Creating a Security Council

The following is a project I conducted for a company that wanted to create a security council. The real-life scenario was given to me as described below, and I created a report to help justify and sell this need to the President of the company.

Background

The Office of the President of our company has asked me to create a Security Council to advise the office and the cabinet of the organization on information security. While our C-level leaders will remain aware of the threats, issues, and demands of information security, they would like to hand this responsibility over to a dedicated council. The following report outlines the need for, and the plan to create, an Information Security Council.

The Need

Our organization faces many challenges with its current security program. Obtaining the needed input from all areas of the company is difficult because departments are siloed and have established cultures of their own. Enforcing current policies is also a challenge, since each department has a different level of awareness of security initiatives and of their overall importance. This has led to parts of the organization not recognizing current policies as they should. Lastly, this lack of awareness across the organization has made it difficult to establish new policies, as we are not able to obtain enough buy-in from members of the executive team.

Creation of Information Security Council

To combat the challenges our organization currently faces, I will be creating an Information Security Council that spans the whole organization. In an effort to create effective policies, the council will be made up of at least one senior leader from each department. This will not only ensure senior oversight, but also bring together the diverse range of perspectives that already exists in the organization. Including senior management in the council is also an effort to guarantee that policies can be created, accepted, and enforced across the organization in a timely fashion. Members of the organization are more likely to buy into our security program if senior leaders champion it in their respective departments.

The creation of this council is also an effort to increase visibility and transparency within our organization. Increased transparency fosters responsibility and encourages positive self-regulation. Members of the council will be announced and well known in their departments. This visibility and transparency should encourage discussion within departments and also identify which departments are further behind than others.

Lastly, this council will promote collaboration across departments. This will benefit our organization because it will help employees pool their skills and ultimately make the security program more successful than it might otherwise be. Department barriers will begin to break down, which should inspire departments to collaborate on other initiatives in the future. This will not only align departments with the overall strategy, but also make our organization more effective as a whole.

Responsibility of the Information Security Council

The Information Security Council will be responsible for evaluating all security threats and issues in the organization. All issues and concerns will be handled using the strategic expertise of the council members.

The Information Security Council will be in charge of recommending, creating, and enforcing new policies across the entire organization. Based on its evaluations, the council will recommend solutions to the cabinet grounded in best practices. New policies will range from high-level governance down to operational policies, such as which devices may be used in the organization. It is important to note that the council will only create and enforce policies that affect the entire organization, not just one department. Department-specific policies will be handled by the senior managers of those departments.

Members of the council will be responsible for sharing all relevant information with their departments. This includes helping members of their department understand specific policies and why they are important; council members will be responsible for setting up this training. In turn, council members will be responsible for bringing opinions and concerns from their departments back to the council. The council will also serve to settle disputes and mediate discussions between its members.

Conclusion

The Information Security Council will be created to ensure that information security is treated by the organization as a business issue and not merely an IT issue. It will provide security governance that spans the whole organization. Its primary responsibility will be to advise the office and the cabinet of the organization on information security. The council will be authorized to take the lead in creating and enforcing new policies across the entire organization and will be responsible for evaluating all security threats and issues. It will also settle disputes and recommend solutions.