Failing to fully understand risk is a breakdown in governance. In the TSA example, a continual analysis and feedback system focused on risks could have alerted the TSA to the new and growing threat facing passengers. Governance is part of every successful security structure, and security organizations large and small must proactively pursue a comprehensive governance process that fits their business needs and corporate culture.
The importance of a business-aligned, feedback-based governance system cannot be overstated; without the balance these elements offer, technology may become the single focus for protecting the organization (see diagram – Governance). Consider the implications of a security-focused perimeter defense strategy: an overwhelming urge to protect all data at the endpoint could lead to high system loads and drive users to ‘benevolently hack’ their way around under-performing systems to accomplish their goals. Despite its importance, many organizations do not have a governance system in place, or they fail to measure the effectiveness of the governance process. Consider these questions to help you measure governance effectiveness in your organization:
Do you know where your data is? In the PricewaterhouseCoopers survey, six out of ten respondents (60%) reported that their organization did not have an accurate inventory of the locations or jurisdictions where personal data for employees and customers was collected, transmitted, and stored (PricewaterhouseCoopers, 2009). By working with business and technology peers and leaders, risks to data can be analyzed and mitigated.
Are you examining new business technologies? In 2009, only four out of every ten respondents (40%) in the PricewaterhouseCoopers survey reported that their organization had security technologies that supported Web 2.0 exchanges, such as social networks, blogs, and wikis (PricewaterhouseCoopers, 2009). By partnering with business and technology leaders (those responsible for procuring business technology), security organizations can take a proactive approach to risk analysis and mitigation.
Do you have an annual plan that lists business initiatives alongside the security initiatives and technologies that support them? This question is often one of the most difficult to answer, as security planning is still relatively new. Security, mostly seen as a technology province, has often been left out of planning discussions. Security leaders must take a more active interest in collaboration, seeking to understand business and technology plans in order to design and deploy efficient security systems and measures that work with new technologies, products, and services.
Andrea Matwyshyn, author of Harboring Data: Information Security, Law, and the Corporation, perhaps best summarized the need for governance in a recent interview with Knowledge@Wharton:
“There’s a broader lack of planning in many enterprises. In their defense, this field is relatively new. However, the downside of not securing information assets is so severe that it’s important that companies start to focus on process-based, top-down initiatives to incorporate information security at every level of their enterprise. Really the neglect is reaching the point that … an argument could be made that the lack of planning that’s prevalent in U.S. companies may give rise to cause a breach of fiduciary duty. That’s serious. We’ve reached a turning point. This is when it really needs to be addressed aggressively in a process-based approach throughout enterprises.” (Knowledge@Wharton, 2009)
Applying the CIA (Confidentiality, Integrity and Availability) rules to data is a good way to frame a data protection focus. Using the diagram – Data Protection Focus, consider how to protect data stored and processed in cloud-based services when you have no means of controlling access to it or who uses it, and when ‘too risky to allow’ isn’t an option. One way to resolve this problem is to work with business and technology peers to decide what data should be exposed, through a risk vs. value governance process that balances corporate growth and efficiency with regulatory compliance.