Editor's Note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory service firm. The feature answers three questions of core interest to you, ranging from career advice to enterprise strategies to how to deal with vendors. Submit questions directly to firstname.lastname@example.org
Question A: What organizational structure would be most effective for information-security governance?
Our advice: Information-security experts are a long way from establishing best practices in organizing security: Chief security officers variously advocate security reporting to facilities, operations, legal, IT, and even human resources.
Ultimately (and legally) the board of directors is responsible for protecting the company's assets, but someone has to keep the board informed about the risks the company faces from security threats. This should be the job of a chief security officer. Unfortunately, such officers are rare and almost always too low on the organizational chart to interact effectively with the board, and reporting structures often blunt and filter (even suppress) their messages before they reach the board.
Information security reports to the CIO. CIOs want to be seen as value-adders, focused on productivity and profits, and cannot afford to be branded as "inhibitors." This mind-set can cause CIOs to delay reporting potential security problems upward.
Information security reports to the chief operating officer. Chief operating officers are concerned about delivering products and services, resolving customer issues, and increasing sales. Instead of protecting the company's larger goals, the focus is too often on finding solutions for customer complaints, continuously monitoring satisfaction, and fighting for market share.
Information security reports to the CFO. CFOs all too frequently act as if the best way to grow profits is to cut costs. When they oversee a security organization, they evaluate security budgetary issues by scrutinizing every capital expenditure or head-count increase.
Industry and organizational size have an influence. Retail and pharmaceutical industries are most content with security chiefs under the direction of the CIO, while some other industries are migrating to a corporate (i.e., outside of IT) security-management structure. In midsize to large organizations where the emphasis is on technical measures mitigating technical threats, the CIO is usually the security boss.
An effective security organization hinges on collaboration among the CFO, auditors, legal staff, business-unit managers, corporate and physical security teams, IT senior managers, midlevel administrators, and the entire range of corporate stakeholders, whose awareness of and participation in a security program is essential. For information security, this means a structure where the security head's reporting relationship is an enabler, not a deterrent, to integrating the activities of primarily the IT, operations, and corporate auditing groups. It's the opposite of the fragmented security management norm at many companies today. Until top management recognizes security as a critical function with strategic impact, security of all sorts will continue to get shuffled around and fail to obtain adequate resources.
Security is rapidly evolving into a critical shared service within many organizations, with the head of corporate security increasingly taking on responsibilities for information security. Within five years most organizations will have a risk-management function that (1) sits outside IT and (2) includes a number of things currently on CIOs' plates, such as business continuity and a security program-management office, as well as non-IT risk functions such as fraud and physical security. The path to this governance structure is being blazed by companies that are taking a coordinated approach to physical security, information security, and risk management because they believe bottom-line improvements come most easily when security is treated as a business process.
-- David Foote