A long-time friend of mine recently called with surprising, and sad, news. “I’ve been laid off due to poor profits,” he said. “I receive eight months’ severance. But if, at the end of eight months, I tell my ex-employer that I’m retired, I’ll get family medical benefits until I turn 65.”
My friend is 55, and has been employed in the field of Information Security for more than two decades. Until a few days before the phone call, he had served as CSO at a major manufacturing company.
I asked him how the function of CSO would be replaced by his former employer. He said that the job would be delegated to another senior executive in IT. “And the other security roles will also be reassigned: network security will be moved to Telecommunications; policy and procedures will transfer to Communications.” In other words, the central Information Security unit would be dissolved and its functions incorporated into several existing operational, technical, and other areas. “But how,” I wondered aloud, “will all these areas work together to create something resembling a consistent information security program? Where’s the managerial glue to hold it together? Who’s in charge?” My friend replied, quite simply, “I don’t know.”
This single telephone conversation is one among many indicators that, to an increasing extent, the problem of governance continues to haunt the field of information security.