that need to be coordinated. There needs to be clear and unambiguous authority, accountability, and responsibility defined for each element so lines of reporting/escalation are clear and conflicting objectives can be mediated.
3. Provide Unbiased Oversight The ISSC should vet the organization’s systematic monitoring processes to make certain there is adherence to defined risk tolerance levels and ensure that monitoring is appropriately independent from the personnel responsible for implementing and managing the security program.
4. Optimize Security Value Delivery Optimized value delivery occurs when strategic objectives for security are achieved and the organization’s acceptable risk posture is attained at the lowest possible cost. This requires constant attention to ensure controls are commensurate with any changes in risk level or appetite.

Formalize the most important governance functions for your organization

Creation of an ISSC is deemed the most important governance and oversight practice that a CISO can implement, based on polling of IT security leaders analyzing the evolving role of the CISO.

Relatedly, other key governance practices reported – status updates, upstream communications, and executive-level sponsorship – are within the scope of what organizations traditionally formalize when establishing their ISSC.

Despite the clear benefits of an ISSC, organizations are still falling short

83% of organizations have not established formal steering committees to evaluate the business impact and risks associated with security decisions. (Source: 2017 State of Cybersecurity Metrics Report)

70% of organizations have delegated cybersecurity oversight to other existing committees, providing security limited agenda time. (Source: PwC 2017 Annual Corporate Director Survey)

"This is a group of risk managers an institution would bring together to deal with a response anyway. Having them in place to do preventive discussions and formulate policy to mitigate the liability sets and understand compliance obligations is just powerful." (Kirk Bailey, CISO, University of Washington)

Prevent the missteps that make 9 out of 10 steering committees unsuccessful

Why Do Steering Committees Fail?

1. A lack of appetite for a steering committee from business partners. An effective ISSC requires participation from core members of the organization’s leadership team. The challenge is that most business partners don’t understand the benefits of an ISSC and the responsibilities aren’t tailored to participants’ needs or interests. It’s the CISO’s (or senior IT/security leader’s) responsibility to make this case to stakeholders and right-size the committee responsibilities and membership.
2. ISSC committees are given inappropriate responsibilities. The steering committee is fundamentally about decision making; it’s not a working committee. Security leadership typically struggles with clarifying these responsibilities on two fronts: either the responsibilities are too vague and there is no clear way to execute on them within a meeting or responsibilities are too tactical and require knowledge that participants do not have. Responsibilities should determine who is on the ISSC, not the other way around.
3. Lack of process around execution. An ISSC is only valuable if members are able to successfully execute on its mandate. Without well-defined processes it becomes nearly impossible for the ISSC to be actionable. As a result, participants lack the information they need to make critical decisions, agendas are unmet, and meetings are seen as a waste of time.

Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Improve Security Governance With a Security Steering Committee – project overview

	1. Define Committee Purpose and Responsibilities	2. Determine Information Flows, Membership & Accountabilities	3. Operate the Information Security Steering Committee
Best-Practice Toolkit	1.1 Tailor Info-Tech’s Information Security Steering Committee Charter Template to define terms of reference for the ISSC 1.2 Conduct a SWOT analysis of your information security governance capabilities 1.3 Identify the responsibilities and duties of the ISSC 1.4 Draft the committee purpose statement of your ISSC	2.1 Define your SIPOC model for each of the ISSC responsibilities 2.2 Identify committee participants and responsibility cadence 2.3 Define ISSC participant RACI for each of the responsibilities	3.1 Define the ISSC meeting agendas and procedures 3.2 Define which metrics you will report to the ISSC 3.3 Hold a kick-off meeting with your ISSC members to explain the process, responsibilities, and goals 3.4 Tailor the Information Security Steering Committee Stakeholder Presentation template 3.5 Present the information to the security leadership team 3.6 Schedule your first meeting of the ISSC
Guided Implementations	Identify the responsibilities and duties of the ISSC. Draft the committee purpose of the ISSC.	Determine SIPOC modeling of information flows. Determine accountabilities and responsibilities.	Set operational standards. Determine effectiveness metrics. Steering committee best practices.
Onsite Workshop	This blueprint can be combined with other content for onsite engagements, but is not a standalone workshop.
	Phase 1 Outcome: Determine the purpose and responsibilities of your information security steering committee.	Phase 2 Outcome: Determine membership, accountabilities, and information flows to enable operational excellence.	Phase 3 Outcome: Define agendas and standard procedures to operate your committee. Design an impactful stakeholder presentation.

Improve Security Governance With a Security Steering Committee

PHASE 1

Define Committee Purpose and Responsibilities

Phase 1: Define Committee Purpose and Responsibilities

ACTIVITIES:

• 1.1 Tailor Info-Tech’s Information Security Steering Committee Charter Template to define terms of reference for the ISSC
• 1.2 Conduct a SWOT analysis of your information security governance capabilities
• 1.3 Identify the responsibilities and duties of the ISSC
• 1.4 Draft the committee purpose statement for your ISSC

OUTCOMES:

• Conduct an analysis of your current information security governance capabilities and identify opportunities and weaknesses.
• Define a clear scope of purpose and responsibilities for your ISSC.
• Begin to customize your ISSC charter.

