Security governance must be enforced at all levels of an organization. But many still do not understand quite what Security Governance is, what is its main objective and how it should be integrated within existing structures in an organization. This chapter provides answers to the following questions:

Information security (IS) is currently making a serious contribution to business development by ensuring not only reliable operations but also new opportunities for qualitative differentiation. It is increasingly seen as a value creator or facilitator of operations in new business models. Its added value includes providing reliable and secure exchanges, ensuring secure data transfers, enabling remote protected access, ensuring the availability of services, and offering the possibility of outsourcing processes in a controlled and secure manner. More traditionally, it protects a company’s know-how and reputation, reduces operational risks, and ensures compliance with legal and regulatory frameworks. It is no longer considered a technical discipline that can be delegated to specialized services. Security is becoming an increasing matter of concern for top executives and is being supervised more and more at the highest level of company responsibility. This is not only required by laws and regulations but is also a reality in many companies anxious to improve cost controls and the return on their investment in protection systems. It is no longer an ancillary activity, as companies seek to optimize investments and ensure the adequacy of deployed IS measures. Management and the board of directors are additionally involved in developing IS objectives and supervising its added value to business objectives. Whether they are customers, partners, suppliers, employees, or shareholders, all stakeholders are concerned about security issues.

Executives and board members must therefore be better acquainted with IS issues so that they can fully assume their new responsibilities. If they do not have answers to the following questions or if the answer is “no”, then there is a real need to review the practices of IS governance within the organization:

If it can be shown that security plays a part in attaining strategic objectives and reducing the risks involved, then it can benefit from senior executives’ attention and take its place as a link in the value chain. Security is essential, but the question is what level of maturity is needed: in other words, how much and what level of IS are enough? Its contribution margin, and especially its cost, must therefore be measurable. However, this cannot be achieved unless the board of directors and management are involved in setting objectives and monitoring the deliverables of the security program.

Several studies have highlighted a positive evolution in management’s awareness of the importance of IS. However, it is still noted that technical means are often deployed in a disorganized manner, in successive layers, to overcome visible threats. Boards and management are not involved or are unable to understand the real issues behind IS, and thus, they delegate this task to bodies with little decision-making power and therefore, few means to act. The return on IS investments is not evaluated systematically. Priority is being given to technical solutions without making the necessary organizational adjustments. Roles and responsibilities are often not well defined, resources are lacking, decisions are not made, objectives and information architectures are not clearly established, and this results in loss of energy, increased costs, and a sense of frustration by both management and the teams responsible for deploying protective measures. This, in turn, causes misunderstanding on the part of the governing bodies, which do not have sufficient visibility regarding the adequacy of the measures and the costs related to real risks, leading to a race to find technical solutions to counter visible threats, but without any real means of control.

The following observations may characterize many companies that have neglected the importance of governance in the field of IS:

These observations lead us to believe that many companies have yet to establish real IS governance. There are many reasons behind this; our goal is not to list them but rather, to propose tools to facilitate the implementation of a governance process adapted to the realities of each company. But, first, let’s take a closer look at governance and management activities to better understand what we are talking about and why it is important.