When people think about the factors most influential in determining the effectiveness of an information security program, the first items that come to mind are typically technologies, policies, and controls. Often overlooked is one of the most critical components of the program, if not the most critical: its leadership. Secure technology and methods are, of course, vital components too, but their effectiveness can be nullified if leadership is unable to establish, enforce, maintain, and direct their use.
Effective leadership, however, is a challenge in and of itself; it is not as simple as hiring a competent C-suite. As talented as a CISO or CPO might be, no one person can be expected to fully understand the culture, processes, and concerns of every department in an organization. Imagine if a president were required to understand all of those factors first-hand for every government department before making a decision: by the time they came close to a full understanding, their information on the departments reviewed earliest would already be outdated, they would probably be past their term limit, and no decision could ever be made. The problem is that those factors are instrumental in determining the true effectiveness of such decisions, so strong leadership cannot ignore them. Barring omniscience on the CISO's or CPO's part, upper leadership needs advice and influence from department representatives, and that is where the Information Risk Council comes in.
If the term Information Risk Council (or IRC, for short) is unfamiliar, there is no need to worry. The group often goes by different names at different organizations: Department GRC Committee, Risk Management Council, Risk Governance Committee, and similar names are all ones you might encounter instead. What is crucial is not the name but the concept behind it, which is defined by the group's composition and concerns. In essence, the IRC (under whatever name) is a group of senior infosec leadership and department representatives that focuses on composing, ratifying, and implementing security policies, controls, and initiatives throughout the organization. To better understand the council's purpose, it is best to look at the composition and concerns in some detail.
- Composition: The major benefit of the IRC lies in granting the company's executive security and privacy owners a deeper understanding and a wider perspective of the company's state and needs, and grouping in representatives (or heads) of every department is how that purpose is fulfilled. Department representatives should be able to collect and report on their own department's state and needs, and thus provide valuable insight when decisions are made that affect, or are informed by, that department.
- Concerns: With the general objective of providing cross-departmental, informed direction for the information security program, the IRC typically takes on a number of duties in its operation. As a baseline, these generally include quarterly meetings to discuss the state and direction of the program, a designated policy and assessment review and approval procedure, risk management discussions and reports, and incident handling and response. Additional roles may come into play as the organization's needs change, but these basic responsibilities cover the core needs of most effective IRC initiatives, and the council carries them out more decisively than a CPO or CISO could by taking on those same tasks alone.
Altogether, taking the two fundamental considerations above as a framework makes a strong starting point for an effective IRC. The benefits such a team brings to an infosec program often impress the clients who implement one, because they are usually multifaceted. Not only does the improved perspective help with the direction of change, it also typically makes departments feel heard and more accepting of that change, which encourages new policies to be acted upon in practice rather than just in writing. There is no need to just read about the benefits, though: try forming a team at your organization and see for yourself. In almost every implementation the barrier to entry is low and the opportunity for improvement is high.
Could your business use help implementing an IRC? Or could you use some assistance directing and refining an existing team? Either way, CyberData Pros have assisted many committees from inception to maturity and can walk your organization's team to that same state. Contact us now for a free consultation and to learn more about our services.