What Is Board Governance Versus IT Security Governance?
Sydney Technology Solutions provides IT management and IT security consulting to help you decide the best IT security governance policies for your company in Australia.
Information security governance is a different animal than corporate/board governance. In fact, in larger organizations, several departments might have steering committees to keep their efforts in line with corporate goals and regulatory and compliance considerations.
It’s worthwhile to consider formal descriptions of board governance versus IT governance before discussing the particularities of IT security governance in Australia.
What Is the Difference Between Board Governance and IT Security Governance?
The difference is mainly a matter of perspective.
What Is Board Governance?
Board members steer the organization from a high level and strive to make sound, legal and ethical decisions for a sustainable future. They also have a fiduciary duty to ensure that the company has adequate resources to pursue its goals.
What Is IT Security Governance?
IT governance seeks sound decisions regarding the processes, tools, and methodologies needed to align the appropriate IT services and infrastructure with business goals; IT security governance is the part of that discipline concerned with protecting those services and the data they hold. IT security steering committees should include the right members (business owners as well as technical leads) to ensure that proposed projects address real risk and produce a significant return on investment.
To a large extent, the board doesn't need to be involved in the detail of security policies. Instead, the appropriate decision-makers can determine which cybersecurity issues and threats should come to the board's attention. These may include imminent threats, data breaches, serious vulnerabilities that need to be addressed, and required capital expenditures that affect profitability.
This sentiment was crystallized by Sydney Water’s Stephen Frede, an IT security manager. Frede told CIO magazine, “It’s great to have support from the board, but I challenge the assertion the board needs to be deeply involved in security…Corporate governance is an established framework built up over hundreds of years and there is a strong separation between governance and management.”
Frede added that it's important to know about best-practice guidelines such as the Australian Government's Protective Security Policy Framework (PSPF). However, each company needs to build its own IT security governance framework.
Companies do need to take the relevant privacy laws into account when setting their IT security governance strategy.
What Are the Regulations Impacting Information Security in Australia?
Three main pieces of legislation set the data privacy requirements in Australia:
- Privacy Act 1988 (the Privacy Act, including the Australian Privacy Principles)
- Privacy Regulation 2013 (regulations made under the Privacy Act)
- Privacy Amendment (Notifiable Data Breaches) Act 2017 (mandatory data breach notification, in force since February 2018)
The 2017 changes came about in reaction to high-profile data breaches, which would certainly hit the radar of corporate board members. If Australian law continues to head in the same direction as the EU's GDPR, individuals will soon have more control over their information. This puts a greater onus on businesses to develop proactive network defense policies as well as reliable data recovery plans.
Where Can IT Security Governance Run Afoul of Board Decisions?
A point of contention may arise when credible threats with high-cost solutions are brought before the board. When reviews and audits bring risks to light, IT security professionals want to resolve them immediately. However, it's not unusual for the corporate board to hold up remediation because of the disruption or cost to the business, which is why risks should be presented to the board in business terms (likely impact, likelihood, and the cost of inaction) rather than as purely technical findings.