Recently a met with an organization who mentioned to us that they had identified executive engagement in information security (or lack thereof) the biggest risk to their organization. It’s not to say that the organization’s executives didn’t care. The issue was that this organization had its hands in a number of other important activities, and securing the organization’s assets simply was not one of their top concerns.
But this raises a few questions – What does it mean for executives to be engaged in information security? How much buy in is enough for management? Is there a bare minimum standard for executive engagement?
So we started thinking, executives have a lot on their plates, so what should a busy executive do to sponsor an information security program without getting sucked into a black hole of too much engagement and allocating too much of his or her attention to the program. It seems to me executives have the responsibility to ensure that all the plates are spinning in the organization to continue pursuing the overarching business strategy. It takes a number of moving parts to achieve an organization’s mission. So what steps should they take to make sure the information security plate stays in the air?
Step One: Assign an information security champion (think senior project manager).
Step Two: Sign a charter for an information security steering committee, or add security responsibilities to the IS steering committee’s charter.
Step Three: Task the steering committee with documenting policies & procedures for how information security will take place in the organization.
Step Four: Support the steering committee in their efforts with other executives and in front of the organization as a whole.
Step Five: Monitor the committee’s progress and encourage them along the way.
Remember this is a journey, not a destination. This is a program, not a project. But like any part of an organization, the information security team needs executive support and guidance in order to help the organization to achieve their goals. Security is expensive and requires effort, but when balanced with other aspects of the business it can help the organization to be healthy and succeed in the long term.