This week it’s been put to me several times that the major problem for the Security function is gaining the attention and support of Management Boards. This surprises me, because contemporary corporate governance expectations generally require that all organisations operate an effective risk management process, one that identifies and addresses all major sources of risk.
So what is going wrong? If an organisation has such a process in place – and if not, why not – then there should be a perfectly good mechanism for articulating security risks to the Board and the Audit/Risk Committee in a form that they cannot possibly ignore without breaching compliance requirements.
Of course it might be that the risks have not been adequately assessed. Perhaps they’re out of date, for example? This can easily be remedied. Or maybe the risks are not significant enough to engage Board attention? In that case the system is working, so what’s the beef? However, I’ve also noticed that this logical response of mine doesn’t quite hit the spot. So I suspect there is a deeper problem that I’m missing. Can someone put me right?