SIDEBAR: Inside or Out

Where should responsibility for security reside?

In its 2002 Information Security Survey, KPMG found that in 53 per cent of organisations responsibility for information security still resides with the IT department. However, Egidio Zarrella, national partner-in-charge, information risk management, KPMG Australia, says he is now seeing more"C" class executives or chief security officers (CSOs) in charge of security, particularly in the US and Europe and particularly in financial institutions."If you just think security is IT and having a password, you're already behind the ball game because you're not taking a holistic view of it," Zarrella says.

As CSO for Oracle Corporation, Mary Ann Davidson has global responsibility for the software giant's product security, corporate infrastructure security and security policies, security evaluations, assessments and incident handling; in other words, the organisation's own IT security in addition to building and delivering security across the software it sells.

Davidson has held the position since it was created late last year but thinks her situation is unusual in that she comes from - and continues to sit - in product development and reports up to an executive vice-president responsible for server technologies. However, this makes perfect sense for Oracle, she claims, given that its corporate culture is driven from development, the company runs its business on its own software, and consequently its internal IT department cannot secure what Oracle does not build into its products in the first place. In fact, it was Davidson who lobbied Oracle's senior management to create the CSO position.

"They agreed it was a great idea, and although I didn't dream they would consider me for the position, they offered me the job and even gave me the chance to write the position description," she says."Management believed that I would stand up and scream loudly if things were not right and viewed that as an important attribute. I've also been a military officer, so I believe I understand something about leadership and motivation, and I have a magic authority whereby if there are issues with someone regarding security that I can't resolve at my level, I get to go right to [Oracle chairman and chief executive] Larry Ellison.

Not surprisingly, Davidson has a lot of interaction with Oracle's internal IT department. Oracle also has a security steering committee, comprising a number of constituents including finance, legal and human resources. As Davidson points out, so much of security goes hand-in-hand with privacy, which affects large parts of the company. There are, for example, European privacy directives that impact not only how Oracle builds its products, but also how it stores information about its customers and employees.

Davidson believes the CSO role is now very common in large companies, particularly major IT vendors. However, at rival ERP firm PeopleSoft, product security is the responsibility of the chief technology officer, while senior vice-president and (global) CIO David Thompson looks after the internal security of the company's network, telecommunications and applications, as well as setting policy. Of the 380 people who work internally in IT at PeopleSoft, the security division within that comprises 27 staff and Thompson says security now accounts for 10-15 per cent of his time.

Given that PeopleSoft is an IT company where staff tend to have the necessary skills, Thompson is not worried about external threats as much as internal attacks and mistakes and has been focusing on educating employees in this area. In addition, although he does not handle physical security himself, he says he is working to leverage technology to help protect the company's assets and monitor sensitive areas.