BreachExchange mailing list archives

Why the CIO should 'own' IT security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 8 Sep 2014 18:52:18 -0600

http://www.techrepublic.com/article/why-the-cio-should-own-it-security/

IT security has been in the spotlight recently, culminating with several
high-profile CIOs losing their jobs over security breaches. Many inside and
outside the CIO office have been suggesting that IT security is too complex
a discipline to be managed by the CIO, who is also tasked with everything
from managing infrastructure, to setting technology strategy, to overseeing
massive software rollouts. Do we need yet another C-level position
dedicated to IT security, or should this remain solely in the purview of
the CIO?

Best person for the job or responsibility dodge?

From the CIO's position, there are two compelling arguments for moving IT
security out of the CIO's scope of accountability.

The first contention is that IT security is a specialist position, which no
effective generalist can ever hope to fully understand. There's a fair
argument that a CIO is simply not qualified to determine whether a security
incident is a bored teenager or the first sign of a multi-billion dollar
breach. However, the average CIO is also unlikely to be qualified to
discuss the nuances of network routing, high-performance application
design, or virtualization, areas that few CIOs would suggest belong outside
the walls of IT.

This leads into the second, less noble reason some CIOs are suggesting that
IT security belongs outside the CIO's role: dodging a potential bullet. As
recent events have shown, the CIO is often a casualty of a high-profile
security breach, and as the person ultimately accountable for security,
this is arguably a legitimate consequence if IT security falls under the
CIO's purview.

What's the alternative?

Some have suggested that another C-level title, dedicated exclusively to IT
security or combined with other risk areas, is the right place for IT
security. Some companies already employ Chief Risk Officers, or Chief
Security Officers, and there's a reasonable argument to be made that IT
security belongs under a broader security or risk umbrella. The major
problem with this approach is that it separates security from
infrastructure and application decisions, creating a risk that IT can
happily deploy solutions and "someone else" can come in and apply security
as an afterthought. Just as it would be difficult to "retrofit" security to
a bank with no vault, locks, or closed-circuit TV, it's equally difficult
to apply security to applications and infrastructure that were built
without any consideration for security.

Certainly a dedicated security organization could insert itself into
build-and-buy discussions, and attempt to inject security into appropriate
conversations, but this makes for a burdensome process, and one that is
likely to fail when an application slips by a standalone security
organization.

Owned by the "right" IT shop

What is likely the source of much of the griping around IT being on the
hook for security is that the average IT shop is not correctly staffed or
budgeted to support a comprehensive response to security. Like any division
of the company, IT never has enough money or staff, but it also does a poor
job of articulating the risks associated with a data breach and developing
an appropriate response plan. Too much of IT's focus on security has been
related to bells and whistles, with fancy appliances and vendor promises
replacing diligent staffing and appropriate human oversight.

There's no shame in saying that you've under-anticipated the risk to
critical company data, and illustrating the costs of a major breach
compared to the cost of mitigating such a breach. Like many aspects of
life, security is a balancing act between allowing people to productively
complete their job duties and creating the ultimate, high-security
infrastructure, which is likely so cumbersome as to not even be usable.

The silver lining of the recent press releases about high-profile security
failings is that you can likely secure appropriate funding, even if you're
unable to articulate the risks and mitigation strategies required. However,
this is a short-term phenomenon, and hiring the wrong people or trusting in
the latest whizz-bang security appliance may have your head on the
proverbial chopping block in the near future.

The bottom line

Unless you're prepared to deal with another layer of overhead, suggesting
that IT security be pushed away from IT is likely to complicate your life
with additional administrative overhead and finger-pointing should a breach
occur. While you cannot be expected to know every nuance of IT security, as
a leader you are expected to staff your organization with quality people,
and build a business case to hire and retain talent that mitigates business
risk.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 