A recent Ponemon Institute survey found that 64 percent of IT professionals don’t communicate security risks to senior executives, or only communicate them when a serious security risk is revealed.
This is detrimental to the security of any business because it puts executives in the position of being reactive rather than proactive about their organization’s information security needs. Being reactive leaves room for breaches, data loss and business costs, something no enterprise executive wants.
The big question is: what can leadership do to move from reactive to proactive when it comes to information security risks?
One solution is forming an Information Security Steering Committee (ISSC). You can do this by creating a board composed of executives from different departments of your business and holding regular meetings (at a frequency determined by need) to discuss the status of, and problems with, the information security program.
Your ISSC board should be composed of (at least) the CEO, CIO, IT manager, HR executive and Legal executive.
All five of these business executives take care of different aspects of running the business, but they share some major common responsibilities, which is why they need to gather and discuss information security.
The common responsibilities include making decisions, communicating those decisions to everyone and implementing them. Basically, if anything needs to change, they are the ones who approve it, deny it and spread the word.
The CEO and the HR and Legal executives are not experts in IT or security, which is why they need the CIO and IT manager. The CIO and IT manager cannot move forward with budget requests, policy and procedure distribution, or training implementation without the green light from leadership. As for the Legal executive, it is to everyone’s benefit that he/she is there, because they will know the law and the compliance requirements that, when met, help the business avoid penalties.
The five business executives need to coordinate and work together if they are going to keep their business’s security effective and proactive. Working together also allows everyone to be objective about their information security resources and about whether they will need outside help to achieve a proactive, strong information security program.
How are you trying to make your business proactive to information security risks?