Moving past IT compliance, IT “governance” is becoming the new area of focus in enterprises today. With compliance often being a more tactical business function, IT governance tends to operate at a higher level, especially in larger organizations. Internal audit, legal, and boards of directors tend to be more involved in this governance aspect. Maybe because it sounds more official and is thus more appealing – the “serious” part of IT. Regardless, it’s here and part of your job as a business executive.

One thing I’ve observed regarding IT governance is that it can be too high level for its own good – not unlike compliance, where “all is well in IT” simply because someone said so. With web security being a smaller component of both information security and IT governance, it might not get the attention it deserves. With core business applications and processes depending on your business’s web environment, this is not something to take lightly.

The following are four ways you can help ensure web security remains in the limelight at the highest levels of your business:

1. Understand web security

You’re not going to be able to understand its impact and communicate the value it brings to the business without first knowing the basics of web security.

2. Hold your own people accountable

Make sure your IT, security, and development staff are providing you and your peers with the information you need to make informed decisions. As Albert Einstein has been quoted: “If you can’t explain it simply, you don’t understand it well enough.” Encourage and incentivize your staff to improve their communication skills. It’ll cost very little and changes can be made in a relatively short period of time.

3. Get your peers involved

If other people in management see that web security is something that matters to you, you can effect change at the highest levels of the business. Speak with them directly and, just as importantly, have your team members present their messages at management and board meetings. Web security won’t be a priority for others if it’s not a priority for you.

4. Use metrics for measuring performance

A key aspect of IT governance is measuring how well the various components are working. Web security has a lot of moving parts that can be measured, including vulnerabilities found, testing progress, and incident response. If you want to manage (or govern) it, you need to be measuring it. The right metrics standards, web security tools, and well-communicated expectations must be present – things that are ultimately up to you.

Your fellow business executives, board members, and other key players all have one thing in common: they fear – and will go so far as ignoring – what they don’t understand. If you can make web security part of your ongoing IT governance program, even if it’s just a line item for now, you’ll have one of the most important aspects of security and risk in your business on the radar of those for whom it matters the most. Once web security becomes integrated with your IT governance program, you’ll likely find that your web-related risk factors go down and the morale of your web security team goes up. Everyone wins!

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.