Information Security: Orphan of the Org Chart?

In the 1990s, many Infosec professionals frequently played a game called “Where Do We Belong?” The game consisted of guessing where, on a corporate organization chart, the Information Security (or “Data Security,” as it was often called then) function ideally belonged. Some claimed that Information Security should report to the CIO (or Chief Technology Officer, in 90s-speak) because, after all, our business is concerned with providing technical controls. Other more audacious players insisted that IS should be a direct report to the CEO. The argument was that Information Security’s reporting to a CIO represented a conflict of interest because the Chief Information Officer could not fairly police his or her own technicians. Only a totally neutral party—the CEO—had sufficient clout to enforce information security policies upon technicians.

But it always remained just a game. I never knew a single colleague whose IS function reported to a CEO. I did know of several who were responsible directly to a CIO. Oddly, however, this always seemed a temporary affair. Inevitably, the Chief Information Officer would relegate Information Security to another reporting line.

Some colleagues had truly bizarre reports: One manager of Information Security was responsible to a Senior Vice President of Finance; another found herself linked to a box on the org chart associated with a “Director of Quality Assurance.” I had a few friends who reported to Vice Presidents for Special Projects—one project being the Y2K conversion. Finally, I knew of an Information Security manager whose function became part of the Internal Audit Division!

The situation has really not changed since the days we played “Where Do We Belong?” Organizations continue to rearrange Information Security on reporting charts, not really certain where it belongs. Why has IS remained the perpetual orphan of the org chart? Why does it seem to lack a natural home?

I believe there are two major factors that have contributed to this homelessness. First, Information Security is really a confederation of numerous disparate, and sometimes conflicting, functions. These responsibilities are loosely unified under the mandate of protecting the “confidentiality, integrity, and availability” of data. Second, IS has an unfortunate tendency to attract audit findings as a magnet draws iron filings. In practical terms, this means that senior executives responsible for Information Security are in the unenviable position of responding to ceaseless reports from internal and external auditors, regulatory agencies, and compliance officers. This is not the sort of work that is vastly appealing to the average CIO.

Concerning the first factor, Information Security departments have traditionally encompassed an operational and a control function. Their major operational duty is access management—the creation, deletion, and modification of user and system privileges. (Years ago, the task of creating and changing passwords was also an operational function; this task, however, has now largely migrated to in- and outsourced Help Desks.) The control functions of Information Security are quite different: developing policies and procedures, analyzing forensic evidence associated with possible incidents, writing and reviewing RFPs, conducting risk assessments of existing and soon-to-be-purchased software, monitoring logs, conducting oversight for service providers, implementing security awareness programs, and innumerable other responsibilities.

Now I ask: Where, on the org chart, does this conglomeration of operational and control functions find a natural home? Obviously, there are many candidates—Information Technology, Audit, Compliance, Privacy—but none are really a natural fit. Many organizations have now determined that the access management function can be established as an autonomous function apart from the control functions of Information Security. However, the remaining control functions are, by themselves, sufficiently diverse that they do not cohere as a single function with its own readily discernible identity.

And we can’t forget the second factor. Throughout the 1980s and ’90s, internal auditors focused upon information security as their “special” concern. I remember that each month would bring a new audit: January would commence an investigation of Unix user privileges; February would place MVS under the audit microscope; March would subject Infosec policies to intense scrutiny. No month would pass without the arrival of a new Letter of Introduction announcing yet another investigation. Of course, each audit would yield a harvest of findings which, in turn, would require a series of new meetings and the implementation of additional mitigating controls. As this was occurring, external auditors and various governmental examiners would join the parade of investigators. The continual emphasis upon deficiencies seemed to bestow an aura of perpetual inadequacy upon the information security function. Managers were frequently asked to resign. In other cases, senior executives (such as the CIOs mentioned above) were able to convince their supervisors that the Information Security function should, perhaps, report elsewhere. And a new home would eventually be found for InfoSec.

Recently, there have been some encouraging developments. Major auditing firms have concluded that Information Security is now concerned essentially with assessing risk and, therefore, may at last find a long-sought home beneath the “Risk Management” umbrella. Some Infosec professionals believe this is a temporary development and the new emphasis upon risk is actually a trend that may last five years or so.

And so we continue to ask: “Where Do We Belong?”

One Comment

  1. Doug Copley Apr 21, 2008 at 12:30 am

    I work at a fairly large financial services company and we’re struggling with this question right now. We’re considering combining the policy & awareness functions of 3 groups into one: information security, records management and privacy. Together they may equate to something called the Office of Information Assurance. Where they should report is the biggest question. The most logical place in my mind so far is either the Enterprise Risk Office (most logical), or Legal (records mgmt and privacy are already there).

    I’d be grateful to any other financial companies who’d like to chime in with their current organizational placement.
