Is it the CIO's remit - or is it time to bring in a specialist?
...those with the best security practices," says Winton, who believes organisations are better at responding to threats if they have an executive that is responsible for security. It is a belief that chimes with Brian Burton, head of IT security at Vodafone UK.
"You have to go up a couple of floors to handle the security threat. You can handle the data, lock devices and wipe information. But it's all about how your business adapts to the fact that people are now using non-standard devices," he says.
"You can't single out any particular device and you have to offer the same secure platform for multiple forms of communication. There isn't much new to do - it's about reusing your security skills to sell ideas to your own manager. It's like when someone screams in a movie and another person slaps them in the face to get them back in order."
The force of that slap depends on executive-level awareness. David Bason, IS director at legal firm Shoosmiths, says information integrity is critical to his organisation, which is frequently subjected to audits from banks and other financial businesses.
To ensure the necessary controls are in place, the firm has recently acquired ISO 27001 information security accreditation. Bason says organisations also need to comply with various regulatory constraints, including the Data Protection Act and the Payment Card Industry Data Security Standard, and to be clear on information retention and deletion policies.
"With fines of up to £500,000, there should be no difficulty in obtaining the board's attention," says Bason, who also believes that best practice corporate governance should include the management of risk through a specialist committee.
Such a committee should manage the company's risk appetite, driving task prioritisation and allocating money. The CIO must be integral to such decisions. If they are, concludes Bason, the need for a dedicated CISO is reduced.
"There is a need for a serious focus on information security, but not a need for a CISO," he says. "Data security should be part of the CIO's remit and incorporated into the overall information management strategy."