Responsibilities of management teams in implementing effective security practices

As you saw in the last article, the workload involved means the CISO/ISM needs to be in regular contact with management teams to ensure that the security programme is successfully implemented throughout the enterprise.

Given this reality, it's important to put together a group called the security working group (SWG) or security steering committee. This group needs to meet routinely to govern and promote good security practices throughout the organisation.

The working group should be chaired by the information security manager and attended by line-of-business heads from all parts of the enterprise. External stakeholders should also be included if they're required to support planning or governance. This group is a high-level forum for discussing security matters; it needs to meet regularly, and its membership must include all stakeholders.

Earlier you saw the risk register; the SWG is responsible for managing that register. The SWG must participate in the approval of standards, policies, and initiatives. SMEs should also be involved so that they can provide advice if required.

The security working group should become the voice and advocate for information security matters throughout the business. Attendees should have written terms and conditions, and they should be encouraged to popularise information assurance (IA) principles in their own work areas to create the security culture that will make IA a company success. It's important that this group meets regularly and consistently in order to develop the security culture within the business.

Not always possible in house

Depending on the size of the company, it may not be viable to handle all issues internally. If this is the case, the company may employ an external specialist organisation to perform the necessary actions, for example penetration testing as a regular system health check. Developing an appropriate relationship with a trusted, accredited and certified company may help a company meet some security requirements without the cost of a permanent internal team of experts.

Equally, as a company grows it will need to revise its SWG. This ensures that all relevant departments remain appropriately represented and that the group continues to develop the security culture throughout the firm.

Next, you'll move on to looking at company individuals outside the SWG and how you can best employ policy and procedures to embed best practice across the organisation. To achieve this, you'll need to provide appropriate training, promote awareness and also use assessment, both to identify awareness levels among the staff and to identify which aspects of the security culture need most attention.


Choosing members of your SWG

Before finishing, think about your own current organisation: who would you have in your SWG?

What's next?

Having looked at SWGs, you're next going to look at the importance of effective delegation and its use at different levels of the organisation.