Organizations are becoming increasingly aware that if they fail to implement successful security management processes, it could expose them to untenable risk.

The role of the corporate information security steering committee has become an essential tool in the quest for a coordinated corporate security strategy, for reducing duplication in security spending, taking control of complex infrastructures, and, ultimately, reducing security risk. 

One of the first steps for many organizations has been to set up a common security team and embark on enterprise-wide information security programs. However, many of these teams have struggled to align corporate business objectives with strategic security investment.

META Group's research indicates that the majority of new security teams struggle to define and establish their corporate missions, scope, influence, and power bases. Furthermore, these security teams have poorly defined executive charters and operate without effective communications plans. The unfortunate result of such poor grounding is the temptation for newly established teams to immerse themselves in technology quests, searching for elusive enterprise-wide technical solutions.

In contrast, the most effective security organizations are those with clear responsibilities and well-defined processes based upon five primary organizational roles:

• Leadership - this is the role of the chief information security officer who deals with both the day to day management of the security team as well as continuous communication of the importance and value of security measures

• Analysis/design - these security analysts help information owners develop meaningful security policies as well as adequate security solutions

• Security administration - these people look after the day to day administration of access rights, passwords, etc

• Security operations - resources that continuously monitor the organization's security status and manage incident response procedures.

• Awareness communication - resources that design and manage ongoing security awareness and training programs. 
  Executive custody and governance -represented by an information security committee

The role of the corporate security steering committee is to coordinate corporate security initiatives at the executive level and thus enable an organization to optimize spending, manage their infrastructure, and minimize security risk. Obtaining consensus and support for corporate-wide security initiatives is especially difficult in highly decentralized and multinational organizations with devolved authority and autonomy. In this type of organization, an executive governance body becomes essential.

Corporate information security steering committees (CISSC) must have a clear charter with a range of functions that should include:

• Managing the development and executive acceptance of an enterprise security charter.

• Assessing and accepting corporate-wide security policy (e.g., the corporate policy on security incident response, general behavioral approach). This function's primary objective is to ensure that business requirements are reflected in the security policy, thus ensuring that the procedure enables rather than restricts business operations.

• Assessing any requests for policy exceptions from individual business units.

• Assessing, accepting, and sponsoring corporate-wide security investment (e.g., identity infrastructure deployment, remote access infrastructure) and requests to be excluded from common investment.

• Providing a forum for discussion and arbitration of any disputes or disagreements regarding common policy or investment issues.

• Acting as custodian and governance body of the enterprise security program by ensuring visible executive support and monitoring progress and achievements. The role of a permanent governance structure reinforces the message that enterprise security becomes an ongoing, long-term initiative.

• Assessing and approving the outsourcing of common security services and coordinating investment of inappropriate relationship management resources. As the lack of skilled resources increases the need to outsource operational services, executive due diligence, risk assessment, and ongoing effectiveness assessment must be coordinated through the steering committee.

• Initiating ad hoc projects to investigate the advantages, disadvantages, risks, and costs of common security initiatives and advising the committee with appropriate recommendations.

• Representing the executive (board of directors) or its nominated information governance body (e.g., an information executive board) in all corporate security matters. Reporting back to these forums on the activities and effectiveness of corporate security programs and investments.

• Acting as custodian of corporate-wide strategic security processes (e.g., role analysis, data classification) by validating process ownership, responsibilities, and stakeholders.

• Acting as the respondent to enterprise-level audit exceptions (i.e., those audit exceptions where a specific individual cannot be found to be responsible).

• Coordinating and validating any external, security-related corporate communications plans and activities (e.g., in the event of a high-profile, publicized security breach).

• Tracking major line-of-business IT initiatives to identify synergy opportunities or leverage security investment.

• Governing trust relationships with major e-business partners.

It is essential that steering committee members can make decisions at meetings. This requires the active participation of senior executive business managers, or it must be a permanent subcommittee of an organizational information board. To prevent the committee from becoming an ineffective 'debating society' or forum for driving political agendas, the committee's scope, powers, and objectives should be documented and measured.

Typical members of an information security steering committee include all line of business managers, application owners, regional managers, IT managers, the IT director, the chief security officer, the corporate risk manager, and the chief internal auditor. A clear distinction must be made between the role of the CISSC (i.e., executive custody and governance) and the leadership role (i.e., day-to-day management of the security team) of the chief information security officer.

By developing the emerging role of the chief security officer (CSO) and the security team, enterprises can foster a holistic approach to information security - one that recognizes that policy, process, and communication are as important as technology.