Looking for a way to boost your information security program’s effectiveness? Do you find yourself constantly answering the same questions? Do you feel like your institution operates in a bunch of different silos and no one really gets the big picture?
The answer may be to begin or rethink your approach to your program’s governance! Here are five things to consider in making sure your institution gets the gist of governance:
- Bring in the buy-in: Before starting or substantially changing your approach, you MUST have buy-in from senior management. A beneficial way to do this is to meet with each member of senior governance individually. Discuss the benefits of your proposal for their area and the overall institution. Be upfront with any expectations you have of their area. Ask about their concerns with the changes, take notes and follow up on them so that they know you are taking them seriously. Draft a charter and have it handy. This is an important step because when they are bought in, the rest of the organization will follow!
- Break down the silos: It’s not uncommon for some areas within institutions to operate in a silo. This means that there is little communication and collaboration outside their area of the institution. Operating in silos leads to undiscovered risks, missed opportunities, increased costs and operational risks because relevant information is not passed on, problems remain unresolved and sometimes redundant work, systems or processes are in place. Asking for participation from these areas will provide an opportunity to involve them in helping the institution uncover and mitigate these risks.
- Bring something to the table: Asking for everyone to participate not only makes your workload with the committee more manageable but creates a sense of ownership in the committee members. They could participate in activities such as:
  - Serving as a contact for their area to answer questions about new processes, procedures and initiatives,
  - Gathering information and/or feedback from their area,
  - Completing risk assessments, business impact analysis, etc.,
  - Weighing in on timing and priorities for the year,
  - Reviewing policies and goals to brainstorm risks.
- Be respectful of their time: Time is precious for everyone, so help them prepare by:
  - Sending agendas in advance of the meeting so that they can engage others, if necessary, and have their thoughts organized in advance.
  - Covering the main points but not every detail. Don’t read the presentation or materials to them.
  - Being explicit about how this can impact or benefit them and how they fit into the big picture.
- Be prepared to keep records: The old adage goes, “If it isn’t documented, it isn’t done.” Auditors and examiners are going to ask for these, but there are also more practical reasons for this. An easy objection when asking for participation or introducing a change is “you didn’t tell me about this.” Minutes are your best friend in moments like these! Minutes should include who attended, the materials presented, questions asked, discussions and vote results. These can be shared with senior management and the board to keep them in the loop as well.
Ultimately, any initiative will be more successful with support and buy-in across the institution. Also, no one can anticipate all the impacts of new policies, processes and systems or have all the answers to problems, so don’t put yourself in the position of going it alone.
If you need help with your program’s governance, please feel free to reach out to us for more information! Shoot us an email at support@bedelsecurity.com or give us a call at 833-297-7681.