
Information Security Governance: Centralized vs. Distributed

Audry Agle, VP at The First American Corporation, on creating a model that works for your business

By Audry Agle

September 03, 2008 (CSO)

The management of information risk has become a significant topic for all organizations, small and large alike. But for the large, multi-divisional organization, it poses the additional challenge of determining how to deploy an information security governance program across what are often disparate business units. Should the policies, procedures, and processes that define the program be developed and managed within a central, corporate body? Or would responsibility be better placed at the individual unit level? Is there a workable middle ground?

If alignment across business units is important, a centralized model would seem the proper choice. By directing and managing the program within a central governance body, all business units are required to abide by the same unified vision and policy set. This structure gives executive leadership and the board better oversight, as there is only one place to go to assess the security posture of the organization. Centralized governance is generally the most efficient model, as resources can be leveraged in a cost-effective manner across the organization, limiting duplication of effort and making better use of talent and tools. It also offers some sustainability: shareholders can be assured that pressure on the profitability of an individual unit is unlikely to compromise the quality of the program, because the program's funding and standards are not set by that unit. Finally, should an incident occur, it can be handled in a uniform manner with full corporate oversight.

Also see Information Security Management Basics by Micki Krause, et al.

However, there are issues with the centralized approach that can be better addressed with a distributed model, in which each business unit is responsible for its own InfoSec program. Because the units develop their own policies and standards, they are far more likely to embrace the program, assign the necessary resources to it, and fully implement it. Rather than working from a generic set of policies written to apply across the whole organization, this model has the advantage of producing policies that are aligned with each unit's specific business model. Further, the business unit can act autonomously, and thus in theory more quickly, when policy changes or incident investigations are necessary.

We are all familiar with the accountability issues that arose during the Enron situation. As a result, today's shareholders demand that corporate leadership be well-versed in the conduct of the organizations they lead. Immediately following a significant information security incident, these leaders will likely be called upon for details, and a fully distributed model leaves them without a single point of accountability to turn to. In order to address this issue while retaining the benefits of business unit autonomy, many organizations are adopting a hybrid approach. The best of both models is achieved by providing a central governance body focused on program results (what must be achieved and how it is measured), while the business unit retains control over the methods used to achieve them. These groups work together to meet the overall program objectives. The following describes how the establishment of a hybrid program and the sharing of responsibilities might be realized.
