6 Key Activities Of Your Information Security Steering Committee
In recent years, high-profile data breaches have led to corporate crises, the resignations of C-suite executives, and substantial financial, regulatory, litigation and reputational harm for companies. Cyber security has become a paramount corporate governance issue.
In operating a cyber security risk management framework, there are six key activities your Information Security Steering Committee needs to undertake:
Alignment to Strategic Direction – A key part of the Information Security SteerCo's role is ensuring that the information security policy being created and managed is compatible with the strategic direction of the organisation.
Is the company growing rapidly globally through acquisition? Is the company divesting property or moving towards flexible working? Is the company divesting business units? Is the company rapidly moving to cloud or online services to provide its services?
Integration – Agreeing a policy or an approach does not in itself reduce the business's cyber risk. Ensuring the integration of the information security requirements into the organisation's processes is an important aspect of the SteerCo.
If a policy decision has been made to provide information security training to all staff, what are your completion rates? Where are the problem locations or business units? What is being done to address the problem areas?
Resourcing – The SteerCo should ensure that the resources needed for information security are available. These resources are not only financial; they also include the staff time and effort needed to address issues.
Communications – The establishment of the SteerCo itself, and regular actionable reports from it to key stakeholders (ExCo, ManCos, etc.), communicates the importance of effective information security and of conforming to the organisation's information security requirements.
Performance Measurement – Keeping on top of key risk and performance indicators ensures that information security activities achieve their intended outcome(s). There will be another insight at a later date on the key measuring and reporting the CISO needs to undertake.
Directing & Supporting Leadership & Management – The SteerCo will support other relevant management roles in demonstrating their leadership as it applies to their areas of responsibility, and will direct and support people to contribute to the effectiveness of information security.
If a policy decision has been made to provide information security training to all staff, which managers need the information and support to bring the problem areas back on track?
Questions your C-Suite should ask your CISO – What are the Terms of Reference of the Information Security Steering Committee? Who sits on it? What reporting can I get from it? How are my business areas doing?