In both large and small businesses, I can't tell you how many times I see IT running the information security show. It can't be that way. It never works, and it never will.
Security impacts every aspect of the business, so you've got to be willing to give up the reins.
You absolutely have to have the right people working together. To do that, you need to form an IT security committee to push things along.
Comedian Fred Allen defined a committee as "a group of people who individually can do nothing, but as a group decide that nothing can be done." I've certainly seen -- and served on -- my share of such committees, and I'm sure you have, too. You don't want your IT security committee to be another of those groups that can't make things happen.
So what makes for a good security committee? It should be small, and it should have sharp decision makers. But who exactly should serve on such a committee? It's probably not who you'd think. Outside of IT, a solid security committee will likely include representatives from the human resources, legal, operations and marketing teams as well as from executive management.
Arguably the most important thing about a functional IT security committee is that it must have a good leader. That may not be someone from IT. It could be someone in legal or HR or finance. Security impacts every aspect of the business, so you've got to be willing to give up the reins.
Questions and answers on IT security, committees
What is information security governance?
How do I begin corporate security awareness training for executives?
What are the best practices for an information security steering committee?
Obviously there's a strong IT component to security -- you couldn't have security without it. But security is more about the business. The goals, the strategies, the day-to-day operations are all wrapped into the security effort.
Even if you're not the one in charge, you can still lead a charge for a functional security committee. It can no doubt put you in good favor with your peers, management and others you've likely never met before.
A simple way to get started is by pulling together a small meeting of the right people, explaining what you're trying to do and talking about what needs to be done for the sake of the organization's well-being. Then, see what happens. If the committee is visible enough, and if management sees the value, it'll most certainly take off.
Remember though, in the interest of everyone's sanity, don't meet for the sake of meeting. Focus on results -- getting things done. That's the only way you're going to be able to keep an information security effort alive.
About the author
Kevin Beaver has worked for himself for over 10 years as an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic. With over 23 years of experience in the industry, Kevin specializes in performing independent security assessments around information risk management. He has authored/ or co-authored 10 books on information security, including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Follow him on Twitter at @kevinbeaver.
This was first published in December 2012