So where does security fit into corporate governance? Security should be a major contributing factor to ensuring shareholder value and compliance with regulatory requirements.
Recent studies have reported that security functions are fragmented within most organizations. Physical security may be addressed by one component of an organization while information security is usually part of the IT organization. Few organizations have formal programs to address personnel or operations security. What would constitute an ideal model for security governance?
First, an integrated security function that unites all security functions and activities into a single entity. This will help eliminate duplication of efforts and leverage the investments being made for security. This is the best way to identify and manage the total cost of ownership for security across an enterprise. Additionally, an integrated security function provides corporate accountability for determining and implementing appropriate safeguards throughout an organization.
Second, a senior manager of security. Any efficiencies achieved through a combined security function are further enhanced by organizing security under a single senior manager who is also a member of the executive committee.
This security manager should be a member on, and possibly even chair, the organization's risk committee. As an equal partner in the corporate governance structure, security should provide input and guidance to senior management determining the operational risk of the organization.
Third, security should be made a critical corporate business driver. It must be strategically identified and broadly recognized by all senior leaders of the organization, and the corporate strategic plan should specifically include it as one of its fundamental elements. What's more, it must be continuously addressed to ensure the plan is achieved.
All successful organizations establish their definitive organizational goals and objectives on an annual basis for those specific things it needs to accomplish to grow and prosper. These goals and objectives must address relevant security issues in order to assure the safe delivery of the other organizational goals and objectives.
Next, security should be a specific component of annual performance plans. The corporate goals and objectives should be distributed throughout the organization as specific performance requirements and objectives for all levels of management and staff, as reflected by their annual performance plans. It has been said: "If you want to ensure something is done, measure it," so because security is everyone's responsibility, appropriate security goals and objectives should be part of all performance plans – starting with the president/chair and filtering to every other employee of the organization.
The next component of an ideal model for security governance is effective corporate policies and standards. Security enforcement can only be accomplished when there are appropriate policies and standards. Security policies and standards must be established for every aspect of an organization ranging from general functions to the detail levels of processes and technologies. Every employee must understand the "who, what, where, when, why, and how" of security if it is to become an integrated part of business culture.
Finally, security requirements must be extended to business partners and vendors. Most organizations function through extended relationships with many entities – such as strategic partners, vendors, consultants, or outsourced labor – so it is crucial that the organization's security requirements extend into these relationships. This must be done through policies and standards, as well as being incorporated into contractual aspects that formalize the relationships.
Most organizations have experience in doing this as part of their effort to address Y2K, but they have not continued to address the security issues that have stemmed from extended business infrastructures. An organization's security posture can only be as strong as its weakest business relationship.
Companies that need to reform their corporate governance must ensure that security is appropriately addressed and specifically included in its processes. If good management really is good security, then organizations seeking to continuously improve their corporate governance structure will establish security as a visible and equal partner in making the day-to-day decisions that affect the risks of the business.