Avoid the two common mistakes when formalizing information risk governance

Governance of information risks is usually pretty informal. The Information Risk function has to do most of the work identifying risks and trying to get others to "do the right thing", whether that means not clicking on links in unsolicited emails, coding applications securely, or conducting thorough due diligence before outsourcing a business process.

For obvious reasons, we would like this governance to be more formal. If everybody knew when risk decisions needed to be made, and who should make them, fewer things would slip through the cracks and the security function would not have to do so much of the work itself.

However, we believe that many organizations that try to formalize information risk governance go about it the wrong way. Conventional wisdom holds that governance should be driven by organizational structure, culture, and business demand. One common formal mechanism is the "security steering committee", where a group of cross-functional stakeholders comes together to make information risk-related decisions. But we see a lot of challenges around these steering committees:

  • They can be hard to implement.
  • People are already on too many committees, and they tend to feel the security committee isn't important enough to be worth their time.
  • With information risks touching more and more of the enterprise, there is a temptation to keep adding people to the committee, but this only wastes more people's time and makes the committee less effective.

Another approach, instead of the steering committee, is to say "Security is just a consultant to the business; the business owns the risks, and we in Security just help them make the right decisions." If you press on this, though, you will find that Security will not let managers make overly risky decisions without escalating the question to a higher level, so the seat of governance gets complicated. Also, Security does so much of the work framing the decisions, especially technical ones, that it raises the question of who is really making the decision.

What gets lost when formalizing governance with steering committees, or by offloading responsibility to the business, is the nuance we use when governance is informal. In informal settings, we react in an ad hoc way to each scenario, intuitively factoring in the size of the risk, the type of risk, and who is affected, and simply talk with the right people until a solution is reached. Like most ad hoc processes, this is inefficient and prone to lapses, but why can't we keep what is good about it when formalizing risk governance?

We at IREC think we have a better way. We have been talking with CISOs about a "Decision Responsibility Matrix." Don't rigidly route all your decisions either to a standing steering committee or back to the business. Instead, look up the risk in question in a defined, principled, previously agreed-upon matrix that incorporates the size of the risk, the type of the risk, and the owner of the risk. The matrix tells you who has decision rights for that risk (maybe the CISO, maybe a committee, maybe an individual) and what process to follow to make the decision.

Some of our members already have something like this. We would love to hear from others who have something like this that is working, or who have tried it and found that it did not work.
