Information Security Posture to Organize and Communicate the Information Security Governance Program




Information Security Posture, Information Security Governance, Information Security Management, Information Security Reporting, Risk Management, Information Security Program


Information security practice has evolved greatly from being mostly a technical concern to also becoming a concern of executive management. As a result, there are many different frameworks, guidelines and certification programs for information security governance (ISG) and management. The purpose of these standards and certification programs is to help an organization develop a structured approach for governing and managing information security. However, these standards and guidelines are generic and not tailored for any specific organization. These frameworks usually specify “what” should be implemented but not “how”.  Additionally, these frameworks do not specify “how” to communicate the information security posture (ISP) to the executive management in a simplistic manner. This paper first defines and conceptualizes the term information security posture, and then proposes a framework on “how” to communicate and organize the ISP. Our contribution complements ISG programs adopted by organizations to give executive management a better understanding and oversight. We argue that describing the ISP of an organization will support well-informed decision-making while ensuring alignment with business objectives.