Info-Tech Insight

Balance vision with direction. Purpose and responsibilities should be defined so that they encompass your mission and objectives to the enterprise in clear terms, but provide enough detail that you can translate the charter into operational plans for the security team.

Tailor Info-Tech’s Information Security Steering Committee Charter Template to define terms of reference for the ISSC

A charter is the organizational mandate that outlines the purpose, scope, and authority of the ISSC. Without a charter, the steering committee’s value, scope, and success criteria are unclear to participants, resulting in unrealistic stakeholder expectations and poor organizational acceptance.

Start by reviewing Info-Tech’s template. Throughout the next two sections we will help you to tailor its contents.

• Committee Purpose: The rationale, benefits of, and overall function of the committee.
• Organization and Membership: Who is on the committee and how is participation measured against organizational need.
• Responsibilities and Duties: What tasks/decisions the accountable committee is making.
• RACI: Who is accountable, responsible, consulted, and informed regarding each responsibility.
• Committee Procedures and Agendas: Includes how the committee will be organized and how the committee will interact and communicate with interested parties.

Download the Information Security Steering Committee Charter to customize your organization’s charter

Conduct a SWOT analysis of your information security governance capabilities

INPUT: Survey outcomes, Governance overview handouts

OUTPUT: SWOT analysis, Top identified challenges and opportunities

1. Hold a meeting with your IT leadership team to conduct a SWOT analysis on your current information security governance capabilities.
2. In small groups, or individually, have each group complete a SWOT analysis for one of the governance areas. For each consider:
   • Strengths: What is currently working well in this area?
   • Weaknesses: What could you improve? What are some of the challenges you’re experiencing?
   • Opportunities: What are some organizational trends that you can leverage? Consider whether your strengths or weaknesses could create opportunities.
   • Threats: What are some key obstacles across people, process, and technology?
3. Have each team or individual rotate until each person has contributed to each SWOT. Add comments from the stakeholder survey to the SWOT.
4. As a group, rank the inputs from each group and highlight the top five challenges and the top five opportunities you see for improvement.

Identify the responsibilities and duties of the ISSC

INPUT: SWOT analysis, Survey reports

OUTPUT: Defined ISSC responsibilities

1. With your security leadership team, review the typical responsibilities of the ISSC on the following slides (also included in the templated text of the charter linked below).
2. Print off the following two slides, and in small teams or individually, identify which responsibilities the ISSC should have in your organization, brainstorm any additional responsibilities, and document reasoning.
3. Have each team present to the larger group, track the similarities and differences between each of the groups, and come to consensus on the list of categories and responsibilities.
4. Complete a sanity check: review your SWOT analysis. Do the responsibilities you’ve identified resolve the critical challenges or weaknesses?
5. As a group, consider the responsibilities and whether you can reasonably implement those in one year or if there are any that will need to wait until year two of the committee.

Add or modify responsibilities in Info-Tech’s Information Security Steering Committee Charter.

Typical ISSC responsibilities and duties

Use the following list of responsibilities to customize the list of responsibilities your ISSC may take on. These should link directly to the Responsibilities and Duties section of your ISSC charter.

Strategic Oversight

• Provide oversight and ensure alignment between information security strategy and company objectives.
• Assess the adequacy of resources and funding to sustain and advance successful security programs and practices for identifying, assessing, and mitigating cybersecurity risks across all business functions.
• Review controls to prevent, detect, and respond to cyber-attacks or information or data breaches involving company electronic information, intellectual property, data, or connected devices.
• Review the company’s cyberinsurance policies to ensure appropriate coverage.
• Provide recommendations, based on security best practices, for significant technology investments.

Policy Governance

• Review company policies pertaining to information security and cyberthreats, taking into account the potential for external threats, internal threats, and threats arising from transactions with trusted third parties and vendors.
• Review privacy and information security policies and standards and the ramifications of updates to policies and standards.
• Establish standards and procedures for escalating significant security incidents to the ISSC, board, other steering committees, government agencies, and law enforcement, as appropriate.

Typical ISSC responsibilities and duties (continued)

Use the following list of responsibilities to customize the list of responsibilities your ISSC may take on. These should link directly to the Responsibilities and Duties section of your ISSC charter.

Risk Governance

• Review and approve the company’s information risk governance structure and key risk management processes and capabilities.
• Assess the company’s high-risk information assets and coordinate planning to address information privacy and security needs.
• Provide input to executive management regarding the enterprise’s information risk appetite and tolerance.
• Review the company’s cyber-response preparedness, incident response plans, and disaster recovery capabilities as applicable to the organization’s information security strategy.
• Promote an open discussion regarding information risk and integrate information risk management into the enterprise’s objectives.

