04. Strategic Thinking
One way that governance professionals can exert influence is by helping align business strategy with an operational security strategy. Perhaps the best opportunity to do this is through an information security steering committee.
Most security best practice handbooks describe information security steering committees as vital to demonstrating that the organization is invested in security and to aligning security with business goals. They are. However, many large organizations will have a structured process in place for engaging security, with less frequent meetings dedicated to the topic of security. In companies that do maintain information security steering committees, the committees act as a platform for the free flow of information and ideas between the business and security. In this way, security can be informed of any new business objectives or changes to the business, and the business can be kept up to date about security initiatives that may require business stakeholder input, such as risk management.
The idea is to keep a free flow of information between the business and security to:
- Align goals
- Allow the business to provide a certain level of security oversight
- Work with the business to set and approve policy
- Keep senior leadership informed of new security risks or security challenges
Because of the level of information sharing that occurs during steering committee meetings, it's also important to have the right level of participation. Typically, steering committee members should be strategic thinkers who are in a position to exert broad influence.