Security Governance: The Eleven Most Important Functions of the Security Council

Cyber security is often considered the responsibility if the IT department. Nothing could be further from the truth. Although the IT team has certain responsibilities in deploying and maintaining security systems, the ultimate responsibility for maintaining a strong security culture lies with Senior Management.

Senior Management must first take on the responsibility of Security Governance.  This means managing security as a process, not unlike many other functions within the company. As such, the implementation and management of the process falls to others within the organization under the leadership of senior management.

In order accomplish proper security governance, organizations should form a Security Council consisting of departmental leaders from all aspects of the organization and led by senior management.

The functions of the Security Council include:

• Clearly identifying roles and responsibilities of council members

• Implementing and promoting a culture of security awareness and vigilance

• Adopting an appropriate security framework for the organization

• Performing a thorough risk assessment for the organization

• Determining a desired security "profile" for the organization

• Generating a gap analysis between the desired profile and the current state

• Developing and implementing a plan to address security gaps

• Developing and approving policies and procedures defining proper security practices

• Maintaining security though monthly meetings and regular audits

• Identifying new threats and adapting processes to address them

• Establishing a comprehensive Cyber Security Incident Response Policy

Each member of the council should have deep experience with the functions of their department and understand the sensitivity of the informational assets their department owns. For instance, the HR director should understand where employee records are stored and the ramifications if that information were subject to unauthorized access. The Finance director should understand the importance of the financial data they own and the impact of that data being compromised. The participation of department heads in the risk assessment process is crucial to the proper identification of information at risk.

Representatives of the IT department take feedback from the department heads and formulate plans to secure the data in accordance with adopted security framework. The IT department typically identifies and implements the tools necessary to monitor and manage the security of the organization's assets.

However, it is not the role of IT to drive a culture of security awareness. That must come from top. All employees must be made aware of the importance of security in the organization. This is accomplished through security awareness training and testing.  It is not enough to simply educate users on the dangers of phishing or malware. They must be tested regularly to make sure their radar stays sharp. Senior management, along with the security council must continuously audit the results of testing and take corrective action to deal with repeat offenders.

With senior leadership driving a strong security awareness culture, flanked by a strong security council organizations can protect themselves to a great degree.