Should IT security be the direct responsibility of the CIO? After exploring the arguments of both sides, Patrick Gray explains why his answer to this question is yes.
IT security has been in the spotlight recently, culminating with several high-profile CIOs losing their jobs over security breaches. Many inside and outside the CIO office have been suggesting that IT security is too complex a discipline to be managed by the CIO, who is also tasked with everything from managing infrastructure, to setting technology strategy, to overseeing massive software rollouts. Do we need yet another C-level position dedicated to IT security, or should this remain solely in the purview of the CIO?
Best person for the job or responsibility dodge?
From the CIO's position, there are two compelling arguments for moving IT security out of the CIO's scope of accountability.
The first contention is that IT security is a specialist position, which no effective generalist can ever hope to fully understand. There's a fair argument that a CIO is simply not qualified to determine whether a security incident is a bored teenager or the first sign of a multi-billion dollar breach. However, the average CIO is also unlikely to be qualified to discuss the nuances of network routing, high-performance application design, or virtualization, areas that few CIOs would suggest belong outside the walls of IT.
This leads into the second, less noble reason some CIOs are suggesting that IT security belongs outside the CIO's role: dodging a potential bullet. As recent events have shown, the CIO is often a casualty of a high-profile security breach, and as the person ultimately accountable for security, this is arguably a legitimate consequence if IT security falls under the CIO's purview.
What's the alternative?
Some have suggested that another C-level title, dedicated exclusively to IT security or combined with other risk areas, is the right place for IT security. Some companies already employ Chief Risk Officers, or Chief Security Officers, and there's a reasonable argument to be made that IT security belongs under a broader security or risk umbrella. The major problem with this approach is that it separates security from infrastructure and application decisions, creating a risk that IT can happily deploy solutions and "someone else" can come in and apply security as an afterthought. Just as it would be difficult to "retrofit" security to a bank with no vault, locks, or closed-circuit TV, it's equally difficult to apply security to applications and infrastructure that were built without any consideration for security.
Certainly a dedicated security organization could insert itself into build-and-buy discussions, and attempt to inject security into appropriate conversations, but this makes for a burdensome process, and one that is likely to fail when an application slips by a standalone security organization.
Owned by the "right" IT shop
What is likely the source of much of the griping around IT being on the hook for security is that the average IT shop is not correctly staffed or budgeted to support a comprehensive response to security. Like any division of the company, IT never has enough money or staff, but it also does a poor job of articulating the risks associated with a data breach and developing an appropriate response plan. Too much of IT's focus on security has been related to bells and whistles, with fancy appliances and vendor promises replacing diligent staffing and appropriate human oversight.
There's no shame in saying that you've under-anticipated the risk to critical company data, and illustrating the costs of a major breach compared to the cost of mitigating such a breach. Like many aspects of life, security is a balancing act between allowing people to productively complete their job duties and creating the ultimate, high-security infrastructure, which is likely so cumbersome as to not even be usable.
The silver lining of the recent press releases about high profile security failings is that you can likely secure appropriate funding, even if you're unable to articulate the risks and mitigation strategies required. However, this is a short-term phenomenon, and hiring the wrong people or trusting in the latest whizz-bang security appliance may have your head on the proverbial chopping block in the near future.
The bottom line
Unless you're prepared to deal with another layer of overhead, suggesting that IT security be pushed away from IT is likely to complicate your life with additional administrative overhead and finger-pointing should a breach occur. While you cannot be expected to know every nuance of IT security, as a leader you are expected to staff your organization with quality people, and build a business case to hire and retain talent that mitigates business risk.
- A former CIO's take on Target CIO resigning after massive data breach
- Can CISOs become more effective as IT decision makers?
- C-level execs need to rethink IT security
- C-level execs need to end disconnect to improve IT security
- The State of IT Jobs: Winners and Losers (ZDNet/TechRepublic Special Feature)