Monitoring & Reporting

• Receive periodic reports and coordinate with management on the metrics used to measure, monitor, and manage cyber and IT risks posed to the company and to review periodic reports on selected risk topics as the Committee deems appropriate.
• Review reports provided by the IT organization regarding the status of and plans for the security of the company’s data stored on internal resources and with third-party providers.
• Monitor and evaluate the quality and effectiveness of the company’s technology security, capabilities for disaster recovery, data protection, cyberthreat detection and cyber incident response, and management of technology-related compliance risks.

Review the organization’s security strategy to solidify understanding of the ISSC’s purpose

The ISSC should consistently evolve to reflect the strategic purpose of the security program. If you completed Info-Tech’s Security Strategy methodology, review the results to inform the scope of your committee. If you have not completed Info-Tech’s methodology, determining these details should be achieved through iterative stakeholder consultations.

Draft the committee purpose statement of your ISSC

INPUT: SWOT Analysis, Security Strategy

OUTPUT: ISSC Committee Purpose

1. In a meeting with your IT leadership team – and considering the organization’s security strategy, defined responsibilities, and opportunities and threats identified – review the example goal statement in the Information Security Steering Committee Charter, and identify whether any of these statements apply to your organization. Select the statements that apply and collaboratively make any changes needed.
2. Define unique goal statements by considering the following questions:
   • What three things would you realistically list for the ISSC to achieve?
   • If you were to accomplish three things in the next year, what would those be?
3. With those goal statements in mind, consider the overall purpose of the committee. The purpose statement should be a reflection of what the committee does, why, and the goals.
4. Have each individual review the example purpose statement and draft what they think a good purpose statement would be.
5. Present each statement, and work together to determine a best-of-breed statement.

Alter the Committee Purpose section in the Information Security Steering Committee Charter.

Improve Security Governance With a Security Steering Committee

PHASE 2

Determine Information Flows, Membership & Accountabilities

Phase 2: Determine Information Flows, Membership & Accountabilities

ACTIVITIES:

• 2.1 Define your SIPOC model for each of the ISSC responsibilities
• 2.2 Identify committee participants and responsibility cadence
• 2.3 Define ISSC participant RACI for each of the responsibilities

OUTCOMES:

• Define information flows to ensure that the steering committee has requisite information to provide to decision makers or make strategic decisions with.
• Determine steering committee membership and responsibility cadence.
• Determine accountabilities for each of the ISSC’s responsibilities.

Info-Tech Insight

Without a documented process your committee can’t execute on its responsibilities. Clearly define the flow of information to make your committee actionable and gain the trust of your committee members.

Build your high-level ISSC processes to enable committee functionality

A successful steering committee requires clarity over areas of responsibility. Stratifying processes based on domains clarifies the definition of roles and accountabilities and helps partition security activities based on organizational areas so that action can be taken to satisfy governance requirements. Understanding your information flows is important.

• One of the most common mistakes organizations make is that they build their committee charters and launch into their first meeting.
  • Without defined inputs and outputs, a committee does not have the needed information to effectively execute on responsibilities and is unable to meet its stated goals.
• Building high-level processes will define how that information flows within and between committees and will enable more rapid decision making. Participants will have the information they need to be confident in their decisions.

The degree of independence of your ISSC from your ITSC depends on organizational maturity

Security folks are typically positioned in an organization where they are not privy to the necessary details of organizational strategy to be successful. It is their job to figure out by what means they can best leverage political capital inside the organization to get the requisite information.

Depending on the maturity of the security function (and the reporting relationships of the CISO relative to the CIO), this may be achieved by different means.

IN ORGANIZATIONS WITH SECURITY AS A FACET OF INFRASTRUCTURE…

• In most organizations, the security function grows organically out of the infrastructure group, capitalizing on overlaps in skillset.
• In these cases, the security organization should start with the ISSC as a subcommittee of the existing IT steering committee (ITSC), capitalizing on agenda time with the necessary stakeholders to build its credibility and grow the maturity of the security function.
• Because the ITSC will already have face time with the people needed to get the full picture, it should be leveraged to your advantage.

IN ORGANIZATIONS WITH AN INDEPENDENT SECURITY FUNCTION…

• As security becomes its own facet of the organization, particularly with its own compliance and regulation functions, the security organization is positioned to independently deal with issues that have broad business implications.
• In these cases, the security organization should look to establish an ISSC separate from the existing ITSC structure and include IT leadership as part of its membership.
• Shared membership at this stage of maturity will dilute the platform and risk bargaining and negotiating to meet diverging interests rather than equal representation.

Define the high-level process for each of the ISSC responsibilities

Info-Tech recommends using Supplier, Input, Process, Output, Customer (SIPOC) as a way to define how the ISSC will operate.

