Physical and information security have been converging, often under the control of IT. But companies are increasingly moving the role of policing security out of IT and into the hands of an independent CSO. Here's why you should consider doing the same.
For 40 years there has been little reason for anything computer related to fall outside IT's command. But that era is coming to an end. The evolving and increasingly important role of information security requires the background of a geek and the instincts of a cop. Information security crashes together two functions: traditional corporate security and IT. The ex-cops over in corporate security who watch the doors and suspicious behaviour are using more and more technology to get their jobs done. And the stakes in an IT security breach have risen so high that IT people who know firewalls but can't fathom the motives of a disgruntled employee are no longer able to protect their companies from what could be serious financial losses, extended network downtime and badly damaged relationships with customers.
So struggle over who gets information security is growing: IT, the traditional security group or a new function that is distinct from both groups. There is already clear evidence that IT is going to lose the fight - and more important, that it should. In an October 2003 CIO magazine survey, respondents who described themselves as "very confident" in their companies' security were nearly twice as likely to have information security reporting outside of IT than those who described themselves as "not at all confident" in their security. The reasons for the confidence are clear: Confident companies suffered nearly six times fewer security events, had less downtime and fewer financial losses than the less confident companies. And they allotted more money toward security: The percentage of the IT budget that confident companies spent on security was double that of the not confident group (14 percent versus 7 percent), and they paid more attention to organizational reporting and security policy issues.
There are other reasons to move security. Some argue that keeping responsibility for policing security within IT can pose a potential conflict of interest for the CIO, who may be tempted to give short shrift to security concerns in favour of getting IT projects in on time and under budget. And catching hackers requires the ability to think like a criminal, something IT employees are not trained to do. Then there's the workload issue: Don't CIOs have enough on their plates these days without having to deal with the burgeoning and evolving challenge of worrying about all aspects of a company's security? Having security responsibilities reside in the hands of a CSO or equivalent - and in particular someone who reports outside of IT - could be better for the CIO's career and the health of the IT group as well as the overall organization. A CSO can focus full-time on security, unlike a CIO who is often pulled in several different directions.
But the issue is still up for debate. Some CIOs are concerned that if security policy is moved out of the IT department, they would lose influence but still be held accountable if something goes wrong. CIOs for small and midsize companies argue that it's not practical to create a separate role that is responsible for security. And CIOs in industries heavily regulated by the federal government also worry that letting go of security could mean falling out of compliance.
With the debate raging, if you're not seriously examining where information security falls on your org chart, it's time to do so. And there is mounting evidence that owing to its growing complexity and importance to besieged organizations, security probably should be separate from IT. The dialogue about the future of IT security is just beginning. Chances are, the discussions should be going on inside your company too. In this story, we'll outline the main issues to debate.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.