For organizations moving to reduce information security risk, an effective information security management committee (ISMC) is essential to drive security strategy, eliminate redundant security effort and spending, get a grip on complex infrastructure issues and create a stronger security culture.
In this post, I’ll offer five tips to help make your ISMC more successful.
Tip 1: Make the committee as big as it needs to be.
Committees vary in size and makeup across organizations. I’ve seen them as big as twelve people and as small as two.
As a general rule, I suggest bringing not just IT people but also finance/accounting, HR, operations and possibly legal, internal audit and other disciplines to the table. The more diverse your stakeholder representation, the better feedback and input you’ll get, and the easier it will be to integrate information security into lines of business.
Some businesses want to keep their ISMC confined to IT. I hear things like “We don’t want to bother them… they don’t have the bandwidth…” But most of the time it’s really about controlling the scope and strategy of the evolving InfoSec program.
It’s okay to start with an all-IT core committee for something like defining the initial scope of an ISO 27001 certification effort. But that should be temporary. To holistically address risk, your information security program can’t live within just one division.
For example, most likely your marketing team is dealing with data privacy challenges around GDPR or CCPA that you can be helped through the ISMC. Bringing in your VP/Director of Marketing as a stakeholder in the ISMC is mutually beneficial.
Tip 2: Meet at least quarterly.
To review and address the various aspects of your InfoSec program, the ISMC will need to meet at least quarterly. For example, risk assessments and risk treatment plans require quarterly review to maintain an ISO 27001 certification.
Another reason to meet quarterly is the ISMC provides key input to the C-level board, which will be looking to ensure the vision and objectives of your program are on track and align with the company’s direction.
You’ll also need to review various metrics on a quarterly basis (others can be reviewed semiannually or annually). InfoSec policy and procedure review can usually be done annually, ideally at the same time each year.
Tip 3: Spread responsibilities around the committee.
For resiliency if not sanity, it makes sense to distribute core responsibilities across your ISMC. That way if a key committee member leaves the organization, all the knowledge regarding your information security management system (ISMS) or program doesn’t leave with them.
Whatever the size of your committee, you always want to establish a chair or lead. Often this is the CIO, CISO, IT director, etc. This person shouldn’t be responsible for completing every task but should be responsible for facilitating the meeting and for presenting key findings to senior management.
Tip 4: ISMC members need to be engaged.
How do you know if your ISMC members are engaged? They’re looking to make positive changes, they’re relaying quality input from their area of the business and they’re identifying context/scope issues. Members that are less motivated may just be “phoning it in” and may see the ISMC as merely a route to a certification or whatever. Don’t let this view predominate on your committee.
Tip 5: Communication is number one.
The number one success factor for an ISMC is communication. You need to ensure what you outline as critical to accomplish for your InfoSec program is understood and is being accomplished; that is, setting goals and hitting them.
Having a strategy for communicating with the rest of the company can help drive buy-in on initiatives and supports a security culture. One best-practice communication strategy is a quarterly newsletter. This helps keep security top-of-mind and helps reduce risk by keeping employees aware of new threats like new phishing attempts.
At the end of the day, an effective ISMC doesn’t make an organization secure—it just gives you an important tool to help you improve security and reduce risk.
Is your business ready to take its information security posture to the next level, and/or to pursue alignment with ISO 27001 or a similar framework current? To talk over your goals and strategize next steps, contact Pivot Point Security.