• Supplier: Who provides the inputs to the governance responsibility.
• Input: The documented information, data, or policy required to effectively respond to the responsibility.
• Process: In this case, this represents the ISSC responsibility defined in terms of the activity the ISSC is performing.
• Output: The outcome of the meeting: can be approval, rejection, recommendation, request for additional information, endorsement, etc.
• Customer: Receiver of the outputs from the committee responsibility.

SIPOC process flows are especially effective when determining process scope and boundaries and to gain consensus on a process. Use this process to inform how information flows in your organization.

By doing so you’ll ensure that:

1. The information and documentation required to complete each responsibility is identified.
2. The results of committee meetings are distributed to those customers who need the information.
3. Inputs and outputs are identified and there is defined accountability for providing relevant information throughout the process

Info-Tech Insight

The ISSC is not a working committee. Enable effective decision making by ensuring participants have the necessary information and appropriate recommendations from key stakeholders prior to convening meetings so decisions can be made in the room.

Define your SIPOC model for each of the ISSC responsibilities

INPUT: List of responsibilities in security charter

OUTPUT: SIPOC process flow for all responsibilities

1. In a meeting with your IT leadership, draw the SIPOC model on a whiteboard or flip chart paper. Either review the examples on the following slides or start from scratch.
2. If you are adjusting the following slides, consider the templates you already have that would be appropriate inputs and make adjustments as needed.

For atypical responsibilities:

1. Start with the governance responsibility and identify what specifically it is that the steering committee is doing with regards to that responsibility. Write that in the center of the model.
2. As a group, consider what information or documentation would be required by the participants to effectively execute on the responsibility.
3. Identify which individual will supply each piece of documentation. This person will be accountable for this moving forward.
4. Outputs: Once the committee has met about the responsibility, what information or documentation will be produced? List all of those documents.
5. Identify the individuals who need to receive the outputs of the information.
6. Repeat this for all of the responsibilities.

Document under Procedures and Agendas in the Information Security Steering Committee Charter.

Determine committee membership based on the defined ISSC responsibilities

For your steering committee to be effective in its role, it must be representative and inclusive of the organization’s diverse interests. It must involve key leadership from across the organization. Security considerations may be an essential part of IT, but governing its effectiveness must extend beyond the IT realm.

• It is also important not to overextend committee membership. It is common that more people get involved than is required and all the committee ends up accomplishing is a lot of theorizing and being paralyzed by serving the lowest common denominator.
• Participants should be selected based on the identified responsibilities of the security steering committee, and the number of people should be appropriate to the size and complexity of the organization.

LIKELY PERMANENT PARTICIPANTS:

• Chief Information Officer
• Chief Security Officer
• Chief Risk Officer
• Director of Internal Audits
• Senior Executive Business Managers
• Human Resources Lead
• Legal Lead

SUPPLEMENTAL CONSIDERATIONS:

• C-Suite Executives: For issues that require capital planning or any strategic forecasting that touches product lines.
• COO: Particularly for issues related to OT or areas of IT/OT convergence.
• Privacy Lead: For any strategic decisions that require privacy impact assessment.

Info-Tech Insight

Membership must remain fluid to reflect the organization’s shifting responsibilities. The security landscape is ever evolving. Leaders will become disengaged in the process and feel like it doesn’t applies to them or accomplishes the desired goals. Once participants begin dissenting, it’s significantly more difficult to get results.

Identify committee participants and responsibility cadence

INPUT: List of responsibilities

OUTPUT: ITSC participants list, Meeting schedule

1. In a meeting with your IT leadership team, review the list of committee responsibilities and document them on a whiteboard.
2. For each responsibility, identify the individuals whom you would want to be either responsible or accountable for that decision. Reflect on SIPOC process flows to see who key stakeholders are in the process of fulfilling each responsibility.
3. Repeat this until you’ve completed the exercise for each responsibility.
4. Group the responsibilities with the same participants and highlight groupings with less than four participants. Consider the responsibility and determine whether you need to change the wording to make it more applicable or if you should remove the responsibility.
5. Review the grouping, the responsibilities within them, and their participants, and assess how frequently you would like to meet about them – annually, quarterly, or monthly.
6. Subdivide the responsibilities for the groupings to determine your annual, quarterly, and monthly meeting schedule.
7. Validate that one steering committee is all that is needed, or divide the responsibilities into necessary sub-committees.

Document participants and cadence in the Information Security Steering Committee Charter.

Committees can only be effective if they have clear and documented authority

It is not enough to participate in committee meetings; there needs to be a clear understanding of who is involved, and to what degree, in matters brought to the attention of the committee.

Each committee responsibility should have one person who is accountable and at least one person who is responsible. This is the best way to ensure that committee work gets done.

An authority matrix is often used within organizations to indicate roles and responsibilities in relation to processes and activities. Using the RACI model as an example, there is only one person accountable for an activity, although several people may be responsible for executing parts of the activity. In this model, accountable means end-to-end accountability for the process.

RESPONSIBLE: The one responsible for getting the job done.

