
The next step in governance - thresholds in information security

  • Written by Stratsys
  • Reading time: 3 min

Many organisations have a clear view of which requirements apply and what needs to be developed within parts of information security. But the decisive factor is how the work is governed. If it is run as a new initiative, with separate resources, responsibilities and ways of working, it affects how well governance holds together in practice. That's the view of Christopher Läns, GRC expert at Stratsys.


Information security work often starts from a concrete need – for example, new regulations such as NIS2 and DORA, increased cyber threats or demands from customers, investors and partners. At this stage, the work tends to function well, because it is clearly defined. Responsibilities, methods and follow-up hang together within a specific area, which makes governance manageable.

The challenge arises when several areas need to be managed in parallel. This often happens in connection with new requirements or needs, according to Christopher Läns at Stratsys.

– When new requirements emerge, the work needs to be connected to the rest of the organisation's governance. That is where many struggle to keep responsibility, follow-up and ways of working aligned, because they develop in separate tracks, says Christopher.

Christopher Läns, GRC Lead, Stratsys

A reset instead of continued development

In practice, the work is often organised as a new initiative. Something that requires its own funding, new resources and, in many cases, its own ways of working. What should be a continuation is then handled alongside the existing work. The issue needs to be anchored at management level and weighed against other priorities.

At that point, the threshold rises. The work develops into a larger reset rather than building on what already works.

The consequence is often that the work loses momentum or develops in separate tracks. New needs are handled in their own structures, instead of being integrated into what already exists. It is rarely a single factor that decides this; the thresholds arise in several parts of the organisation. For example, they may involve:

  • Unclear ownership when more functions become involved.
  • Limited capacity to drive several parallel initiatives.
  • Established ways of working that are difficult to change.
  • Experiences of resource-intensive implementations.

When responsibility, capacity and ways of working pull in different directions, the next step becomes more extensive than necessary. The decisive factor is not what needs to be done, but how the work is organised and integrated into governance.

– Many organisations know what needs to be done within individual areas. The challenge arises when these requirements need to be handled collectively. When risk, control and follow-up need to be connected across several parts of the organisation, it often requires the work to be reorganised, says Christopher.

Building on the same logic

At this stage, the work often develops along several parallel tracks. New needs are handled in separate initiatives, with their own structures and processes, instead of being built into what already exists.

This causes governance to gradually fragment. More processes need to be coordinated, reporting happens through different flows and responsibility is distributed across multiple initiatives. The overall picture becomes harder to grasp, while the administrative burden increases. The result is often work where a lot is being done, but where risk, control and follow-up don't hang together.

Christopher's view is that the difference is not primarily about resources or ambition, but about how the next step is integrated into existing governance.

– In organisations that move forward, the next area is handled as part of the work that is already ongoing, rather than as a new initiative. New needs are connected to existing logic for risk, control and follow-up, says Christopher.

The consequence is that governance develops without fragmenting, and complexity is kept at a manageable level.

The next step within the same structure

Taking the next step within the same structure, rather than organising it as a new initiative, comes down to three things in practice:

  • A common structure for risk, control and follow-up across several areas.
  • Responsibility remains where the work is already being carried out.
  • New requirements are integrated into existing ways of working, rather than being established as separate processes.

The effect is governance where the same logic is applied across several areas, where follow-up is based on comparable data, and where complexity does not increase unnecessarily.

Governance that holds together over time

In the end, it is rarely about understanding what needs to be done. For most organisations, the direction is clear within individual areas. The decisive factor is how the work is organised within governance.

When the work is established as a separate initiative, the scope quickly grows. New structures, responsibilities and ways of working need to be set up. When it is instead built into the work that is already being carried out, development can continue without the work being reorganised.

This is also where the value of integrated governance becomes tangible. The same logic can be applied across several areas, and follow-up is based on comparable data. Governance can then evolve without complexity growing at the same pace. The result is more sustainable governance over time.