As technology continues to become a core part of how organizations do business, alignment between business and security leaders is critical. Having a security committee is a proactive, intentional strategy that helps drive partnership, engagement and
value by creating a dedicated forum for cross-collaboration across business and security. However, without guardrails, there will always be competing priorities across these groups.
This piece provides best practices committee creators can use to build a security charter that will provide needed input into governance; risk rankings and prioritization; policies, standards and guidelines; compliance requirements; and findings.
Creating a Security Committee Charter
Establishing a security committee is a great way to encourage interdepartmental collaboration, gain buy-in and drive accountability. Because there are myriad challenges to resolve and opportunities to improve, it is important the founding member(s) of
the committee create a charter. The purpose of the charter is to define the committee’s structure, focus areas and goals to help prevent scope creep, establish boundaries and ensure all committee members work together toward the same goal.
Key components of the security committee charter include:
- Purpose: Security committees can be developed for many reasons. Defining the committee’s purpose ensures all parties are aware of the committee’s main goal.
- Scope: The scope portion of the charter outlines which areas of the business, projects or initiatives the committee will focus on supporting. Then, over time, any changes to the committee’s scope should also be defined and agreed to as the business
evolves. Many operations leaders complain they only have reactive opportunities to be involved in security initiatives. If core groups are represented in this scoping exercise, business leaders feel included and have a higher willingness to participate
and get their teams involved.
- Company values that align with the committee’s purpose: Organizations pay special care to the core values they create and encourage their staffers to consider these elements in their normal course of business. Even when not explicitly communicated,
values are an important part of defining a company’s culture and shed light on how things get done. One of the security committee’s goals should be to integrate security awareness into the company’s culture. A great way to do that is to lean on existing company values that share a similar objective to the security committee’s focus areas and purpose.
- Roles and responsibilities: Nontechnical professionals are often easily intimidated by the concept of cybersecurity because it is rapidly evolving, has serious consequences and is unfamiliar. As such, sharing how each member of the charter should contribute
and the value each perspective brings and how it enhances the security function is necessary. The members of the security committee should represent each key function/unit across the enterprise and have deep knowledge of operations, risk, strategy,
business goals and customer sentiment—both internal and external. These elements alone are of significant value to the committee (because many business units and functions have complementary structures and customers) and to security personnel,
who are likely not as close to the internal workings of each business area.
- Success measures: It is critical to ensure the security committee creates value for all parties involved, the broader enterprise and the company’s customers. Defining “success” creates a North Star for the committee to refer to when
competing priorities, uncommon challenges and differences of opinions are introduced. Success measures should be both qualitative and quantitative and can tie closely to committee scope, company values, client experience, risk reduction and/or financial
performance. Some examples include Net Promoter Scores, customer satisfaction scores, SLAs/turnaround times, incident reduction percentage, etc. Success should also be shared with the broader organization through common channels like corporate town
halls. This further propels security culture and awareness and creates a foundation for future buy-in from executives.
READ: Does Your Business Need a BISO?
Benefits of an Internal Security Committee
For security to be a business enabler, security leaders must understand the business and its functions. It is not uncommon for leaders and staffers within shared services functions like security, audit and compliance to have just a base understanding of how business units are structured.
The security committee offers a great opportunity to disrupt this reality because it creates a forum for each business unit leader or function to educate not only security, but the remaining charter members on their business structure, customer profile,
product overview, challenges and big wins. Through these discussions, other business unit leaders often identify commonalities between their organization and others. This facilitates idea sharing, collaboration, streamlining and higher participation
in security efforts, which all benefit the overall security function.
Keeping a Primary Focus on Security
There will always be a host of issues that security can help solve for the business, and the business will always have a list of things it wants the security function to improve. Many security functions get nothing done because they make the mistake of
attempting to “boil the ocean.”
A core exercise the security committee should practice is creating a list of the top five topics to focus on. The committee member who proposes each topic should present supporting data and perspective to justify the choice. Committee members should also
consider each ideal solution’s effort to implement and impact when considering items of priority. This exercise should be performed regularly, either each quarter or as items of priority are resolved by the committee.
READ: Build a Stronger Security Culture with a BISO
Tips for a Successful Security Committee Charter
Creating a security council can be a secret weapon for security leaders to solve the common challenges of relationship management and security prioritization within an organization. It creates a trusted forum of leaders with decision-making capability
and influence, enabling them to share insight into their business that may not be considered by risk and security teams. To ensure your security committee is successful:
- Tie security goals and initiatives to business goals to facilitate leader buy-in.
- Prioritize challenges that impact leaders across numerous functions/businesses to ensure committee relevance.
- Reflect often on purpose and encourage behaviors that align with company values.
Security Committee Charter Resources
The following resources might also be helpful when building a security committee charter:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.