Sam Dekay

Who’s In Charge Here? The Problem of Information Security Governance

The effects of balkanization

These developments are not without merit.  For the past several years, IT and IS professionals have been informed that their objectives and processes must be “aligned” to meet the needs of the business.  This means that the organizational divides between business units, Information Security, and IT specialties (such as telecommunications and application programming) must be bridged.  Business managers must become knowledgeable concerning the security risks associated with their access needs, their applications, and the technical infrastructures supporting these applications.  Similarly, technologists must be sensitive to the security implications (including associated risks) of their coding practices, patching methodologies, network architecture designs, and other decisions.  The needs of all parties concerned (business areas, IT, and InfoSec) are best met when they collaborate, not when they function in isolated “silos” of self-interest.  Embedding information security professionals within business areas, IT units, or both, can help ensure that genuine collaboration occurs.  It seems that this trend is unlikely to reverse.

But perhaps we should return briefly to that somewhat nasty term, “self-interest.”  My 55-year-old friend is certainly not pleased that the decision to “embed” InfoSec throughout the organization has resulted in the elimination of his job.  Yet, when Information Security has ceased to be a centralized administrative entity, is there really a continued need for the ISO, CSO, or CISO?  At least one organization has determined that the response is “No.”  Maybe others will in the future (and possibly already have) make a similar determination.  Such a development may not betoken good things for the long-term career paths of information security professionals.

However, the dispersion of information security responsibilities across the organization chart has yet another potentially dangerous result: the loss of adequate governance.


  1. SecurityExec Aug 8, 2008 at 5:35 pm

    I think it’s great that such an article has been written. Despite having a somewhat vested/biased interest in the topic (I am a security executive), I think there are some very relevant points that are compounding the problem of governance (and, ultimately, the overall effectiveness of information security). Governance and accountability are arguably what’s needed most to help truly achieve better information security across the board. Unfortunately, as we’ve seen too often, the regulatory agencies, lawmakers, and industry itself shy away from establishing accountability. It’s much easier (politically) to continue to focus on the technology rather than address the real issue. Business leaders are always going to look for the path of least resistance – hence the reason we’re seeing a lot of companies revert to positioning security and risk managers/executives down the corporate ladder, usually back into the technology ranks. Until someone steps up (the regulators/agencies should have been leading the way on this long ago, considering their increasing talk about the need to improve security of financial information), the business world simply isn’t going to accept more responsibility or accountability than it absolutely has to. That directly translates into security, privacy, and risk management reverting back to operational and technology-specific roles rather than being at the level needed for efficacy – closer to the executives and Boards of Directors.

  2. Bouch Aug 19, 2008 at 2:05 pm

    I work for a federally funded research and development center that has to abide by a variety of government regulations, such as the NISPOM, that clearly identify roles within information security. In short, the ISSOs are the hands-on computer security folks, separate from the regular IT staff. They report to the ISRs, who work on the policies, procedures, and certifications. The ISRs are the pawns of the ISSM, who oversees the entire security posture, similar to a CISO. However, these government regulations are not enforced within the private sector. Hopefully, as corporations keep being infiltrated and sensitive customer information is leaked publicly, the citizenship will stand up for a universal information security standard for private corporations.
