Ali Alper Yayla
Abstract: The challenges of information security governance

Over the past two decades, IT has brought businesses and consumers closer and enabled organizations to become players in the global economy. However, while IT presents promising opportunities for organizations, it also brings significant risks. As their reliance on IT increased, organizations started to face significant operational and strategic risk. This risk is highlighted as the number of computer-related attacks and their severity have increased dramatically in the same period. Today organizations face several challenges at the information security governance level. These challenges start with the lack of IT knowledge at the board of directors level. While directors acknowledge the importance of IT and related risk, the technical nature of IT usually prevents boards from providing the necessary oversight. Moreover, unless it entails big investments, IT is rarely a discussion topic at the board level, which can be a result of the lack of IT executive involvement in the top management team. Although more IT executives are participating in top management now compared to previous years, the pay disparity between CIOs and other C-level executives, and the indirect reporting structure of CIOs, show that IT executives are not truly part of the top management team. The implications of this are reflected not only economically, as IT executives have a hard time justifying IT security investments, but also behaviorally, as IT security policies fail to be integrated and enforced in organizations. The challenges at the policy level are exacerbated in global organizations by the difficulties arising from cultural differences across parent companies and their subsidiaries. One possible solution to tackle the variety of IT security challenges, from director level to user level, can be conceptualizing IT security as part of corporate social responsibility.


Ali Alper Yayla is an associate professor in the School of Management at Binghamton University-SUNY. He earned his Ph.D. degree in Management Information Systems from Florida Atlantic University. His research interests include IT governance and leadership, strategic alignment, and information security. His work has been published in several academic journals including Decision Sciences Journal, European Journal of Information Systems, Journal of Information Technology, International Journal of Electronic Commerce, and Journal of Managerial Issues.