ACCOUNTABLE: Only one person can be accountable for each task.

CONSULTED: Involvement through input of knowledge and information.

INFORMED: Receiving information about process execution and quality.

Define ISSC participant RACI for each of the responsibilities

INPUT: Responsibilities, Participants

OUTPUT: RACI chart documented in the ISSC Charter

1. Use the table provided in the Information Security Steering Committee Charter and edit the list of responsibilities to reflect the chosen responsibilities of your ISSC.
2. Along the top of the chart list the participant names, and in the right-most column of the table document the agreed upon timing from the previous exercise.
3. For each of the responsibilities, identify whether participants are Responsible, Accountable, Consulted, or Informed by denoting an R, A, C, I, or N/A in the table. Use N/A if this is a responsibility that the participant has no involvement in.
4. Review your finalized RACI chart. If there are participants who are only consulted or informed about the majority of responsibilities, consider removing them from the ISSC. You only want the decision makers on the committee.

Alter the Committee RACI chart in the Information Security Steering Committee Charter.

A higher education organization institutionalized its security governance structure with a steering committee

CASE STUDY

Industry: Higher Education

Source: Institutionalization of Information Security Governance Structures in Academic Institutions: A Case Study (Florida State University)

Problem

• A higher education institution looked to build a security group that could effectively maintain the balance between access to and restriction of information to meet the needs of its academic community.
• Past efforts had been hindered by a lack of representative governance, limiting the decisions that could be made and the policies that could be formed.
• “The major reason that we decided that governance was important was that nothing was being done in some areas across the whole campus.”

Solution

• The organization decided to develop a governance structure (steering committee) with clear authorities and accountabilities seen as vital to future success.
• Took a team approach, realizing that the committee must not only build consensus, but also determine strategic direction for the institution as well.
• The security steering committee was composed of representatives from across the administrative structure – legal counsel, office of the registrar, office of financial affairs, and other major players who policy could indirectly or directly impact.

Results

• Steering committee was able to vet proposed policies based on established accountabilities and responsibilities, ensuring consensus and strategic alignment before reaching the board for approval.
• Security leadership acted as an orchestrator of strategic initiatives, involving the requisite stakeholders where necessary to achieve strategic outcomes.
• Massive reduction in political/ organizational barriers achieved from active collaboration and building executive trust in the value of what the security organization could accomplish.

Improve Security Governance With a Security Steering Committee

PHASE 3

Operate the Information Security Steering Committee

Phase 3: Operate the Information Security Steering Committee

ACTIVITIES:

• 3.1 Define the ISSC meeting agendas and procedures
• 3.2 Define which metrics you will report to the ISSC
• 3.3 Hold a kick-off meeting with your ISSC members to explain the process, responsibilities, and goals
• 3.4 Tailor the Information Security Steering Committee Stakeholder Presentation template
• 3.5 Present the information to the security leadership team
• 3.6 Schedule your first meeting of the ISSC

OUTCOMES:

• Standardize the ISSC agenda and operational procedures.
• Determine metrics for the ISSC audience.
• Build presentation materials for your first meeting.
• Make the right first impression by practicing running through your materials with the security leadership team.

Info-Tech Insight

Consistent stakeholder engagement is critical to ISSC success. Do not let the committee devolve into a status meeting – be clear about why engagement is critical and how it will help members achieve their respective objectives in a secure way.

Building the agenda may seem trivial, but it is key for running effective meetings

49% of people consider unfocused meetings the biggest workplace time waster. (Source: “Fail to Plan, Plan to Fail.”)

63% of the time meetings do not have prepared agendas. (Source: “Fail to Plan, Plan to Fail.”)

80% reduction of time spent in meetings by following a detailed agenda and starting on time. (Source: “Fail to Plan, Plan to Fail.”)

EFFECTIVE MEETING AGENDAS:

1. Have clearly defined meeting objectives.
2. Effectively time-boxed based on priority items.
3. Are defined at least two weeks prior to the meetings.
4. Are evaluated regularly and are not static.
5. Leave time at the end for new business, thus minimizing interruptions.

BUILDING A CONSENT AGENDA

A consent agenda is a tool to effectively manage time at meetings by combining previously discussed or simple items into a single item. Items added to the consent agenda should be routine, noncontroversial, or provided for information’s sake only. It is expected that participants read this information and, if it is not pulled out, that they are in agreement with the details.

Committee members have the option to pull items out of the consent agenda for discussion if they have questions. Otherwise they are given no time on the agenda.

Define the ISSC meeting agendas and procedures

INPUT: Responsibility cadence

OUTPUT: ITSC annual, quarterly, monthly meeting agendas & procedures

Materials: ITSC Charter

Participants: IT leadership team

1. Review the listed responsibilities, participants, and timing as identified in a previous exercise.
2. Annual meeting: Identify if all of the responsibilities will be included in the annual meeting agenda (likely all governance responsibilities).
3. Quarterly Meeting Agenda: Remove the meeting responsibilities from the annual meeting agenda that are not required and create a list of responsibilities for the quarterly meetings.
4. Monthly Meeting Agenda: Remove all responsibilities from the list that are only annual or quarterly, and compile a list of monthly meeting responsibilities.
5. Review each responsibility, and estimate the amount of time each task will take within the meeting. We recommend giving yourself at least an extra 10-20% more time for each agenda item for your first meeting. It’s better to have more time than to run out.

