Five Essential Questions for Matrix Security Governance

Previously on Security Architect, Security Governance (Part 2): Operating the Matrix. There, I summarized what line of business security groups, Group IT ISO, and executive committees for risk, audit and compliance actually do. Based on our experience that governance issues lie at the root of many consulting engagements, let’s continue exploring this topic. 

Many organizations struggle because they’re missing crucial parts of the matrix. They experience problems with poor oversight, transparency or accountability. Aligning the matrix properly  is the first step to improvement. 

Unfortunately, its not quite that simple. Proper security matrices are necessary but not sufficient. Like automobile engines, matrices needs frequent tune ups, and oil in their moving parts.I think of security charters and policies describing authorities, responsibilities and incentives as the proper matrix design in the first place, and of “tune ups” as adjustments made with time and experience in a unique organization’s culture.

The “oil” is smooth communication:

• up the ladder through effective executive presentations,
• across security groups and committees through effective facilitation,
• down the chain through security awareness and training 

So here are the 5 essential questions you need to answer:

• Where should the CISO report in the organization?
• How should the Group IT Security function be organized?
• What are the roles and responsibilities for executive or advisory committees?
• How do we communicate to executives about risk and security?
• How can we bake security into day to day business processes?

I hope to cover each of these questions in future posts. In the meantime, let’s have some fresh thinking on how to make governance a more compelling topic among security architects and managers.

Related Reading

• Where Should the CISO Report in the Organization?