We’ve said it many times: Security matters, and security leaders have more influence on and access to boards and senior executives than ever. Thanks to external forces like ransomware attacks, evolving security and privacy legislation, and the dread of losing cyber insurance coverage, they get it at the top. But that doesn’t always translate into engagement or action at other levels of the organization. In fact, our research finds that security leaders cite a lack of visibility and influence within the organization as a top challenge, and 22% list improving the alignment of security with business strategy goals as a top priority.
Savvy security leaders are finding new ways to drive security responsibility and engagement throughout their organizations. They’re creating security champions programs, embedding business information security officers (BISOs) in business units, and reviving a governance body once common in the early days of security as a separate function: the Information Security Steering Committee (ISSC). Forrester defines an ISSC as:
A governing body responsible for the direction and implementation of information risk management, communication, and assurance within the organization. The ISSC, most often chaired by the CISO or senior-most security leader, is tasked with delivering strategic direction, risk management, resource prioritization, performance management, and cultural leadership.
Forming an ISSC in your organization disperses key security values and messages across the company and expands security’s influence. It should be cross-functional and include professionals from core business areas and functional areas outside of IT, like employee experience, legal, and finance.
Members of the ISSC don’t have to be the senior-most members of their functions; in fact, that’s often counterproductive due to nearly constant schedule conflicts. Focus on getting senior-enough leaders or professionals who are interested, have a stake in securing data and/or IP, and are empowered to represent their functions.
Good Governance Doesn’t Happen Ad-Hoc
To bring order to your security governance body — or to revamp a currently ineffectual committee — we’ve developed an ISSC charter template you can use to formalize the purpose of the group, its operating principles, meeting cadence and management, and how the group communicates decisions across the company. Download and edit the template to best meet the needs of your organization and your goals for business engagement.
But Wait, There’s More!
When you’re done customizing the ISSC charter template, check out the other tools and templates we’ve created for Forrester Decisions Security & Risk clients, including:
- Board presentation template
- Emerging Technology Risk Assessment: Chatbots decision tool
- Identity Orchestration decision tool
- Information Security RASCI Chart template
- Information Security Steering Committee Charter template
- MITRE Evaluations Results decision tool
- Privacy Risk Assessment Tool For Data-Driven Business Projects
- Ransomware Survival Guide decision tool
- Risk appetite statement template
- Risk management policy, standard, and procedure templates
- Security operating model design template
- Supplier resilience assessment tool
- And lots of role descriptions!
We’re working on more tools and templates to help you make better cybersecurity decisions — and save you time in the process. What tools or templates would help you or your team? Reach out with your ideas or set up a guidance session with us to talk through your challenges.