Beaver: Time to Revamp Your Security Committee
August 21, 2017 | Security Policies and Strategy
By Kevin Beaver, IANS Faculty
Do you have a security committee? If so, does it truly add value to the business or is it just another means of wasting precious time? I’ve seen security committees that are all over the map, but it's rare to come across one that's getting things done and truly improving the information security function. More often than not, these committees exist on paper and (somewhat) in spirit but if and when they do meet, it's only to talk about ongoing security-related projects. There's often no real leadership.
Instead of talking about big-picture items like how to minimize information security risks and how security is helping to support business operations, these committee meetings are typically more about the short term. In other words, they cover things like the status of a security technology implementation, how to best answer the latest 30-page security questionnaire or how to keep frustrated users off IT's back after a newly implemented domain password policy. In the end, there's no real vision. It's tactical, not strategic.
I certainly don't envy IT and security professionals who are working their tails off trying to do what's right by thinking long-term and addressing big-picture security items. But many security programs are in disarray not only because of a lack of leadership – part of which includes a functional security committee – but also because of expectations from management to meet the needs of customers, business partners and auditors. All of this is expected with a limited budget and minimal political backing to accomplish things.
In essence, the average security committee is not much more than IT and security staff members going through the motions to meet and discuss security projects so that they can somehow demonstrate to management that things are getting done. This challenge is nothing more than the decades-old assumption by management – and many others – that security is IT's problem.
Making the Improvements
Have you stopped to look at your existing security committee to see what can be improved? Perhaps you're looking to form a committee to help push along your security initiatives? As the saying goes: if it's worth doing, then it's worth doing right. Considering the following questions can help put you on the right path to increasing the effectiveness of your committee:
- What are the goals of the security committee? If you haven’t figured these out, you cannot possibly know whether the group is headed in the right direction. Also, be sure to measure performance to ensure that higher level business goals are being met.
- Who are the members of the committee? Is it just IT and security personnel or is there a diverse mix of representatives from key business functions, including operations, legal, and HR?
- Is there a leader of the group? Perhaps it's your CISO or other executive who can help effect change at the highest levels of the business. If not, there needs to be someone in charge.
- How often do you meet? Anything beyond every three to six months is likely overkill and diluting the value of the committee's mission.
- When you do meet, is everyone engaged? I can’t tell you how many security (and other) committees I’ve been on where many of the members are just sitting around half asleep waiting for everyone else to make a decision. This “bystander apathy” facilitates a lot of negativity in and around security, including decisions that are never made and actions that are never taken.
- What topics are you covering? Is it more than simple project updates? Make sure you’re having discussions about both short- and long-term goals involving risk analyses, metrics, incident response and the like.
Until infosec professionals and the security function as a whole have the proper backing and forward momentum, these committees will merely represent a false sense of security. Risks will likely escalate and incidents will undoubtedly occur. If you’re going to have a committee as part of your information security program, you need to make sure it’s a good one.
Comedian Fred Allen once said “a committee is a group of people who individually can do nothing, but who, as a group, can meet and decide that nothing can be done.” Your committee needs to be better than this! If it’s not, you’re just going through the motions of checking yet another box which, in the long run, serves little purpose and can do more harm than good.