SmartAdvice: Map Out An Organizational Structure For Security

Treat security as a business process, The Advisory Council says. Also, abandoning IE won't end security worries, and learn how to protect information in tiny USB storage devices.

Editor's Note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory service firm. The feature answers three questions of core interest to you, ranging from career advice to enterprise strategies to how to deal with vendors. Submit questions directly to

Question A: What organizational structure would be most effective for information-security governance?

Our advice: Information-security experts are a long way from establishing best practices in organizing security: Chief security officers variously advocate security reporting to facilities, operations, legal, IT, and even human resources.

Ultimately (and legally) the board of directors is responsible for protecting the company's assets, but someone has to keep the board informed about the risks the company faces from security threats. This should be the job of a chief security officer. Unfortunately, chief security officers are rare and almost always sit too low on the organizational chart to interact effectively with the board, and reporting structures often blunt and filter (even suppress) those messages before they reach the board.

So right away the organizational-structure issue comes down to which C-level executive your top security person reports to. There seems to be no dominant rule: companies variously place the head of security (physical and/or information) above the chief information officer, reporting to the CIO, or several levels below the CIO. Corporate culture appears to be the biggest factor, followed by industry type. Consider the following structures and their consequences:

Information security reports to the CIO. CIOs want to be seen as value-adders, focused on productivity and profits, and cannot afford to be branded as "inhibitors." This mind-set can cause CIOs to delay reporting potential security problems upward.

Information security reports to the chief operating officer. Chief operating officers are concerned about delivering products and services, resolving customer issues, and increasing sales. Instead of protecting the company's larger goals, the focus is too often on finding solutions for customer complaints, continuously monitoring satisfaction, and fighting for market share.

Information security reports to the CFO. CFOs all too frequently act as if the best way to grow profits is to cut costs. When they oversee a security organization, they evaluate security budgetary issues by scrutinizing every capital expenditure or head-count increase.

Industry and organizational size have an influence. Retail and pharmaceutical industries are most content with security chiefs under the direction of the CIO, while some other industries are migrating to a corporate (i.e., outside of IT) security-management structure. In midsize to large organizations where the emphasis is on technical measures mitigating technical threats, the CIO is usually the security boss.

An effective security organization hinges on collaboration among the CFO, auditors, legal staff, business-unit managers, corporate and physical security teams, IT senior managers, midlevel administrators, and the entire range of corporate stakeholders, whose awareness of and participation in a security program is essential. For information security, this means a structure where the security head's reporting relationship is an enabler, not a deterrent, to integrating the activities of primarily the IT, operations, and corporate auditing groups. It's the opposite of the fragmented security management norm at many companies today. Until top management recognizes security as a critical function with strategic impact, security of all sorts will continue to get shuffled around and fail to obtain adequate resources.

Security is rapidly evolving into a critical shared service within many organizations, with the head of corporate security increasingly taking on responsibilities for information security. Within five years most organizations will have a risk-management function that (1) is not within IT and (2) will include a number of things currently on CIOs' plates, such as business continuity, and a security program-management office, as well as non-IT risk functions such as fraud and physical security. The path to this governance structure is being blazed by companies that are taking a coordinated approach to physical security, information security, and risk management because they believe bottom-line improvements come most easily when security is treated as a business process.

-- David Foote
