Sam Dekay

Who’s In Charge Here? The Problem of Information Security Governance

A few months ago, I learned that the ISO of a large financial services institution informed his staff that it was unnecessary to obtain the CGEIT (Certified in the Governance of Enterprise IT) certification, newly offered by the Information Systems Audit and Control Association (ISACA). "Governance," he announced, "has nothing to do with information security." And, indeed, certain trends within the field seem to confirm this view. For many years, organizations have outsourced various access control functions (such as password changes) to Help Desks and to offshore service providers. However, to an increasing extent, large organizations are assigning specific information security functions, including risk management, network security, and policy development, to other departments within the broader IT organization. In some cases, information security roles are embedded within business units. In short, InfoSec is becoming balkanized. And, it seems, little thought is being given to how these dispersed security functions add up to a coherent security program.

To some extent, this is merely a continuation of several long-term historical trends. Information Security has, for many decades, been an "orphan of the corporate org chart." Also, the field has never developed a sufficiently stable identity to establish well-defined functions that must be performed by a specific, centralized administrative unit. In a 2005 study published by the Aberdeen Group, governance was identified as a chronic weakness of most information security programs:

Although 26% of all firms in the world are performing at best-in-class levels when it comes to managing security, less than 10% are operating governance programs that are at best-in-class levels.  By contrast, 26% are best-in-class for network and infrastructure, 20% are operating best-in-class information and access programs, and 23% are operating Sarbanes-Oxley programs that are at best-in-class levels.

However, the increasing tendency to disperse information security functions throughout the organization will only exacerbate the already problematic governance issue. InfoSec is becoming not merely an "orphan" of the org chart; it seems actually to be disappearing, replaced by various information security "functions" scattered throughout the organization.


  1. SecurityExec Aug 8, 2008 at 5:35 pm

    I think it’s great that such an article has been written. Despite having a somewhat vested/biased interest in the topic (I am a security executive), I think there are some very relevant points that are compounding the problem of governance (and, ultimately, the overall effectiveness of information security). Governance and accountability are arguably what’s needed most to help truly achieve better information security across the board. Unfortunately, as we’ve seen too often, the regulatory agencies, lawmakers, and industry itself shy away from establishing accountability. It’s much easier (politically) to continue to focus on the technology rather than address the real issue. Business leaders are always going to look for the path of least resistance – hence the reason we’re seeing a lot of companies revert to positioning security and risk managers/executives down the corporate ladder, usually back into the technology ranks. Until someone steps up (the regulators/agencies should have been leading the way on this long ago, considering their increasing talk about the need to improve security of financial information), the business world simply isn’t going to accept more responsibility or accountability than it absolutely has to. That directly translates into security, privacy, and risk management reverting back to operational and technology-specific roles rather than being at the level needed for efficacy – closer to the executives and Boards of Directors.

  2. Bouch Aug 19, 2008 at 2:05 pm

    I work for a federally funded research and development center that has to abide by a variety of government regulations, such as the NISPOM, which clearly identifies roles within information security. In short, the ISSOs are the hands-on computer security folks, separate from the regular IT staff. They report to the ISRs, who work on the policies, procedures, and certifications. The ISRs are the pawns of the ISSM, who oversees the entire security posture, similar to a CISO. However, these government regulations are not enforced within the private sector. Hopefully, as corporations keep being infiltrated and sensitive customer information is leaked publicly, the citizenry will stand up for a universal information security standard for private corporations.
