Security Boards – structure, function and use

by Flavio Gerbino
time to read: 7 minutes

Keypoints

  • Focus on qualitative strengthening of information security
  • Systematic anchoring of information security in business processes
  • Standardization of information security, practices and methods
  • Risk-adjusted allocation of resources
  • Optimal task solution through knowledge exchange and complementarities
  • Consideration of managerial, specialist and user acceptance, and business requirements through participation of various stakeholders
  • Ensuring strategic alignment

The issues behind information security are diverse, complex and increasingly fragmented. This applies in particular to the relevant legislative and regulatory developments and framework conditions. What’s more, short-term trends and hype around IT, communications technology and information security are emerging constantly (cybersecurity, blockchain, APTs, cloudification, big data etc.), so coordinated evaluation of every aspect that can affect a company’s security is of major strategic importance.

A company’s financial resources also require managers and decision makers to invest wisely. This means recognizing which trends are unlikely to endure, and investing in new technologies and security innovations only once they have demonstrated the level of maturity required for operational use.

Succeeding and keeping pace with all these requirements and developments requires continuous, targeted initiatives in the structure and development of information security. Within the company, these factors can be recorded, discussed, coordinated and decided by a security board.

A security board is a committee, a steering instrument that identifies, discusses, coordinates, processes and determines security issues and topics in an interdisciplinary, overarching manner.

What makes a secure company?

Analysis of competencies in the implementation of IT and security in secure companies shows that:

A security board is the right instrument for creation of precisely these conditions in a company.

The security board acts as a hub that coordinates all the multi-faceted internal and (vague) external requirements, topics and challenges around security, as well as the IT competencies and functions at hand. This ensures a balance that enables decisive impetus for coordinated strategic thrust in information security through coordinated decision making. The security board provides clear structures as a frame of reference and so assumes the role of central coordination point, while also facilitating greater, broader-based common sense in information security.

Characteristics

Construction and establishment of a functioning security board within a company requires consideration of the following points:

Main tasks and characteristics of the board

Organizational aspects

Participation in and management of the Security Board

The security board should be set up in accordance with the size, complexity and risk profile of the company, and must be sufficiently endowed with the necessary expertise and technical resources to enable it to fulfill its mandate efficiently and comprehensively. Members of the security board should be officially nominated, and each member should have a qualified deputy. Further departments, experts, project managers, external consultants, etc., can be summoned as needed.

The chair should come from senior management within an information security or risk management context. The CISO is typically a good fit for this role. The security board chair not only chairs the meeting, but is also an active member of the panel, who along with ensuring correct proceedings of the security board also pursues their own interests and tasks, strategies and goals, and brings their own subjective commitments for the benefit of the whole. They must also lead discussions with expertise and empathy, both for the orderly proceedings of the session and also to ensure discussions and negotiations are as well structured and fruitful as possible.

Tasks in the context of governance

In this context, the security board assumes responsibility for putting interdisciplinary and thematic requirements into practice, turning them into readily comprehensible and feasible measures. It will also determine which subject areas of information security and risk management must be regulated and how the roles and responsibilities in the application of regulated areas appear. These include:

Conclusion

A security board can fulfill and ensure a broad spectrum of essential security and risk tasks through an interdisciplinary approach. Efficient use of existing synergies allows overarching company goals in the area of security to be reached.

About the Author

Flavio Gerbino

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.
