ABSTRACT

So what does this have to do with information security governance? Plenty. Let’s think for a moment about what happens whenever something in our lives goes wrong. We are likely to (1) jump to an immediate determination or conclusion of what went wrong, (2) determine who is responsible, (3) figure out how to contain the problem and keep it from spreading or continuing to cause more damage, and (4) implement changes to minimize the potential for recurrence. After we have answered these questions, we then figure out how to get on with our lives and have some sense of peace until the next challenge is presented to us! We also start to ask ourselves: How did this happen in the first place, and could it have been avoided? Monday morning quarterbacking is a self-perceived right that each of us will invoke on some situation at some point in our lives. Information security governance unfortunately follows a similar path within many organizations: the incident that “should never have happened” occurs, the organization quickly mobilizes to resolve the issue, finds the person to accept responsibility for the problem, attempts to limit the damage, and then, and only then, decides that maybe there is a fundamental problem with the way information security is being managed and exercised within the organization. This then leads to reviewing how information security is being governed, and changes begin to occur. Recent history has numerous examples where the information security officer was asked to leave the organization following a major incident; however, the reality is that many times the issue is a governance issue involving shared responsibility across the organization. In the case of the oil spill, while it is currently unclear who was at fault, early media reports are faulting cleanup efforts for not being swift enough to contain the oil spill. Not every business will experience an incident of this magnitude, and if the incident is not very significant, business may continue as usual until a large incident occurs that negatively impacts the organization’s reputation or finances.