Question

The governance of information security is a strategic planning responsibility whose importance has grown in recent years. Discuss ways senior leaders and executives can ensure the proper governance of information security.

Answer 1

In this modern world, where the whole world depends on the technology where technology again just depends on the information, it would be a devastating saying that “We don’t need any information security.”

As everybody in this modern world knows how and why the information and data are important, as this modern world moves on with the information and that’s why it is so important to secure that information.

In an organisation, it is the role of senior leaders and their executives to set the information security culture spectrum so as to mitigate any information breach in the organisation.

There are some ways using which senior leaders and their executives can ensure the proper governance of information security.

• Senior leaders should encourage the cybersecurity policies and practices in their organisation by designing top-down strategies to handle and manage the cyber risks across the enterprise.

• Senior leaders and their executives should first understand what the risks can be in their enterprise and after going through the risks in detail, they should understand the threats they may face and then should inform a risk management strategy with the knowledge of which assets that require the most protection.

• Leaders must understand that information security is not something that will grows itself organically. They should understand that organisation’s information security is a culture that requires care and feeding. They should invest in security culture and should make a sustainable security culture.

• They should organise various stress tests with simulated cyber attacks that should be designed in a way to so as to do the risk management. These tests should be able to answer the questions “Can they withstand the failure and if not, then what should be the measure”

• The higher authorities of the organisation should invest in information security or any cyber awareness training of the enterprise people. As most of the information theft exploits the human factor. So investing in and building only technical safeguards will not incorporate 100% security, rather training the workforce for security will definitely increase the ability of organisation to adapt and to tackle any information theft or other threats.

• One person cannot handle the information security at all. The leaders should build a security community in the enterprise as it is the spine of a sustainable security culture. The security build must be divided among different security interest levels within the enterprise like dividing it among advocates, sponsors, security aware. That community should provide the connection between different peoples at different levels across the organisation.

• The leaders must understand that information risks can only be mitigated and cannot be eliminated from the organisation. So the leaders should focus on increasing the resilience powers of their organisations like by strengthening the company’s security posture.