Information Security Governance and Boards of Directors: Are They Compatible?
This paper presents a critique of emergent views on the roles of boards of directors in relation to information security. The analysis highlights several concerns about the separation and validation of sound theory versus business assertions about information security at board level. New requirements articulated by industry bodies - represented by a selected group of experts and evident in the literature - are compared with the underlying theory of corporate governance to identify possible discrepancies. The discussion shows in particular the importance of staying within the theoretical underpinnings of corporate governance when discussing the topic of governance in general, and in relation to the responsibilities of boards of directors specifically.