Enhancing Corporate Governance Rankings through IT Security

Posted by Marbenz Antonio on August 9, 2022

MM Governance and Management - Wits University

What is a rank for corporate governance?

The importance of corporate governance rankings to boards of directors, executive management, and the investment community is growing. Talking about the issues that matter to a stakeholder is necessary if we want their support. For sellers, sales revenue is important. The chief information security officer pays attention to the possibility of a data leak (CISO). Executive pay and analyst stock ratings are usually impacted by governance scores. The board values their input.

They will pay attention if the IT security team talks to them about raising the corporate governance score. As they prioritize the many risks and possibilities they must manage, boards must balance a lot of demands on their time and attention. It helps them prioritize IT security when they can move the needle on a metric they already care about.

Boards, management, and investment analysts all focus on corporate governance benchmarks, such as the Institutional Shareholder Services (ISS) ESG Governance QualityScore. Framing our IT security investments and actions in terms of a higher QualityScore is an excellent strategy to advocate with these stakeholders.

The importance of IT security in corporate governance has been acknowledged by industry leaders, who have incorporated it into their scoring methodology. Principles of Corporate Governance include cybersecurity as a focal area for the board’s strategic planning and risk oversight responsibilities. The Harvard Law School Forum on Corporate Governance also identifies cybersecurity as an evolving governance concern. The Corporate Finance Institute names security as one of the fundamentals of corporate governance, particularly regarding data breaches.

We’ll outline the reliable methods by which IT security governance can affect a business’ ISS Governance QualityScore, potentially influencing analyst recognition, shareholder value, and executive compensation. The board may use this information to better understand relative priorities and investment needs for IT security.

The scoring example we’ll use is for a corporation with headquarters in the United States that is a member of the Standard and Poor’s (S&P) 500 index, even though the discussion applies to all locations and segments.

How to calculate corporate governance rankings?

Institutional investors can monitor portfolio business governance with the use of the data-driven ranking and screening tool known as the ISS ESG Governance QualityScore. Approximately 7,000 businesses, including those included in the S&P 500, STOXX 600, Russell 3000, Nikkei 400, and other international indexes, are subject to the ISS Governance QualityScore global coverage.

For some events, the QualityScore is updated quarterly by reviewing the minutes from the companies’ annual meetings, regulatory filings, and other material that is accessible to the general public.

The ISS website makes the methods accessible.

It’s important to comprehend the factors (questions) and the scoring methodology to raise the organization’s QualityScore and map the effects of investments and activities in IT security.

The subjects evaluated include:

  • Board structure.
  • Compensation.
  • Shareholder rights.
  • Audit and risk oversight.

The elements linked to IT security are found in the audit and risk oversight section. We’ll concentrate on identifying and bringing up these factors throughout our conversation.

To encourage a “apples to apples” comparison, a raw score based on the factors is produced and ranked about businesses in the same index or region, with a number from 1 to 10 assigned to each category. Figure 1 displays an illustration of a raw score and category score for each category for an S&P 500 business with US headquarters.

Category Category Raw Score Category Score
Board Structure 25.0 7
Compensation 19.5 10
Shareholder Rights 28.0 5
Audit & Risk Oversight 56.5 4
Overall Raw Score Governance QualityScore
Total 129.0 8

Table 1. Score methodology example for S&P 500 United States-based company.

Rating Category Questions Scored
Board Structure 51
Audit and Risk Oversight 21
Shareholder Rights 32
Compensation 37
Total 141

Table 2. Questions scored in each category for a United States-based company.

There are 141 factors scored for the United States. There are twenty-one for the category of Audit and Risk Oversight. 11 of these concern information security. Thus, IT security accounts for more than half of this category’s raw score, which will be scaled to produce the Audit and Risk Oversight category’s QualityScore on a scale of 1 to 10.

IT security-related questions are defined differently than they would be for an IT security and compliance expert who worked with ISO, NIST, or other comparable security standards. Next, we’ll examine this.

Through the perspective of corporate governance, the board and management discuss IT security

The factors in deciding the governance score are distinct from those we could see in an IT audit. They don’t cover the extensive controls and defense in depth that IT security experts would expect. Some of them, including those about awareness and training, finances, and breaches, are probably already included in key performance indicators (KPIs) that are being analyzed.

The QualityScore characteristics can be linked to a strategic plan or business case for an investment when it is presented to leadership. It is possible to predict that the governance score will rise.

Below is an illustration of how to use Microsoft Purview Audit (Premium). This technology, which is a component of Microsoft 365, is simple to implement and doesn’t require any user involvement or change management. If credentials are compromised, it offers forensic information to determine whether sensitive data was compromised, and what documents may have been viewed by the bad actor, and it offers long-term audit data preservation.

QuestionID Question Mapping for Microsoft Purview Audit (Premium)
402 Does the business describe a strategy for identifying and minimizing information security risks? If an account is compromised, Audit (Premium) enables a business to determine the information accessed by a malicious attacker. It offers forensic data necessary to comprehend the effects of a breach and choose the best course of action. Risk mitigation includes doing this.
406 How much of the company’s overall revenue was lost due to information security breaches in the last three years? A breach that has no impact and one that has a significant impact on the organization, its partners, and its customers can be distinguished using information made accessible by an audit (Premium). Without this knowledge, the business might be forced to spend a lot of money on breach notification and mitigation measures that wouldn’t be required if the breach could be appropriately scoped.
407 Has there been a breach in the company’s information security in the recent three years? Account compromises with no consequences and possibly not reportable can be distinguished from attacks needing extensive reporting and cleanup by Audit (Premium). An audit is focused on reporting information security compromises accurately, including understanding what qualifies and does not constitute a breach (Premium).
408 What is the ratio of total revenue to net expenses resulting from information security breach penalties and settlements over the last three years? Depending on the degree and impact of the information security breach, there will be a wide range of costs and penalties. The forensic data that Audit (Premium) makes available can help to lower costs and fines.
409 Has the business get an insurance policy to cover information security risks? To provide security risk insurance policies, insurers need to conduct underwriting. The company’s IT security program, controls, and governance all impact underwriting. The Audit (Premium) component of the security package is important since it offers very useful forensic data.

Table 3. Example Mapping of Microsoft Purview Audit (Premium) to ISS Governance QualityScore.

Supporting security investments and solutions is only one aspect of alignment with the Governance QualityScore.

The rating includes elements that the business may already have in place, such as security training, standards-based audit, measurements, and reporting. The company’s return on investment and the leadership’s understanding of the contributions of the security team is increased by communicating this so that it is reflected in the governance score.

Senior leadership should routinely brief the board on information security issues to improve the score.

The score will also increase if a board member with security expertise is added. These will ensure that the security function receives the focus and support from leadership that it needs to improve the security posture of the business.


A corporation can demonstrate additional return on investment and gain support for its security program from a range of stakeholders by demonstrating how its investment in security improves its Governance QualityScore. The financial and brand value of a higher governance score may be recognized by stakeholders who may not necessarily understand the value of IT security controls and processes or the risk associated with IT security.

Expectations for IT security to be a component of corporate governance will rise over time. The breach will likely be examined from a wider, more comprehensive angle. The weight of IT security on the final score will rise as more factors are taken into account.

When presenting to leadership to create a strong case for action, think about demonstrating how an IT security investment or activity would improve your company’s governance score together with other components of the business case and risk management.


Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com