Information security has become fundamental for business survival. The 13th annual Ernst & Young Global Information Security Survey indicates that while enterprises increased their security budgets, many of them lack the ability to face complex security threats. I am highlighting this survey because it reveals the fundamental issue of IT Security Governance. Increasing budgets to implement new technologies is not solving many of the problems enterprises face when it comes to security. It is also important to know when, by whom, and how the complexity of IT Security should be dealt with.
Let’s discuss 3 myths about IT Security Governance:
- IT Security Governance is about managing technology issues. Information security is often seen as a technology issue, when it should be perceived as a governance issue. The failure to address security problems in today’s environment is caused by organizational issues, not just technological limitations.
- IT Security Governance is the responsibility of the CIO. Sarbanes-Oxley and recent SEC guidelines have obligated the CEO and board members to be involved in information security. IT Security should be managed as an enterprise issue, horizontally, vertically, and cross-functionally throughout the organization. The CIO alone cannot deal with company-wide security issues. The board of directors and executive management must also be actively engaged.
- IT Security Governance has nothing to do with enterprise governance. IT Security Governance, like Enterprise Governance, requires the oversight of key positions on the board of directors. It is an integral part of enterprise governance and consists of the leadership needed to ensure that IT sustains and extends the enterprise’s strategies and objectives.
IT Security Governance must ensure that IT security strategies are aligned with business objectives, laws, and regulations. It is most effective when it is embedded into the culture of the organization and the behaviors of employees. In this regard, we should recognize that IT Security is not solely the responsibility of the CIO or CISO. IT Security is also about shared values, best practices, a clear organizational culture, and the behaviors that characterize each employee.
Companies should stop thinking of IT Security Governance as something relegated solely to software implementation and IT departments. Today, boards of directors, senior executives, and managers all must work together to drive toward effective enterprise security.