Adam Gresh: Information Security Can Go With the Flow

In today’s dynamic business landscape, security isn’t just about technology; it’s about alignment. We had the privilege of gaining insights from Adam Gresh, who emphasizes that a strong information security program thrives when embedded into an organization’s culture and leadership strategy. From governance charters to risk committees, Adam breaks down how businesses can build security into their DNA while maintaining agility and business efficiency.

Q: Aligning security with business objectives is often seen as critical for success. Why do you believe this alignment is so important?

A: I can’t say it better than William Malik, Vice President and Research Area Director for Information Security at Gartner, who said, “A business will have good security if its corporate culture is correct. That depends on one thing: tone at the top. There will be no grassroots effort to overwhelm corporate neglect.”

Q: What kind of suggestions can you make that will help build good corporate culture?

A: Good governance is essential. You need to have an information security governance charter that clearly defines the requirements for the security program in writing and as an enforceable policy signed by the CEO. This gives the security program the authority it needs to be taken seriously.

The charter should include language that makes security roles part of job descriptions for everyone in the security governance structure. To build a strong culture, roles such as “business owner” and “data owner” must fulfill obligations outlined in security frameworks like NIST and COBIT. Business leaders are responsible for aligning systems with organizational objectives and providing input on risk management strategies. Without these responsibilities written into job descriptions, it’s unreasonable to expect leaders to treat information security as anything other than someone else’s problem—because for them, it’s literally “not in my job description.”

A complementary element is the establishment of an information security committee. Its role is to provide a platform for information security to present its needs to other departments and for other departments to voice their concerns. The committee also plays a critical role in driving strategic alignment and oversight rather than focusing solely on operational collaboration.

The security committee should include representatives from business leadership, IT, human resources, compliance, finance, sales, and other key departments. These stakeholders bring unique perspectives necessary for comprehensive risk evaluation and prioritization. If departments are unaware of their security needs, this presents an opportunity to facilitate discussions and uncover potential risks.

Another function of the committee is to set risk appetite. Having a shared understanding of how much risk is acceptable without additional review eliminates subjective decision-making. In alignment with ISO 31000 and COSO ERM (such as SOC 2 compliance), the security committee should formally establish a risk appetite statement that is periodically reviewed.

The committee is also accountable for deciding whether to accept risks that exceed the organization’s risk appetite. These decisions should be informed by the business rather than dictated by security—security should enable the business, not the other way around. Allowing the committee to make these decisions ensures a broader understanding of business impact. The security committee should also revisit risk acceptance decisions periodically, in line with NIST’s continuous monitoring principles (see NIST 800-137).

Another crucial aspect of the committee’s role is reporting and escalation. If a risk exception is not accepted, the committee should escalate the issue to senior leadership to ensure a timely decision on risk acceptance or corrective action.

Q: Risk assessments are a critical part of the security program, but businesses sometimes fail to recognize their non-technical aspects. What recommendations do you have for getting risk assessments done in a resource-constrained environment?

A: Start by leveraging industry best practices. Both ISACA and (ISC)² recommend that security leaders who are new to an organization conduct a risk assessment. It may also be necessary to revisit a previous risk assessment if you’re not new to the organization and haven’t been able to keep up. This presents an opportunity to collaborate with business areas, helping them identify and understand risks they may have previously overlooked and capture risks formally. By identifying which risks resonate with business leaders, security teams can work to ensure those risks are appropriately addressed.

When dealing with technical stakeholders, NIST’s sample risk assessment is helpful for teaching technical staff how to evaluate risk, but it is not as effective for business leaders. In my experience, sample risks are great for outlining penetration test steps but contain a lot of redundancy regarding controls and system protection. Don’t hesitate to customize or consolidate elements to fit business needs.

Technical teams are generally more willing to engage in risk discussions, but a different approach is needed for business teams. For example, instead of focusing on technical issues such as “poor patch management,” business risks should be framed as, “There is a high risk of unauthorized access to PII due to a failing technical control.” Similarly, if IT and HR aren’t communicating effectively on user access reviews, the business risk might be framed as, “Risk of unauthorized access by former employees due to a failing administrative control.” Security committee meetings provide the ideal forum for discussing these issues in a non-technical way.

Q: Aren’t security committee meetings going to be expensive?

A: Meetings with senior leaders are always expensive. The expense must be justified by the meeting’s outcomes. Executive retreats remove leaders from daily distractions to focus on business strategies, and security committee meetings should serve a similar function—allowing business leaders to focus on how security enables business success.

These meetings shouldn’t be an opportunity for security to present a list of grievances but should instead focus on what the business needs from security. Security leaders should work to avoid dominating the conversation and instead draw out the needs of business teams.

Q: What if stakeholders aren’t coming forward with needs or don’t understand their obligations?

A: If stakeholders arrive unprepared, it’s time to revisit the security governance charter and determine how to help them fulfill their responsibilities. In organizations with an immature security culture, the charter and job descriptions are critical. If security responsibilities are clearly outlined but not understood, and there are no consequences for failing to execute them, it creates an incentive for individuals to seek guidance from the security department.

To foster a culture of security, leaders should be encouraged to engage with security initiatives through ongoing training and recognition programs. Establishing a RACI matrix (Responsible, Accountable, Consulted, and Informed) can help constituents understand their roles within the security program.

Security responsibilities cannot be left to the goodwill of employees who already have “too much on their plate.” These scenarios often lead to security being overlooked. To ensure accountability, security responsibilities must be explicitly defined in job descriptions, with clear expectations and consequences for failing to meet them.

It’s important to be realistic about budget limitations. Just because security is a job function doesn’t mean it takes precedence over all other responsibilities. This is where the security committee plays a key role in balancing priorities and making progress within constraints. The committee should also recognize when a security deficit is too large to address with existing resources and make the case for addressing the shortfall.

Final Thoughts

If you’re facing challenges in advancing your security agenda, consider whether you’re aligned with business goals. Demonstrating the value security brings to the organization—whether through compliance certifications like SOC 2 and PCI-DSS or through improving customer trust—can help gain executive buy-in.

If you’ve exhausted all avenues and still face resistance, consider escalating concerns appropriately, or if necessary, re-evaluate whether the organization’s culture aligns with your security leadership goals.

Adam Gresh is the CEO of Purple Dragon Cybersecurity LLC and has been instrumental in delivering risk assessments, gap assessments, policies, governance recommendations, KPIs and other information security services.

Contact information: nistfantic@purpledragoncyber.com

Copyright Statement
© 2025 Adam Gresh. All rights reserved.

ISSA is granted permission to publish and distribute this article with proper attribution. All other rights, including reproduction, adaptation, and redistribution beyond ISSA’s use, remain with the author and require prior written permission.

Lasting Lessons on Security Governance from Adam Gresh

Security isn’t a siloed function; it’s a business enabler. As Adam emphasizes, when security aligns with corporate objectives, it moves beyond compliance to drive real strategic value. Whether it’s securing customer trust or enhancing operational resilience, a well-structured security governance model can make all the difference.