The Myth of Security Governance

Security governance has become a hot term within the IT industry as people awaken to security threats presented by the internet. Yet the meaning of this term varies depending on whom one talks to, which often leads to confusion.

One meaning pertains to the application, maintenance, and continued risk evaluation of people’s access to information within an organization. This is about answering “who has access to what, why do they have it, and what have they done with it?,” which is a component of a compliance programs for regulations like SoX, HIPAA, and PCI.

In this context, governance is about enforcing accounting-style rules within IT environments to ensure proper data access. At a higher level it helps ensure legitimate system use. This is a useful and necessary process so information consumers stay on the straight and narrow. It is also how the IT industry most vocally discusses security, especially with regulated businesses.

However, it is a mistake to believe these processes, and regulatory compliance overall, is sufficient to ensure system security. There are numerous examples of regulation-compliant organizations that have fallen victim to massive hacks, clearing demonstrating this point.

I believe it’s more useful to regard security governance as an approach, structure, and rules for stewardship. Effective governance should protect an IT environment from unexpected behavior, be it human or technological, with the goal of protecting the organization using this technology.

It’s useful to think of this stewardship-style of governance like parenthood. A good mother or father wants to know how their child is behaving and who they’re spending time with. Rules are set to keep this behavior within acceptable boundaries. Hopefully these rules will be backed by teaching of good values so the child is motivated to good behavior and not to hurt others for personal gain.  They should be effective at detecting, responding to, and hopefully preventing undesired behavior but not so onerous that they prompt rebellion or crush the child’s life.

I’ve found that the most effective organizations take a similar approach to IT security. They understand their business goals, how they’re IT supports them, the risks presented to the IT environment, and then match their security governance program to protect against those risks. This motivates people’s “good behavior” while discouraging any desire for harm. Effective organizations also take advantage of IT security to drive top-line revenue and lower bottom-line cost, even as the IT environment is well protected.

Security governance as regulatory compliance – the approach software companies and consultants find easiest to sell – helps with some aspects of data protection. Security governance as stewardship enables the organization, even as it’s protected. It takes additional effort, not least in aligning the organization to these goals and in finding people with the right perspective to assist. I’ve found it’s always worth the effort though.

You may enjoy the wonderful article at about the challenge of getting people to take security seriously.

In the end, it falls to each organization to determine the results they’d like and the approach they’d like to take.