Learning Goal: I’m working on a risk management exercise and need support to help me learn.
Enforcement of security policies is most effective when it comes from leadership. Employees look to executive management for direction. The executive is more likely to enforce policies to support his or her personal credibility. Once executives put their own credibility behind policies, they are less likely to allow violations to occur.
Finding the right level of leadership to take action can be a challenge. It’s generally more effective to have leadership governance and management committees responsible for IT security policy enforcement, where governance sets the direction for management to follow.
Why, or in what ways, would a governance committee be more effective than an executive in enforcing security policies?