Chief information security officers (CISOs) and security specialists often complain about the disinterest of senior management in information security. The lack of participation of management and the board of directors (BoD) in the governance of information security is a reality in many organizations. The stereotype that senior management is only interested in information security during incidents or when establishing budgets has not completely disappeared, despite the positive evolution of practices observed in recent years, especially with a greater awareness of cybersecurity threats. The propensity of senior management to delegate decisions concerning the security program to IT or to operations is still present despite many advances in governance practices, stimulated in particular by regulations or digital transformations. The nature of the business and its dependence on information security also play a large role in the willingness of senior management to participate in the information security governance process.
One can argue for a long time about the reasons and potential remedies, but the main reasons should be sought in the following areas: technology (often incomprehensible terminology), organization (positioning and responsibilities of information security teams) and strategic alignment (information security is not perceived as essential for the performance of the organization in general). Without a thorough understanding of the benefits of information security, senior management will tend to view security costs as an insurance premium covering a broad spectrum of threats without really understanding them, or a necessary expense required to remain compliant. Understanding the added value of information security to the business is the sine qua non for senior management involvement in the process of information security governance.
Therefore, security officers are asking themselves how they can change this situation and bring the process of running a security program closer to the real challenges of the organization. Repositioning CISOs to higher levels of responsibility, reporting directly to the C-level, helps improve the situation, but organizational changes alone are not enough. Solutions must be sought in a strategic alignment, in the establishment of a standardized reporting process at the highest level of the company and in the provision of acceptable and understandable metrics for information security. The CISO must lead the cultural change and propose a review process based on systematic reporting and clear, acceptable metrics allowing senior management to take ownership of decisions concerning information security in a holistic way.
Security officers should build information security metrics and reports that are useful to senior management. As long as the proposed key performance indicators (KPIs) and the format of the security report answer the questions senior management actually has, a review process based on these elements can be readily accepted. By improving the content of information security reports, the involvement of senior management in the governance of information security will become a reality.
To involve senior management in the governance process, it is essential to articulate the added value of information security using language (terminology) they understand. High-level KPIs and reports that underline the contribution of information security to organizational results (by supporting strategic initiatives or reducing operational risk) can only improve the involvement of senior management in the information security governance process. By offering KPIs and an understandable reporting system, the CISO will have the opportunity to be seen as a valued partner alongside other business line managers. KPIs and the content of the reports should then be reviewed and adapted continually to respond as closely as possible to the concerns of senior management in the organization.
Editor’s note: For further insights on this topic, read Andrej Volchkov’s recent Journal article, “Key Performance Indicators for Security Governance, Part 1”.