Improve Security Governance with a Security Steering Committee


Ensure executive leadership, strategic decision making and effective oversight of cyber risk.


Major Business Pain Points

  • Security is still seen as an IT problem rather than a business risk, resulting in security governance being relegated to the existing IT steering committee.
  • Security is also often positioned in the organization where it is not privy to the details of the organization’s overall strategy, so security leaders struggle to get the full enterprise picture.

Recommendations

Key Points

  • Work to separate the Information Security Steering Committee (ISSC) from the IT Steering Committee (ITSC). Security transcends the boundaries of IT and needs an independent, eclectic approach to make strategic decisions.
  • Be the lawyer, not the cop. Ground your communications in business terminology to facilitate a solution that makes sense to the entire organization.
  • Develop and stick to the agenda. Continued engagement from business stakeholders requires sticking to a strategic level-focused agenda. Dilution of purpose will lead to dilution in attendance.

Approach

  • Define a clear scope of purpose and responsibilities for the ISSC to gain buy-in and consensus for security governance receiving independent agenda time from the broader IT organization.
  • Model the information flows necessary to provide the steering committee with the intelligence to make strategic decisions for the enterprise.
  • Determine membership and responsibilities that shift with the evolving security landscape to ensure participation reflects interested parties and that money being spent on security mitigates risk across the enterprise.
  • Create clear presentation material and strategically oriented meeting agendas to drive continued participation from business stakeholders and executive management.

Methodology and Tools

Executive Brief

Read the concise Executive Brief to find out how to improve your security governance with a security steering committee and review the methodology.

  • Improve Security Governance with a Security Steering Committee – Executive Brief
  • Improve Security Governance with a Security Steering Committee – Phases 1-3

1. Define committee purpose and responsibilities

Identify the purpose of your committee, determine the capabilities of the committee, and define roles and responsibilities.

  • Improve Security Governance with a Security Steering Committee – Phase 1: Define Committee Purpose and Responsibilities
  • Information Security Steering Committee Charter

2. Determine information flows, membership & accountabilities

Determine how information will flow and the process behind that.

  • Improve Security Governance with a Security Steering Committee – Phase 2: Determine Information Flows, Membership & Accountabilities

3. Operate the Information Security Steering Committee

Define your meeting agendas and the procedures to support those meetings. Hold your kick-off meeting. Identify metrics to measure the committee’s success.

  • Improve Security Governance with a Security Steering Committee – Phase 3: Operate the Information Security Steering Committee
  • Security Metrics Summary Document
  • Information Security Steering Committee Stakeholder Presentation

All resources on this page are provided to Cyber Leadership Hub members under license from third parties including Info-Tech Research Group Inc, a global leader in providing IT research and advice.