Corporate governance is a term that refers broadly to the rules, processes and laws by which businesses are operated, regulated and controlled. By mandate, all Zimbabwean companies should practise good corporate governance, whether or not they are listed on the Zimbabwe Stock Exchange (ZSE).
However, most senior executives and board members in Zimbabwe seem to turn a blind eye to a critical facet of corporate governance: information security governance. In many jurisdictions, senior management and the board are held accountable for any security breach of the organisation's data or IT systems.
Before I get into the detail of defining information security governance, let me give some background to support the above assertion. I was at one point a surveyor for the Global Information Security Survey for the Middle East and Africa (MEA), and I had the opportunity to sit down with senior executives from organisations across many sectors to discuss and survey information security governance and other security issues.
From the survey I learnt that the governance of information security is still in its infancy in Zimbabwe, and in some cases it does not exist at all. This problem is common to most SADC countries. South Africa, though, has made positive strides in this area by imposing stringent compliance regulations, i.e. the Electronic Communications and Transactions Act 25, the Protection of Personal Information Bill, King III and the SA National Cyber Security Policy, which set out the legal obligations and the liability for non-compliance.
As it stands, we have nothing of this nature in Zimbabwe that covers all industry sectors. This lack of proper governance and legislation for cyber security is holding back investment in information security in most African countries, e.g.
“We need to have a proper framework for this thing; another problem is cyber security. We don’t have a law to crack down on cyber criminals; if you commit any ICT crime, it is not enforceable in the Nigerian court because we don’t have the legal backing yet.” An excerpt from “Absence of Cyber Crime Law, Threat to ICT Investment” – Nitda (Nigeria)
Info Sec Governance
Information and IT systems have become the lifeblood of any modern-day business. Companies succeed or falter based on the reliability, availability and security of their information. But are most companies properly governing how their information is used, shared and analysed?
Information security governance is the system by which an organisation directs and controls information security. It also describes the process of establishing and maintaining a framework that provides assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and assign clear responsibility, all in an effort to manage risk. In the simplest terms, it is a subset of the (even more grandiose-sounding) discipline of corporate governance, focused, unsurprisingly, on information security.
Senior leadership's commitment to information security is the single most important factor in effectively managing the security risk to an organisation's information assets. This leadership obligation is also referred to as the duty of care, or due care.
To be successful, enterprise security governance activities must be driven by the board of directors, senior management and designated key personnel. These activities should be undertaken in a manner consistent with the organisation's risk management and strategic plans, compliance requirements, organisational structure, culture and management policies.
A key aspect of security governance is the need to define decision rights and accountability. Achieving this both in theory (the organisation's structure is clearly defined) and in practice (everyone knows what to do and how) requires the right culture, policy frameworks, internal controls and defined practices.
The complexity and criticality of information security and its governance demand that it be elevated to the highest organisational levels. As a critical resource, information must be treated like any other asset essential to the survival and success of the organisation.
From here to there
There is a need for organisations to start focusing on proper security governance. For a start, organisations such as the Zimbabwe Stock Exchange, the Government, the Computer Society of Zimbabwe, the Law Society of Zimbabwe, POTRAZ, ICAZ, IIAZ, the Zimbabwe Institute of Management and other industry governing bodies should put their heads together and define appropriate legislation that mandates information security governance, either by referring to existing international frameworks (PCI-DSS, SOX, COSO, ITIL, SABSA, COBIT, FIPS, NIST, ISO 27002/5, CMM, the ITG Governance Framework, etc.) or by consulting local information security and business professionals to come up with an information security governance framework. Senior management and executives may gain good exposure by attending seminars such as the MIS Information Security Africa Summit or other related events.
Good corporate governance coupled with good security governance has at least the following characteristics:
- It is treated as an organisation-wide issue and leaders are accountable
- It leads to viable Governance, Risk and Compliance (GRC) milestones
- It is risk-based and focuses on all aspects of security
- Proper frameworks and programs have been implemented
- It is not treated as a cost but a way of doing business
- Roles, responsibilities and segregation of duties are defined
- It is addressed and enforced by policy
- Adequate resources are committed, and staff are aware and trained
- It is planned, managed, measurable and measured
- It is reviewed and audited
The turnaround
As the Zimbabwean economy slowly recovers, the practice of information security should mature alongside it across all industry sectors. Its adoption will make security an integral part of every organisation, and investor confidence will be boosted as a result.
With time, as information security governance takes root, the following benefits may be noted:
- The Board of directors taking full responsibility for Information security initiatives
- Strategic alignment of information security with institutional objectives
- Risk management – identify, manage, and mitigate risks
- Performance measurement – defining, reporting, and using information security governance metrics
- Value delivery by optimising information security investment and security project delivery
- Effective protection and security of information assets
- Compliance with local and international regulations becomes easier
- Improved resource management, optimising knowledge, information security and IT infrastructure
- Increased customer confidence
We would love to know your thoughts. Is information security governance a metaphor for bureaucracy and inaction in your organisation, or have you found it to be a positive force in aligning your efforts to the needs of the business?