Who Should Be On Your Information Risk Council

The Information Risk Council (IRC), also known as the Risk Governance Council or Security Steering Committee, is a key component of an effective security program especially if aligned with ISO 27001 or SOC 2.

This committee helps establish the vision for the organization’s security program, drives the strategy, and sets the tone for security, privacy, and compliance initiatives.

There’s a lot at stake, so making sure the IRC is comprised of the right people is paramount.

So, who should be on my IRC?

We get this question a lot, so here are some individuals and teams we suggest you include, and considerations for why you may or may not want to include them.

These are in no particular order, and titles will vary somewhat depending on the size of your organization. The essential goal here is to establish an impactful and cross-functional team with the authority and insight to align your security program to your business strategy.

Members to Consider:

Chief Technology Officer: Often also the security program sponsor, the CTO serves as a bridge between the security program and the business objectives established by executive leadership. (Note: If you are not a SaaS/tech firm, you may want to include the VP of Services or Chief Operating Officer instead.)
VP of Engineering: The person responsible for managing your SaaS platform fills a critical role by ensuring that change management processes and infrastructure efforts are aligned with the security objectives.
CISO/VP of Security: Independent of their title/role, the person responsible for the effective operation of security initiatives should always be included in your IRC.
General Counsel: Legal professionals often have the best understanding of the risks the organization faces and security commitments which the organization has made.
Director of Compliance: This position is especially important if you have a team dedicated to financial compliance initiatives such as SOC 1 or SOX, as there will be overlapping areas of risk management.
HR/Chief People Officer: People are key to any organizational initiative, so having your HR team on board will help provide valuable feedback on security implementation in your company.
Director of IT: This person is usually responsible for the operations of various security controls and making sure security objectives are technically feasible.
Sales: Your sales team is often closest to the customer and the market expectations for security and specific expectations clients have in this realm.

A good IRC size is between five and seven members and pulls in additional resources and business unit leaders as needed for consultation.

If you want to understand how to effectively leverage your IRC in your security organization, check out this blog post (part of a 4 part series on building a security program).

About the Author: Phillip Lee

Phillip is a Consultant and Cyber Risk Advisory Specialist for risk3sixty where he helps to implement business-first offensive and defensive security strategies. Phillip holds a B.S. in Business Administration (Strategy and Innovation) from the Georgia Institute of Technology. Phillip is a CISA and holds the Certificate in Cloud Security Knowledge (CCSK).

Who Should Be On Your Information Risk Council

So, who should be on my IRC?

Members to Consider:

Share This Story, Choose Your Platform!

About the Author: Phillip Lee

Related Posts

Update on the Apache Log4j Vulnerability

VCISO: How We Help “Fix It” the risk3sixty Way

Mobile Device Management Deep Dive

The Business Case for an Incident Response Program

Leave A Comment Cancel reply