Alter the agendas under Committee Procedures and Agenda section in the Information Security Steering Committee Charter.

Measure the outcomes that matter to your audience

Metrics gathered prior to convening the ISSC need to be designed to facilitate a risk-based conversation in terms that align with the interests and objectives of the attendees. Metrics should be byproducts of business processes and link the security strategy to overall organizational needs and objectives.

Consider the following:

• Use clear metrics that cannot easily be misinterpreted by the business.
• Align measurements with what users need and expect from their technology.
• Risk reduction needs to be quantified and demonstrable.
• Translate issues from the technical space in to the business space through risk-based language.

Questions to ask

1. What measurements will resonate with the intended reporting audience?
2. Are my metrics objective?
3. Is measurement reflective of a specific business requirement?

Know your audience

How do you communicate in language the business can understand? Measurements provide insight to a specific audience about specific information. Connect with your audience by quantifying risk reduction with information relevant to their business objectives.

• S pecific
• M easurable
• A chievable
• R ealistic
• T ime-bound

Define which metrics you will report to the ISSC

INPUT: List of responsibilities, SIPOCs

OUTPUT: Metrics to report on Steering Committee outcomes

1. Consider your ISSC purpose and responsibilities.
2. For each area, identify which metrics you are currently tracking and determine whether these metrics are valuable to technical-minded roles, to the business, or both. For metrics that are valuable to business stakeholders, determine if you have an identified target metric.

New Metrics:

1. Review your SWOT analysis for measurements that can help track changes around key opportunities or weaknesses.
2. Review the example metrics on the following slide and determine potential alignment with your purpose and responsibilities sections of the charter.
3. Finalize a list of metrics to track that cover the major areas of your charter responsibilities. One to two for each responsibility is ideal.

Leverage Info-Tech’s Security Metrics Summary Document.

Example metrics

Hold a kick-off meeting with your ISSC members to explain the process, responsibilities, and goals

Don’t take on too much in your first ISSC meeting. Many participants may not have participated in an ISSC before, or some may have had poor experiences in the past.

• Use this meeting to explain the role of the ISSC and why you are implementing one, and help participants to understand their role in the process.
• Quickly customize Info-Tech’s Information Security Steering Committee Stakeholder Presentation template to explain the goals and benefits of the ISSC, and use your own data to make the case for expanded organizational responsibility in security governance.
• At the end of the meeting, ask committee members to sign the committee charter to signify their agreement to participate in the ISSC.

Download the Information Security Steering Committee Stakeholder Presentation to organize your kick-off meeting

Consider presentation logistics before meeting with key stakeholders

Optimize timing of your presentation

• Less is more: Long presentations are detrimental to your cause – they lead to your main points being diluted. Keep your presentation short and concise.
• Keep information relevant: Only present information that is important to your audience. This includes the information that they are expecting to see and information that connects to their department.
• Expect delays: Your audience will likely have questions. While it is important to answer each question fully, it will take away from the precious amount of time given to you for your presentation. Expect that you will not get through all of the information you have to present.

Script your presentation

• Use a script to stay on track: Script your presentation before the meeting. A script will help you present your information in a concise and structured manner.
• Develop a second script: Create a script that is about half the length of the first script but still contains the most important points. This will help you prepare for any delays that may arise during the presentation.
• Prepare for questions: Consider questions that may be asked and script clear and concise answers to each.
• Practice, practice, practice: Practice your presentation until you no longer need the script in front of you.

Other considerations

• After the introduction of your presentation, clearly state the objective – don’t keep people guessing and consequently lose focus on your message.
• Have a responsible non-voting party document important information that came up in the form of minutes.
• Rather than create a long presentation deck full of detailed slides that you plan to skip over during the presentation, create a second, compact deck that contains only the slides you plan to present. Send out the longer deck after the presentation.

Top 10 tips for presentation success

Presenting to a leadership team, board of directors, or a governing council can be a stressful and intimidating experience. Often your opportunities to get in front of this group are infrequent and your window to present is small. These ten tips can help make the difference between success and an opportunity missed.

