informa
/
2 min read
Commentary

Should The Security Chief Report To Someone Outside IT?

McAfee CEO David DeWalt sees more companies are having the chief information security officer report to someone other than the CIO. The reasoning is security involves much more than data security-and that IT needs a watchdog over its attempts to secure information.
McAfee CEO David DeWalt sees more companies are having the chief information security officer report to someone other than the CIO. The reasoning is security involves much more than data security-and that IT needs a watchdog over its attempts to secure information.DeWalt spoke at the InformationWeek 500 Conference in Tucson Tuesday, spotlighting the five broad trends he sees in security. In a conversation after his keynote, DeWalt spotlighted one other change, with the CISO increasingly reporting to the CFO or another executive.

One main reason is that more companies are putting a single executive in charge of information and physical security, DeWalt said. Some of the biggest security problems relate to human resource issues: getting a laptop back and security turned off for departing employees, hiring the right people and doing appropriate background checks. Another reason is companies feeling like they need someone in a watchdog role around IT's efforts to protect information, almost like an audit or compliance function.

DeWalt knows this doesn't sit well with many CIOs, who feel this is taking control and authority away from them. His recommendation, and what he does at McAfee, is dual reporting, where the CISO reports to the CIO and to him as CEO.

What do you think? Is this another example of chipping away at CIO influence and authority , or a common sense approach given the expanding view of what company security means?