Executive Context
As cyber and data risks increasingly impact financial stability, regulatory exposure, and organizational trust, leadership teams face growing pressure to demonstrate effective oversight of information security.
Key challenges included:
- Unclear ownership of information security risk at the executive level
- Fragmented responsibilities across IT, risk, and business units
- Difficulty translating regulatory expectations into governance and management practices
Executives required a governance approach that aligned information security with enterprise risk management and strategic oversight.
Leadership Role & Contribution
Dr. Duy acted as a governance advisor and subject-matter expert, contributing to the project by:
- Assessing the institution’s information security governance maturity
- Identifying gaps between regulatory expectations and existing governance structures
- Supporting the design of a governance model that clarifies roles, responsibilities, and escalation mechanisms
His contribution emphasized executive accountability, decision rights, and risk visibility, rather than operational or technical controls.
Key Deliverables
- An Information Security Governance Framework aligned with enterprise risk management
- Clear definition of executive and management-level responsibilities
- Governance guidance to support regulatory compliance and audit readiness
- Practical structures for integrating information security into leadership oversight
Business Outcomes
- Improved clarity of information security ownership at the leadership level
- Stronger alignment between security governance and enterprise risk objectives
- Enhanced readiness for regulatory review and internal audit
- A more consistent and structured approach to managing information security risk
This project demonstrates how information security can be governed as a strategic enterprise risk rather than delegated solely to technical teams. Dr. Duy’s work supports executives in making informed, accountable decisions that balance regulatory compliance, operational resilience, and organizational trust.