Who’s In Charge Here? The Problem of Information Security Governance

A long-time friend of mine recently called with surprising, and sad, news. "I've been laid off due to poor profits," he said. "I receive eight months' severance. But if, at the end of eight months, I tell my ex-employer that I'm retired, I'll get family medical benefits until I turn 65."

My friend is 55, and has been employed in the field of Information Security for more than two decades. Until a few days before the phone call, he had served as CSO at a major manufacturing company.

I asked him how the function of CSO would be replaced by his former employer. He said that the job would be delegated to another senior executive in IT. "And the other security roles will also be reassigned: network security will be moved to Telecommunications; policy and procedures will transfer to Communications." In other words, the central Information Security unit would be dissolved and its functions incorporated into several existing operational, technical, and other areas. "But how," I wondered aloud, "will all these areas work together to create something resembling a consistent information security program? Where's the managerial glue to hold it together? Who's in charge?" My friend replied, quite simply, "I don't know."

This single telephone conversation is one among many indicators that, to an increasing extent, the problem of governance continues to haunt the field of information security.


  1. SecurityExec Aug 8, 2008 at 5:35 pm

    I think it's great that such an article has been written. Despite having a somewhat vested/biased interest in the topic (I am a security executive), I think there are some very relevant points that are compounding the problem of governance (and, ultimately, the overall effectiveness of information security). Governance and accountability are arguably what's needed most to help truly achieve better information security across the board. Unfortunately, as we've seen too often, the regulatory agencies, lawmakers, and industry itself shy away from establishing accountability. It's much easier (politically) to continue to focus on the technology rather than address the real issue. Business leaders are always going to look for the path of least resistance, hence the reason we're seeing a lot of companies revert to positioning security and risk managers/executives down the corporate ladder, usually back into the technology ranks. Until someone steps up (the regulators/agencies should have been leading the way on this long ago, considering their increasing talk about the need to improve security of financial information), the business world simply isn't going to accept more responsibility or accountability than it absolutely has to. That directly translates into security, privacy, and risk management reverting back to operational and technology-specific roles rather than being at the level needed for efficacy: closer to the executives and Boards of Directors.

  2. Bouch Aug 19, 2008 at 2:05 pm

    I work for a federally funded research and development center that has to abide by a variety of government regulations, such as the NISPOM, which clearly identifies roles within information security. In short, the ISSOs are the hands-on computer security folks, separate from the regular IT staff. They report to the ISRs, who work on the policies, procedures, and certifications. The ISRs are the pawns of the ISSM, who oversees the entire security posture, similar to a CISO. However, these government regulations are not enforced within the private sector. Hopefully, as corporations keep being infiltrated and sensitive customer information is leaked publicly, the citizenship will stand up for a universal information security standard for private corporations.
