
Improve Security Governance With a Security Steering Committee

Build an inclusive committee to enable holistic strategic decision making.


Your Challenge

  • Security is still seen as an IT problem rather than a business risk, resulting in security governance being relegated to the existing IT steering committee.
  • Security is also often positioned in the organization where it is not privy to the details of the organization’s overall strategy, so security leaders struggle to get the full enterprise picture.

Our Advice

Critical Insight

  • Work to separate the Information Security Steering Committee (ISSC) from the IT Steering Committee (ITSC). Security transcends the boundaries of IT and needs an independent, eclectic approach to make strategic decisions.
  • Be the lawyer, not the cop. Ground your communications in business terminology to facilitate a solution that makes sense to the entire organization.
  • Develop and stick to the agenda. Continued engagement from business stakeholders requires an agenda focused on strategic-level issues. Dilution of purpose will lead to dilution in attendance.

Impact and Result

  • Define a clear scope of purpose and responsibilities for the ISSC to gain buy-in and consensus for security governance receiving independent agenda time from the broader IT organization.
  • Model the information flows necessary to provide the steering committee with the intelligence to make strategic decisions for the enterprise.
  • Determine membership and responsibilities that shift with the evolving security landscape to ensure participation reflects interested parties and that money being spent on security mitigates risk across the enterprise.
  • Create clear presentation material and strategically oriented meeting agendas to drive continued participation from business stakeholders and executive management.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out how to improve your security governance with a security steering committee, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

1. Define committee purpose and responsibilities

Identify the purpose of your committee, determine the capabilities of the committee, and define roles and responsibilities.

2. Determine information flows, membership & accountabilities

Determine how information will flow and the process behind that.

3. Operate the Information Security Steering Committee

Define your meeting agendas and the procedures to support those meetings. Hold your kick-off meeting. Identify metrics to measure the committee’s success.

Guided Implementations

This guided implementation is a seven-call advisory process.

Guided Implementation #1 - Define committee purpose and responsibilities

Call #1 - Identify the responsibilities and duties of the ISSC.
Call #2 - Draft the committee purpose of the ISSC.

Guided Implementation #2 - Determine information flows, membership & accountabilities

Call #1 - Model information flows using SIPOC (suppliers, inputs, process, outputs, customers).
Call #2 - Determine accountabilities and responsibilities.

Guided Implementation #3 - Operate the Information Security Steering Committee

Call #1 - Set operational standards.
Call #2 - Determine effectiveness metrics.
Call #3 - Understand steering committee best practices.