Q. My organization is about to revamp our information protection program. Can you provide any guidance as to how to make sure it’s holistic and will be embraced by all?
A. In my experience information security professionals tend to focus on the technical aspects of an information protection program. It’s natural to stick to the things we are really good at like network architecture design and intrusion detection systems. However, we need to keep in mind that any security program must be relevant to business goals, or in other words, security must align with the business. How can we effectively defend a request for a business expense without truly understanding and communicating how that expense will enhance the business? If you have not found out already, spouting off technical specs to executive management is not the way to get your purchase approved.
One of the most effective ways to help ensure information protection strategies are holistic and align with the business is by forming a cross-functional governance group. You want to ensure that all stakeholders affected by the information security program are involved, which means having executives of all the various business functions take part in this governance group or steering committee. The governance team will aid you in establishing a framework that ensures that the information security program: 1) meets the entire organization’s needs, 2) adds benefits that outweigh the costs, 3) is relevant to the business and that relevancy can be communicated to executive management.
There are eight basic objectives that this governance team will help address:
1) Develop the information protection strategy in support of business strategy and direction.
2) Obtain executive management commitment and support.
3) Ensure the definition and implementation of roles and responsibilities throughout the organization is one that emphasizes the edict that the security executive is a facilitator and not an enforcer.
4) Establish reporting and communication channels that support and promote information protection activities.
5) Identify and assess the impact of current and potential legal and regulatory issues.
6) Establish and maintain policies that support business goals and objectives.
7) Ensure the development of procedures and guidelines that reinforce the policies.
8) Develop business case and organization value analysis that defends information protection program investments.
In essence, the governance team forms a communication channel for senior management’s goals and thereby ensures alignment of the information protection program with the organization’s objectives. If this is done correctly it will naturally lead to a holistic security program. In addition, it assists with perhaps the most difficult part of information protection for information security practitioners -- the building of strong working relationships with leaders of the business functions outside of security that can result in gaining their buy-in and support. The book "Information Protection Playbook" edited by Kane and Koppel provides more information about how to achieve these objectives as well as developing an information protection framework.
Answer provided by Greg Kane, Security Executive Council staff.