Security governance influences the quality of strategic decision-making, with the aim of ensuring that investments in security are not wasted. Security governance involves a range of activities, including adjusting organisational structures, designating roles and responsibilities, allocating resources, managing risks, measuring results, and gauging the adequacy of security audits and reviews. We draw on a case study to identify three security issues around strategic context in an organisation: (1) limited diversity in decision-making; (2) lack of guidance in corporate-level mission statements to security decision-makers; and (3) a bottom-up approach to security strategic context development. We further argue that, instead of an approach based on risk and controls, organisations should address objectives and strategies by developing depth in their security strategic context.
Tan, Terrence; Maynard, Sean; Ahmad, Atif; and Ruighaver, Tobias, "Information Security Governance: A Case Study of the Strategic Context of Information Security" (2017). PACIS 2017 Proceedings. 43.