The Link Between Information Security and Corporate Governance

The critical infrastructure that enables global commerce and our nation's physical security is only as strong as the information security that supports today's networked environment. While enormous strides have been made, there is no single technological bullet to solve the problems we face.

Information security, though often viewed as a set of technical issues, must be embraced as a corporate governance responsibility that involves risk management, reporting controls, testing and training, and executive accountability. As such, it requires the active engagement of all CEOs and boards of directors.

To this end, the Corporate Governance Task Force for the National Cyber Security Partnership was established last December to develop and promote a coherent management framework and to drive implementation of effective information security programs across all industries, organizations and educational institutions. Earlier this month, the task force unveiled its initial report, "Information Security Governance: A Call to Action," which was crafted through an unprecedented level of consensus and resource sharing among member experts from academia, government and industry.

Corporate governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. The task force report provides a subset of governance policies and controls that include identifying cybersecurity roles and responsibilities within executive management structures, establishing risk management and quality assurance benchmarks, creating institutionalized testing and training, and outlining best practices and industry metrics. In addition, flexible assessment tools were developed to bring accountability to three key elements of corporate governance: people, process and technology.

By using the information security governance framework, CEOs and boards of directors will create a safer business community internally and for their customers and others interconnected throughout the critical infrastructure. In aggregate, such measures serve as an executive call to action that will also help better protect our nation's security.

As consumers, investors, partners and citizens have become increasingly concerned about the integrity of the information and IT systems used by public and private enterprises, state and federal policy-makers have taken notice by passing several laws and regulations with direct implications concerning everything from network security to financial reporting. For example, the attestations signed by CEOs declare that the "internal controls" in place to comply with the Sarbanes-Oxley Act carry criminal penalties, and legislators in California have established regulatory regimes that determine how companies must structure their networks and secure consumer information if they want to avoid severe civil penalties and potential class-action litigation. Unless progress is made, policy-makers have advised that industry can bet on even more regulation. Clearly, this is not the preferred option.

Enterprises must also honestly address the full universe of security threats, both external and internal. Much of the public scrutiny surrounding information security to date has been fixed on external attacks such as viruses, incidents of hacking or cyberterrorism. Today, the vast majority of breaches, and often the most costly, are those that occur within an organization's internal network. Taking into account the ever-increasing amount of network integration with customers and partners and the use of outside contractors, such threats may continue to proliferate unless strong information security frameworks are implemented throughout company management chains.

Information security governance will provide organizations far greater benefits than just legal or regulatory compliance. Robust security serves as a catalyst to even greater productivity gains and cost efficiencies for businesses, customers, citizens and governments during times of crisis and normal operations.

Integration of information security must become a core management and governance function. And like quality, information security must be embraced as a journey requiring continuous improvement over time, with CEOs and boards of directors responsible for implementation and vigilance. Only in that way will we reap the potential economic and homeland security benefits enabled by the digital world.

Orson Swindle is a commissioner of the Federal Trade Commission. Bill Conner serves as co-chair of the Corporate Governance Task Force for the National Cyber Security Partnership, a voluntary public/private initiative whose members include academicians, senior government officials and a cross-section of industry experts. Conner also serves as chairman, CEO and president of Entrust Inc., a leading Internet security provider to large companies and governments. A full copy of the task force's report can be found at www.cyberpartnership.org.

Copyright © 2004 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon