As part of our series highlighting pitfalls from my eBook, 100 Security Program Pitfalls and Prescriptions to Avoid Them, this blog post focuses on “Pitfall #3 – Management Commitment to the Security Program.”
A lack of management commitment introduces an unnecessary level of risk.
Your security program must be actively supported by management throughout the organization. This is not specific to IT management or Security department management. Managers within all departments must be committed to the success of the security program and offer support in their respective areas of responsibility.
Management commitment should be demonstrated by clear direction for the security program. This includes explicit assignment of tasks and acknowledgement of security responsibilities. The establishment, as well as the continuous management, of security program controls by personnel across the organization should be formally assigned and documented.
There may not be a standard solution for all organizations, but an easy way to demonstrate commitment to your security program is to add “security” to the agenda of meetings that are already scheduled on a regular basis. There is no need for every department to hold a standalone security meeting. Instead, use a meeting structure that is already in place.
Adding “security” as a recorded agenda item to existing team or department meetings provides personnel with an opportunity to present feedback on security policies, ideas for control improvements, ideas for efficiency versus bureaucracy, and enables a broader “buy-in” for the security program throughout your organization. These agendas, along with meeting minutes, provide excellent evidence of management support.
To learn more about this pitfall, and 99 more, get my eBook: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon). Or, register for a demo of the ASECENT Security and Compliance Portal and get a free summary of the 100 Security Program Pitfalls eBook today.