Once, systems thinking was about singular systems. Today we exist in a far more complex world, with systems interacting with other systems, directly or indirectly. Information security, therefore, must involve all systems in the chain. New European regulations such as Guidelines for Data Protection Regulation demand that the ICT/IT world involve and account for systems outside the organizational border under the enterprise information security umbrella. The recent mega hacks analyzed in this article point to the need for a systems thinking perspective in creating a modern governance, risk, and compliance security model framework. This research puts forth a conceptual model, based on the Viable System Model (VSM), appropriate for a major global information security restructuring. The motive for using VSM is that it works well with modern laws like GDPR and CCPA, supporting the needed enterprise perspective.