Chapter 12: Information Security Governance – Selling Information Security to the Board
This is a much harder sell but, if the board can be brought to understand that it has a governance responsibility in respect of information security, you will have made the task of selling future information security investment proposals that much easier for yourself.

Here’s the argument:

The availability, integrity and confidentiality of its data are fundamental to the long-term survival of any 21st century organisation. Unless the organisation takes a top-down, comprehensive and systematic approach to protecting its information, it will be vulnerable to a wide range of threats, including cyber crime and cyber terrorism, data leakage and insider attacks. These threats are a ‘clear and present danger’ to organisations of all sizes and in all sectors; responsibility for information risk management, for ensuring that the organisation appropriately defends its information assets, can no longer be abdicated or palmed off on a head of IT or CISO. The board has to take action. It’s a part – and a very key part – of the board’s governance responsibility.

Information security is a board responsibility

Information security is a governance issue, not merely an IT department functional responsibility. In an environment where it is neither commercially sensible to invest in protecting against every possible risk, nor affordable to achieve 100% security, there are five reasons for this:

  • The board has to lay down guidelines as to which of the organisation’s information assets are to be protected and the level to which this must be done.
  • Only the board can effectively prioritise, and lay down guidelines for, investment in information security.
  • Information security is a ‘whole business’ exercise; effective information security requires a set of controls that integrate technology, procedure and human user behaviour in such a way that the board’s security objectives are achieved. Only the board can set out the objectives and requirements for such a cross-organisational management system.
  • The whole organisation is at risk in the event of a significant information security breach; the board is directly accountable for the corporate reputation, corporate earnings and corporate survival and the board must, therefore, ensure that appropriate arrangements are made to protect the organisation from information risk.
  • It is the board’s direct responsibility to ensure that the organisation complies with the various laws of the jurisdictions in which it trades. The growing body of information-related legislation is such that the board now has to be proactive in mandating the implementation of a recognised information security management system that will ensure compliance.

Governance and risk management

The board’s job is governance and strategy and, therefore, governing strategic and operational risk is a fundamental board responsibility. There are three operational risks (the best definition of operational risk is still ‘the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events’⁹) related to information and communications technology that boards need to consider:

  • Loss of proprietary information, with resultant damage to earning power and competitive position.
  • Loss of customer and personal data, with resultant damage to commercial and directors’ personal reputations, as well as regulatory action, financial and punitive loss, and possible jail time for directors.
  • Business continuity disruptions, with resulting damage to commercial reputation and actual trading capability.

The board has to prioritise the risks that are to be defended against, in the light of the organisation’s information assets, its business model and its overall business strategy. It has to ensure that appropriate resources are committed to realising and maintaining the risk profile that it has mandated.

Corporate governance codes

Corporate governance codes throughout the world recognise that the management of operational risk is a core board responsibility.

The UK’s Corporate Governance Code requires listed companies to annually review their risk management and internal control systems, covering ‘all material controls, including financial, operational and compliance controls’.¹⁰ The Turnbull Guidance explicitly requires boards, on an ongoing basis, to identify, assess and deal with significant risks in all areas, including in information and communications processes.¹¹ Sarbanes-Oxley requires US listed companies (and, increasingly, there is a knock-through effect onto their major suppliers) to annually assess the effectiveness of their internal controls, and places a number of other significant governance burdens on executive officers, including the section 409 requirement that companies notify the SEC ‘on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer’. Pillar 1 of the Basel 2 Accord aimed to reduce financial institutional ‘exposures to the risk of losses caused by failures in systems, processes, or staff or that are caused by external events’.¹² While the 2008–2010 financial crisis was caused by a significant failure of regulatory oversight, the ambition to counter operational risk is undiminished.

Risk assessment has, over the last few years, become a pervasive and invasive concept: a risk assessment must be structured and formal, and nowadays one is expected in almost every context – from a school outing through to a major corporate acquisition. It is certainly a cornerstone of today’s corporate governance regimes. In the context of operational risk, a risk assessment is the first step that a board can take towards controlling its risks; the most important next step is the development of a risk treatment plan (in which risks are accepted, controlled, eliminated or contracted out) that is appropriate in the context of the company’s strategic objectives.

Information risk

If no one else wanted an information asset, it wouldn’t be an asset. Information, to be useful to an organisation, must be available (to those who need to use it), confidential (so that competitors can’t steal a march) and its integrity must be guaranteed (so that it can be relied upon). Information risk arises from the threats – originating both externally and internally – to the availability, confidentiality and integrity of the organisation’s information assets.

Threats to information security are wide-ranging, complex and costly. External threats include casual criminals (virus writers, hackers), organised crime (virus writers, hackers, spammers, fraudsters, espionage, ex-employees) and terrorists (including anarchists). More information security incidents (involving members of staff, contractors and consultants acting either maliciously or carelessly) originate inside the organisation than outside it. Barings, Enron, WorldCom and Arthur Andersen were all brought down by insiders. The HMRC debacle was an insider problem. The indirect costs of these incidents usually far exceed their direct ones, and the reputational impacts are usually greater still.

The need for determined action to deal with these risks should be self-evident.

Governance challenges

The governance challenge, though, is clear. A 2014 Ernst & Young survey¹³ found that only 14% of information security functions report to the CEO, and that only 5% of organisations have a dedicated threat intelligence team to identify real threats facing the organisation. Ernst & Young summed it up:

Cyber risks are growing and are changing rapidly. Every day, cyber criminals are working on new techniques for getting through the security of organizations, including yours. They are doing this so that they can cause damage, access sensitive data and steal intellectual property. Every day, their attacks become more sophisticated and harder to defeat.

Because of this ongoing development, we cannot tell exactly what kind of threats will emerge next year, in five years’ time, or in 10 years’ time. We can only say that these threats will be even more dangerous than those of today. We can also be certain that as old sources of cyber threat fade, new sources will emerge to take their place.

Although we will await the 2024 survey results for some time, anecdotal evidence doesn’t suggest that much will have changed. In today’s corporate governance environment, boards that take their information security governance responsibilities seriously are likely to be those that outperform; if the majority of organisations continue to shirk their information governance responsibilities, their bottom lines will be impacted and the earning power of their executives will be diminished.

IT governance

Of course, effective information security governance is a subset of IT governance. Organisations that adopt an IT governance framework (following, for instance, the international standard ISO/IEC 38500¹⁴) are far more likely to be organisations in which boards recognise their accountability for information security, and take appropriate action.

A logical approach, therefore, is that information security practitioners work to develop an overall board approach to IT governance¹⁵, on the basis that this will ultimately help them achieve an effective information security governance environment.

9 Operational Risk, a consultative document from the Basel Committee on Banking Supervision in January 2001.

10 Corporate Governance Code on Risk Management and Internal Control, Section C.2.3.

11 Turnbull Guidance, paragraph 20.

12 BIS Press Release, 26 June 2004.

13 Ernst & Young’s 17th Global Information Security Survey, which in 2014 interviewed more than 1,800 executives across 60 countries.

14 See Pocket Guide: ISO/IEC 38500, Alan Calder, ITGP (2008).

15 For detailed guidance on implementing an IT governance framework, see IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT, Alan Calder, ITGP (2009).