The US president Harry S. Truman famously had a sign on his desk that said:
The buck stops here.
This refers to “passing the buck” upwards, meaning to escalate decisions to the next higher level in the organization.
Truman's point was that responsibility ends with him, but also that this is where his power comes from.
This is an essential part of governance, and this vertical line of responsibility represents one way of looking at it. We can trace how this works in the following risk management example.
Suppose one risk control is to stop a certain data flow at some point. For example, not allowing USB storage keys in laptops, or reducing the permissions of some people, or reducing network access for guests.
This is a security intervention at the lowest, technical, layer.
But who has the responsibility to review whether that is actually done? That review is a different layer, either a further technical layer or human oversight. If you do not have it, the control may not be very effective.
Next, you might ask who created the policy that requires these data flows to be restricted. Again, this is the next higher level of responsibility.
Continuing, who checks that this policy is set, who decides that this type of policy is set, and for which types of data?
As we go higher and higher, these policies (controls) become more and more abstract. They are controls on controls.
Now, if you are in a role in the organization where you find no higher-level control, you are the highest-level control.
The thing is, the person holding the highest-level control should also have the mandate and the budget to enforce it. Ideally, this is the most senior management in the organization. And with today’s regulatory environment, they are.
I find this way of looking at governance more insightful than a top-down approach. The risk of a top-down approach is that a general control just gets translated into more controls with more text that are still not technical enough to be implemented or enforced.
You should be able to go up, down, and back to make sure that the technology controls match the objectives of the organization as a whole. This also helps to understand which controls are superfluous or redundant.