- Focus on qualitative strengthening of information security
- Systematic anchoring of information security in business processes
- Standardization of information security, practices and methods
- Risk-adjusted allocation of resources
- Optimal task solution through knowledge exchange and complementarities
- Consideration of managerial, specialist and user acceptance, and business requirements through participation of various stakeholders
- Ensuring strategic alignment
The issues behind information security are diverse, complex and increasingly fragmented. This applies in particular to the relevant legislative and regulatory developments and framework conditions. What’s more, short-term trends and hype around IT, communications technology and information security are emerging constantly (cybersecurity, blockchain, APTs, cloudification, big data etc.), so coordinated evaluation of every aspect that can affect a company’s security is of major strategic importance.
A company’s financial resources also require managers and decision makers to invest wisely. That means recognizing which trends are unlikely to endure, and investing in new technologies and security innovations only once they demonstrate the level of maturity required for operational use.
Succeeding and keeping pace with all these requirements and developments requires continuous, targeted initiatives in the structure and development of information security. Within the company, these factors can be recorded, discussed, coordinated and decided by a security board.
A security board is a committee, a steering instrument that identifies, discusses, coordinates, processes and determines security issues and topics in an interdisciplinary, overarching manner.
What makes a secure company?
Analysis of competencies in the implementation of IT and security in secure companies shows that:
- security goals are aligned with IT strategy, which in turn is aligned with corporate strategy
- organizational structures are developed that enable the sound implementation of security and its goals
- the prevailing culture is one of constructive relationships and effective communication between IT security and the relevant departments
A security board is the right instrument for creation of precisely these conditions in a company.
The security board acts as a hub that coordinates all the multi-faceted internal and external (often vaguely defined) requirements, topics and challenges around security, as well as the IT competencies and functions at hand. This creates a balance in which coordinated decision making gives decisive impetus to the strategic direction of information security. The security board provides clear structures as a frame of reference and so assumes the role of central coordination point, while also fostering a broader, shared understanding of information security.
Construction and establishment of a functioning security board within a company requires consideration of the following points:
- structural characteristics
- organizational and administrative processes
Main tasks and characteristics of the board
- Generation of the essential decision-making basis for assignment of responsibility for information security and IT risks within the company.
- Alignment of security with IT, as well as core business and protection requirements.
- Identification of trends and developments in IT and security (not only technical).
- Hub for all aspects of security, including communication and information.
- Integration of all key participants in security decision making.
- The security board can also be summoned as a crisis committee in the monitoring and processing of security incidents (virus outbreaks, IT outages, emergency patches, vulnerabilities and other security events).
- Security also depends on the security board developing practices that enable the implementation of security and its goals, and that create constructive relationships and effective communication between IT security and other departments.
- General strengthening of cohesion within the company in relation to security awareness, generation of synergy effects, minimization of poor decisions and qualitative strengthening of IT security.
- The security board’s work makes the company’s security efforts visible.
- Management receives a demonstrable record of the adequacy of security.
- One such aspect is the meeting schedule, which defines the frequency of meetings/sessions.
- Consideration must also be given to the conditions under which extraordinary security board meetings can be called, by whom and when.
- The agenda/agenda items must be defined. Topics can be chosen from a road map, projects, plans, initiatives, current security developments within and outside the company, and security appraisals arising from daily business in the various teams. Members of the security board should be free to propose security topics that they consider important, which can be logged as agenda items.
- There should be clear agreement on how a quorum is formed, including method and escalation procedures in the event of disagreement. It is particularly important for the board to maintain a unified front after decisions have been made. Within the board, decisions can be made by such methods as the consensus or majority principle.
- Under the consensus principle decisions are made without dissenting votes. All members must be in agreement, or at least prepared to relinquish or put aside their dissenting opinion or reservations about the decision in the general interest.
- Should the consensus principle fail to result in a decision, a majority decision can be reached. A decision is taken based on the proposal that receives the most votes. If no decision is reached within a reasonable timescale, the chair of the security board can be granted a casting vote in order to transform parity into majority. In the event of a protracted inability to reach a decision, senior management represents the final stage of escalation.
- The security board must determine how it plans to fulfill its requirements in the areas of reporting and minute taking. Reporting essentially represents the external communication of the security board and presents the key conclusions of its operational work to the wider circle of stakeholders and peers, while the minutes serve internal communication. The minutes document statements, findings and agreements, and reconstruct the sequence of discussions. The goal is a complete picture of the issues and discussion of a session through a chronological record of the arguments, proposals and controversies that arise within the session. In the interests of a sober and objective account of the events in the meeting, all findings, decisions, commitments to further procedures, open issues, status of topics, appointments and assignments of tasks must be included. On conclusion of the session, all present must be clear about how the agreed tasks are to be implemented.
Participation in and management of the Security Board
The security board should be set up in accordance with the size, complexity and risk profile of the company and must be sufficiently endowed with the necessary expertise and technical resources to enable it to fulfill its mandate efficiently and comprehensively. Members of the security board should be officially nominated and each member should have a qualified deputy. Further departments, experts, project managers, external consultants etc. can be summoned as needed.
The chair should come from senior management within an information security or risk management context. The CISO is typically a good fit for this role. The security board chair not only chairs the meeting, but is also an active member of the panel, who along with ensuring correct proceedings of the security board also pursues their own interests and tasks, strategies and goals, and brings their own subjective commitments for the benefit of the whole. They must also lead discussions with expertise and empathy, both for the orderly proceedings of the session and also to ensure discussions and negotiations are as well structured and fruitful as possible.
Tasks in the context of governance
In this context, the security board assumes responsibility for putting interdisciplinary and thematic requirements into practice, turning them into readily comprehensible and feasible measures. It will also determine which subject areas of information security and risk management must be regulated and what the roles and responsibilities for applying those regulations look like. These include:
- Ensuring fulfilment of statutory requirements and contractual conditions
- Avoidance of IT problems that may negatively affect (damage) the value and image of the company
- Ensuring that IT is supported in the area of security and enabling it to reach company goals
- Management of risk
- Ensuring the development of knowledge through IT and security, and maintaining it in the long term
- Identification of trends and developments, and early detection of legislative changes and adjustments in the regulatory environment
A security board can fulfill and ensure a broad spectrum of essential security and risk tasks through an interdisciplinary approach. Efficient use of existing synergies allows overarching company goals in the area of security to be reached.
About the Author
Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.