- Security is still seen as an IT problem rather than a business risk, resulting in security governance being relegated to the existing IT steering committee.
- Security is also often positioned in the organization where its leaders are not privy to the details of the organization’s overall strategy. Security leaders struggle to get the full enterprise picture.
- Work to separate the Information Security Steering Committee (ISSC) from the IT Steering Committee (ITSC). Security transcends the boundaries of IT and needs an independent, eclectic approach to make strategic decisions.
- Be the lawyer, not the cop. Ground your communications in business terminology to facilitate a solution that makes sense to the entire organization.
- Develop and stick to the agenda. Continued engagement from business stakeholders requires sticking to a strategy-focused agenda. Dilution of purpose will lead to dilution in attendance.
Impact and Result
- Define a clear scope of purpose and responsibilities for the ISSC to gain buy-in and consensus for security governance receiving independent agenda time from the broader IT organization.
- Model the information flows necessary to provide the steering committee with the intelligence to make strategic decisions for the enterprise.
- Determine membership and responsibilities that shift with the evolving security landscape to ensure participation reflects interested parties and that money being spent on security mitigates risk across the enterprise.
- Create clear presentation material and strategically oriented meeting agendas to drive continued participation from business stakeholders and executive management.
This guided implementation is a seven-call advisory process.
Guided Implementation #1 - Define committee purpose and responsibilities
Call #1 - Identify the responsibilities and duties of the ISSC.
Call #2 - Draft the committee purpose of the ISSC.
Guided Implementation #2 - Determine information flows, membership & accountabilities
Call #1 - Determine SIPOC modeling of information flows.
Call #2 - Determine accountabilities and responsibilities.
Guided Implementation #3 - Operate the Information Security Steering Committee