By Peter L. Higgins
Security Governance, like Corporate Governance, requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches.
In watching Richard Clarke’s testimony the other day in front of the 9/11 commission, I was struck by his ability to deliver precise salvos of devastating sound bites. These statements of opinion may or may not be backed up by witnesses. If there is anyone who could uphold the foundational policies of Security Governance, it is Mr. Clarke. You have to admire a person who stands up for what they believe, except when those beliefs begin to erode the management system for security governance.
The basic responsibility of management, whether in government or the corporate enterprise, is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.
If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.
An organization’s top management must identify, assess, decide, implement, audit and supervise their strategic risks. There should be a strategic policy at the board level to focus on managing risk for security governance. The security governance policy should mirror the deeply felt emotions of the organization or nation, to its shareholders and citizens. It should be a positive and trusting culture capable of making certain that strategic adverse risks are identified, removed, minimized, controlled or transferred.
More in this series over the next few weeks.