1. Start strong. Starting strong means giving your audience confidence that this will be a good investment of their time. Establish a clear direction for what’s going to be covered and what the desired outcome is.
2. Respect your audience’s time. Odds are, your audience is busy and they have many other things on their minds. Respect your meeting agenda allocations and be prepared to cover your content in the time allotted and leave sufficient time for discussion and questions.
3. Be flexible while presenting. Do not expect that your presentation will follow the path you have laid out. Anticipate jumping around and spending more or less time than you had planned on a given slide.
4. Be ready with supporting data. Don’t make the mistake of not knowing your content intimately. Be prepared to answer questions on any part of it. Senior executives are experts at finding holes in your data – make sure its relevant, interpretable, and reinforces your points.
5. Know your audience. Who are you presenting to? What are their specific expectations and hot buttons? Are there sensitive topics to be avoided? You can’t be too prepared when it comes to understanding your audience.
6. Keep it simple. Don’t assume that your audience wants to learn the details of your content. Most just want to understand the bottom line, the impact on them, and how they can help. More is not better.
7. Focus on solving issues. Your audience members have many of their own problems and issues to worry about. Show how you can help them and make their lives easier and you’ll win them over.
8. Be prepared. Being properly prepared means not only that your update will deliver the value that you expect, but also that you will have confidence and the flexibility you require when you’re taken off track.
9. Don’t sugar-coat it. These are smart, driven people that you are presenting to. It is neither beneficial nor wise to try to fool them. Be open and transparent about problems and issues. Ask for help.
10. No surprises. An executive presentation is not the time or place for a surprise. Issues seen as unexpected or contentious should always be dealt with prior to the meeting with those most impacted.
(Sources: Petty and PowerPoint Ninja)

Tailor the Information Security Steering Committee Stakeholder Presentation template

INPUT: Exercises completed previously

OUTPUT: Ready-to-present presentation for defined stakeholders

Review the Information Security Committee Stakeholder Presentation template. This document should be presented at the first ISSC committee meeting by the assigned Committee Chair.

Customization Options

• Slide 2-3: Review the text on each of the slides and see if any wording should be changed to better suit your organization.
• Slide 4: Review the results from your SWOT and front-end analysis. Document those in the appropriate sections. (Note: be careful that the language is business-facing; challenges and opportunities should be professionally worded.)
• Slide 5-6: Import your responsibilities and duties for review with your membership.
• Slide 7: The goal of this slide is to document and share the names of the participants on the ISSC. Document the names on the right side, based on your Charter.
• Slides 8-10:
  • Review the agenda items as listed in your ISSC Charter. Document the annual, quarterly, and monthly meeting responsibilities on the left side.
  • Meeting Participants: For each slide, list the members who are required for that meeting.
  • Document the key required reading materials as identified in the SIPOC charts under “inputs.”
  • Document the key meeting outcomes as identified in the SIPOC chart under “outputs.”

Present the information to the security leadership team to increase your comfort with the material

INPUT: Information Security Steering Committee Stakeholder Presentation – Meeting 1

Participants: Security leadership team

1. Once you have finished customizing the Information Security Steering Committee Stakeholder Presentation, practice presenting the material by meeting with your security leadership team. This will help develop a comfort level with your talking points, ensure that you get a final review of the content that will be reviewed by your key stakeholders, and anticipate any questions that might arise.
2. The ISSC chair will present the meeting deck, and all parties should discuss what they think went well and opportunities for improvement.

Schedule your first meeting of the ISSC

3.6

By this point, you should have customized the meeting presentation deck and be ready to meet with your ISSC participants.

The meeting should be one hour in duration and completed in person.

Before holding the meeting, identify who you think is going to be most supportive and who will be least. Those who are unsupportive or show negative intent typically feel their needs are not met or do not wish to be there.

Proactively addressing concerns independently, or re-assessing their need for representation in the ISSC altogether, will be required to ensure that the impacts of negative sentiments are minimized and that committee hits the ground running.

• Use this meeting to explain the role of the ISSC and why you are implementing one, and help participants to understand their role in the process.
• Quickly customize Info-Tech’s Information Security Steering Committee Stakeholder Presentation template to explain the goals and benefits of the ISSC, and use your own data to make the case for expanded organizational responsibility in security governance.
• At the end of the meeting, ask committee members to sign the committee charter to signify their agreement to participate in the ISSC.

Customize this calendar invite script to invite business partners to participate in the meeting.

Hello [Name],

As you may have heard, we recently went through an exercise to develop an information security steering committee. I’d like to take some time to discuss the results of this work with you and ways in which we can work together in the future to better enable corporate goals.

The goals of the meeting are:

1. Discuss the benefits of an information security steering committee
2. Review current opportunities and weaknesses
3. Introduce you to our new information security steering committee

I look forward to starting this discussion with you and working with you more closely in the future.

Warm regards,

A small bank operationalized an ISSC to enhance its communication channels with executive leadership

CASE STUDY

Industry: Banking

Source: SANS Institute – Investing in Information Security Case Study

Problem

• Leadership saw a unique opportunity to integrate technical expertise into the bank’s risk assessment and decision-making processes.
• However, there was a realization that failing to establish and maintain a communication strategy for executive leadership would result in failure to obtain approval for projects needed to manage risk and improve information security.

