5 Key People You Need On Your Information Security Steering Committee

In recent years, high-profile data breaches have led to corporate crises, the resignations of C-suite executives, and substantial financial, regulatory, litigation and reputational harm for companies. Cyber security has become a paramount corporate governance issue.

In establishing a cyber security risk management framework, there are five key people you need on your Information Security Steering Committee –

Chief Information Officer – They represent all things information across the company. The CISO may or may not report directly to them but its essential that the CISO’s - CIO’s activities are clearly aligned.

Information Technology Representative – They represent all things Information Technology across the company and may well be seen by the business as more ‘Operational’. They manage day to day operational security tasks such as antivirus deployment, service desk provision, regular backups, event logging, server configuration, etc.

Human Resources Representative – They represent all things people across the organisation, there interest focus on the committee would be pre-employment screening, terms & conditions of employment, education & training, and the disciplinary process.

Legal, Risk and Compliance Representative – They represent all things GRC, including the organisations wider risk management framework, internal audit services and wider organisational legal and regulatory compliance activity.

Business Unit \ Divisional \ Service Line Representative – They represents the operational business and understands the impact of any changes day to day.

Each organisation is different in terms of governance structure, business complexity, global reach and culture. Steering Committee stakeholders should be senior enough to represent the business and support where more granular requirements and resources are required. E.g. a Group Head of HR may not be able answer Amsterdam Office Work Council questions, but can support conversations, direct and steer where necessary.

Questions your C-Suite should ask your CISO – Do we have and Information Security Steering Committee? Who sits on it / who represents my function? Are they senior enough? What governance group does the Steering Committee Report in to?