The lack of effective information security governance in the digital age is a growing problem. Generally, corporate governance can be defined as the strategy, policies and processes for controlling a business.
The Board of Directors sets the strategy, the budget and the risk tolerance of an organization, in addition to ensuring the company’s prosperity. From 2013 to 2014, information security breaches increased by 64%. In 2016 alone, 1.1 billion identities were stolen. Experts predict that by 2020, cybercrime damages will cost the world $6 trillion. With increased pressure from the public, those serving in governing roles are now under more heightened scrutiny than ever before. Despite numerous peer-reviewed research findings that have demonstrated how essential high-level support is to information security, many governing bodies still do not have the necessary knowledge to govern effectively. As the world becomes increasingly technologically dependent, bridging the gap between data theory and practice in the boardroom will be critical.
Boards of Directors still do not understand the relationship between strategic alignment, leadership and information security governance effectiveness in United States-based corporations. While leadership is a well-examined topic in organizational literature, its application in information technology governance has not been studied extensively. Information may be one of the most critical resources in a business, but unless the fundamental components influencing effective security governance are better understood, companies may be missing the advantages and multiplying the risks of their information assets. Having a robust information security governance framework is essential for companies with any type of data management system in place. With the shift towards protecting information as a valuable asset, there is increased interest in how to implement and oversee effective information governance.
There are many case studies on how data breaches have reached the Board of Directors, with shareholder claims against Directors on the rise. For example, the Target data breach in 2013 affected 70 million customers. Shareholders alleged that Target’s Board of Directors breached their fiduciary duties by not adequately overseeing the information security program and by not providing customers with prompt and accurate information on the breach. After 21 months of investigation, the plaintiffs dismissed the case. However, the entire process raised public concern about the responsibility of the Board of Directors for an organization’s data privacy. The data breach was estimated to cost Target $148 million. The Target data breach is seen as the beginning of increased scrutiny of cybersecurity practice. As consequences get more serious, the boardroom will be forced to better bridge the gap between data theory and practice.
In the future, more policy and well-defined roles and responsibilities may contribute to changes in actual practice on how Board members are selected to maximize governance effectiveness. Having the right people governing in the boardroom can influence critical budgetary discussions and support not only timely risk identification but also alignment with the value that an effective security governance system can deliver. Boardrooms would benefit from realizing goals that should include safer and more reliable data, respect for evolving data privacy trends, better access to data, an enhanced ability to share and collaborate on data, and reduced costs through more effective risk management.