SmartAdvice: Map Out An Organizational Structure For Security - InformationWeek

Treat security as a business process, The Advisory Council says. Also, abandoning IE won't end security worries, and learn how to protect information in tiny USB storage devices.

Editor's Note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory service firm. The feature answers three questions of core interest to you, ranging from career advice to enterprise strategies to how to deal with vendors. Submit questions directly to [email protected]

Question A: What organizational structure would be most effective for information-security governance?

Our advice: Information-security experts are a long way from establishing best practices in organizing security: Chief security officers variously advocate security reporting to facilities, operations, legal, IT, and even human resources.

Ultimately (and legally) the board of directors is responsible for protecting the company's assets, but someone has to keep the board informed about the risks the company is facing from security threats. This should be the job of a chief security officer. Unfortunately, such officers are rare and almost always too low on the organizational chart to interact effectively with the board, and reporting structures often blunt and filter (even suppress) those messages before they reach the board.

So right away the organizational-structure issue comes down to which C-level executive your top security person reports to. There seems to be no dominant rule: companies place the head of security (physical and/or information) above the chief information officer, reporting to the CIO, or several levels below the CIO. Corporate culture appears to be the biggest factor, though industry type also matters. Consider the following structures and their consequences:

Information security reports to the CIO. CIOs want to be seen as value-adders, focused on productivity and profits, and cannot afford to be branded as "inhibitors." This mind-set can cause CIOs to delay reporting potential security problems upward.

Information security reports to the chief operating officer. Chief operating officers are concerned about delivering products and services, resolving customer issues, and increasing sales. Instead of protecting the company's larger goals, the focus is too often on finding solutions for customer complaints, continuously monitoring satisfaction, and fighting for market share.

Information security reports to the CFO. CFOs all too frequently act as if the best way to grow profits is to cut costs. When they oversee a security organization, they evaluate security budgetary issues by scrutinizing every capital expenditure or head-count increase.

Industry and organizational size have an influence. Retail and pharmaceutical industries are most content with security chiefs under the direction of the CIO, while some other industries are migrating to a corporate (i.e., outside of IT) security-management structure. In midsize to large organizations where the emphasis is on technical measures mitigating technical threats, the CIO is usually the security boss.

An effective security organization hinges on collaboration among the CFO, auditors, legal staff, business-unit managers, corporate and physical security teams, IT senior managers, midlevel administrators, and the entire range of corporate stakeholders, whose awareness of and participation in a security program is essential. For information security, this means a structure where the security head's reporting relationship is an enabler, not a deterrent, to integrating the activities of primarily the IT, operations, and corporate auditing groups. It's the opposite of the fragmented security management norm at many companies today. Until top management recognizes security as a critical function with strategic impact, security of all sorts will continue to get shuffled around and fail to obtain adequate resources.

Security is rapidly evolving into a critical shared service within many organizations, with the head of corporate security increasingly taking on responsibilities for information security. Within five years most organizations will have a risk-management function that (1) is not within IT and (2) will include a number of things currently on CIOs' plates, such as business continuity, and a security program-management office, as well as non-IT risk functions such as fraud and physical security. The path to this governance structure is being blazed by companies that are taking a coordinated approach to physical security, information security, and risk management because they believe bottom-line improvements come most easily when security is treated as a business process.

-- David Foote