Solution

• Security leadership used its beginning communications to raise awareness of risks posed by the current technology environment in risk-based, business-facing terminology.
• Leadership relied on the use of analogy to draw comparisons that would resonate with executive management (e.g. comparing the mainframe where data is stored to the physical vault where money is stored).

Results

• Security team members were seen as business risk managers rather than technology experts by finding a way to communicate to the executive team and board of directors in a way that could be easily understood.
• Ultimately, information security professionals were incorporated in the decision-making process at the board level due to the established trust and resonance of the tailored communications of the steering committee.

Summary of accomplishment

Knowledge Gained

• Typical roles, responsibilities and benefits of the ISSC
• Review of information security governance capabilities (opportunities and weaknesses)
• Operational best practices for the ISSC

Processes Optimized

• Committee inputs and outputs (SIPOC process flows)
• Committee cadence
• Agendas and operational procedures

Deliverables Completed

• ISSC charter
• ISSC purpose and scope
• ISSC accountabilities and responsibilities (RACI)
• ISSC stakeholder presentation
• Governance metrics for benefits management

Related Info-Tech Research

• Build an Information Security Strategy

  Tailor best practices to effectively manage information security

  All Research / Security / Security Strategy & Governance / Strategy & Governance

• Establish a Security Risk Governance Structure

  Managing risk can only go so far without the right support

  All Research / Security / Security Strategy & Governance / Governance, Risk & Compliance

Bibliography

“7 Tips for Presenting to Senior Executives.” PowerPoint Ninja, 21 Dec. 2009. Web.

“The 2017 State of Cybersecurity Metrics Annual Report.” Thycotic. 2017. Web.

Allen, Julia H. “Security Is Not Just a Technical Issue.” US-CERT. 13 May 2013. Web. 14 Aug. 2018.

Alsher, Paula. “Best Practices for Building Steering Committees and Project Teams.” IMA Worldwide. 16 Nov. 2017. Web. 14 Aug. 2018.

Braban, Troy. “Security Metrics That Your Board Actually Cares About!” RSA Conference 2015. San Francisco: 20-24 Apr. 2015 Web. 14 Aug. 2018.

Brotby, W. Krag. “Information Security Governance: Guidance for Boards of Directors and Executive Management 2nd Edition.” ISACA IT Governance Institute. 2006. Web. 14 Aug. 2018.

“Cybersecurity Strategy and Framework.” G7 Information Centre. 11 Oct. 2016. Web. 14 Aug. 2018.

dgdotto. “Fail to Plan, Plan to Fail.” visual.ly. 30 Apr. 2013. Infographic.

Ernest, Wesley. “Investing in Information Security: A Case Study in Community Banking.” SANS Institute InfoSec Reading Room. 6 Aug. 2016. Web.

Fimlaid, Justin. “The First 101 Days as a New CISO - A Chief Information Security Officer's Playbook.” NuHarbor Security. 21 June 2018. Web. 14 Aug. 2018.

Korhonen, Janne, Kari Heikkanen, and Juha Kykkänen. “Information Security Governance.” Strategic and Practical Approaches for Information Security Governance: Technologies and Applied Solutions. IGI Global: Feb. 2012. pp. 53-66. Web. 14 Aug. 2018.

Liesebrink, Michael. The Institutionalization of Information Security Governance Structures in Academic Institutions: A Case Study. Florida State University: 2011. PDF.

Bibliography continued

Lindros, Kim. “What Is IT Governance? A Formal Way to Align IT & Business Strategy.” CIO. 31 July 2017. Web. 14 Aug. 2018.

Magee, Kenneth. “IT Auditing and Controls - IT Governance and Controls.” InfoSec Resources. 13 Feb. 2015. Web. 14 Aug. 2018.

Mimoso, Michael S. "Security Steering Committee Force CISOs to Connect with the Business - Information Security Magazine." SearchSecurity. Jan. 2009. Web. 14 Aug. 2018.

Petty, Art. “Learn How to Succeed with Your Executive Presentation.” The Balance Careers. 14 Aug. 2017. Web.

Pironti, John P. “Developing Metrics for Effective Security Governance.” ISACA. March 2007. Web. 14 Aug. 2018.

Ponemon Institute. “The Evolving Role of CISOs and their Importance to the Business.” Sponsored by F5 Networks. August 2017. Web.

Pratt, Mary K. “Cybersecurity Governance Falls Short amid Rising Security Budgets.” SearchCompliance. June 2017. Web. 14 Aug. 2018.

Vela, Ryan. “Breach Defense Playbook: Cybersecurity Governance.” Dark Reading. 25 June 2015. Web. 14 Aug. 2018.

Veltsos, Christophe. “What Does PwC’s Annual Corporate Directors Survey Tell Us About Cyber Risks?” Security Intelligence. 17 May 2018. Web.

Watts, Stephen. “What is an IT Steering Committee? IT Steering Committees Explained.” BMC Blogs. 20 Nov. 2017. Web. 14 Aug. 2018.