According to the 2015 Information Security Breaches Survey conducted by PWC for the UK Government, 28% of the worst security breaches were caused partly by senior management giving insufficient priority to security, and 21% of organisations had not briefed their Board on security risks in a year. Yet the number of organisational security breaches was continually increasing, and their scale and cost had doubled.
In your role as a security manager, or as a manager with responsibility for security matters, you should aim to identify the answers to a number of key questions about the governance arrangements your organisation has (or may not have) in place for security risk:
- Who owns security risk at Board level? Is security a standing item on the Board’s agenda?
- Are there clear reporting lines for security responsibilities, for example cascaded down from senior executives and properly connected up at all levels?
- Are responsibilities for physical, personnel and cyber security allocated separately? If so, are there clear and regular links between the individuals concerned?
- Are there regular reviews of security policies and procedures and who is responsible for these? What about overarching review of the security function – is this conducted and how often, and how are the findings taken forward?
- Are there communication links in place from security managers up to senior executive level? If so, are they effective? If not, how might they be developed?
Guidance to help you address these questions is available via the links below:
- 10 Steps to Cyber Security - questions for CEOs and Boards to support strategic-level discussions on protecting company information assets and managing cyber risk
- Holistic Management of Employee Risk (HoMER) - pragmatic guidance and framework of measures, including the role of corporate governance in managing people risk