Data breaches will happen. It’s not a question of if, but when. Whether it’s criminals hacking Sony Pictures or attackers causing a massive data breach at Anthem Medical, all industries are vulnerable to a cyber attack. The impact is quite damaging: legal liabilities, brand reputation, customers and partners, and ultimately, revenue. The average cost of a breach is now up to $ 4 million, according to a 2016 Ponemon study .
Security is, and should be, a concern for all employees in an organization. However, leadership must be responsible for establishing and maintaining a framework for information security governance. Information security governance is the success or failure of an enterprise security program.
Whether it is the board of directors, executive management or a steering committee – or all of this – information security governance requires strategic planning and decision-making.
Despite the threats of cyber attacks and data breaches, organization can take proactive steps to better position themselves for successful security governance. What are five best practices for information security governance:
1. Take a holistic approach
Security strategy is about aligning and connecting with business and IT objectives. A holistic approach can provide leadership with more levels of control and visibility.
What data needs to be protected? Where are the risks? Take a unified view of how information security impacts your organization and how employees view security. Get early buy-in from key stakeholders, such as those in the IT, sales, marketing, operations and legal departments. Scope out what data needs to be protected and how it fits into the larger picture.
2. Increase awareness and training
Although developed by leadership, information security governance. Governance creates policies and assigns accountabilities, but each member is responsible for following the security standards.
Constant training and education on security best practices is vital. The cyber threat landscape is about to change and employees, and company training, must keep up.
3. Monitor and measure
Information security governance should never be set up, but it should not be “What are the policies?
Conduct mock data breach scenarios to test the efficacy of corporate teams and company incident response plans. Test results can reveal strong and weak links.
4. Foster open communication
Stakeholders should feel free to contact them directly, even when sharing bad news. Open communication promotes trust and brings a higher level of visibility throughout the organization.
Engagement is key. Considering a steering committee of executive and key team leads (IT, marketing, finance, public relations, legal, operations, etc.) to review and assess current security risks.
5. Promote agility and adaptability
Gone are the days of monolithic, cumbersome governance; Organizational need to adapt quickly to meet the changing tide of security threats. IT management, which is concerned with making tactical decisions on security risks, may have some hands-on experience and opinions on the effectiveness of a particular security policy, but their recommendations can only be made without C-suite support. Leadership must quickly determine how to implement proposed changes throughout the organization. And if a security governance policy is ineffective, leadership must be willing to jettison the policy.
Overall, successful information security governance involves a continuous process of learning, revising and adapting. Organization need to be proactive and strategic with their security posture. Threats and incidents are inevitable, but moving strategic security to the forefront of your organization can help protect valuable information.
Download the full Diligent white paper: Five Best Practices for Information Security Governance
January 10, 2020
Identifying the Problems with Other Board Portals
What makes a board portal effective, and what problems arise when it is not? Company directors and company secretaries all recognise the value of a high-quality board – 65% of all ASX-quoted companies already use Diligent’s board portal as part of its Governance Management software. Australian economist and company director…
December 2, 2019
Diversity: The business case for boards
Diversity is falling on ASX 200 boards. According to October data from the Australian Institute of Company Directors (AICD), currently, these boards are 29.5 per cent female, down from 26.7 per cent in July. Further, 31.7% of board appointees in 2019 are women, down from 45% in 2018. Of course,…
September 27, 2019
Not-for-Profit Digital Strategies
Australian Not-for-Profit organisations have been slow to adopt digital strategies, and have, consequently, become less competitive. That is the result of a study released in September 2019 by the Queensland University of Technology. “In a highly competitive funding environment, the Not-for-Profit sector faces new challenges in…