Thursday, April 22, 2004

Hand Over Security

Physical and information security have been converging, often under the control of IT. But companies are increasingly moving the role of policing security out of IT and into the hands of an independent CSO. Here's why you should consider doing the same.

BY CHRISTOPHER KOCH
CIO.com

Executive Summary

There is growing evidence that responsibility for security should be independent of the IT department: survey data shows that companies with an independent security function have more effective safeguards. When security reports to IT, the CIO faces a potential conflict of interest and may be tempted to give security short shrift in favor of delivering IT projects on time and under budget. Catching attackers requires the ability to think like a criminal, something IT staff are not trained to do. And there is the sheer IT workload, which distracts from security concerns. On the other hand, even if security moves out of IT, accountability wouldn't necessarily move with it: CIOs might end up with little influence yet still have to answer when something goes wrong. At Capital IQ and Siemens Canada, responsibility for security has nonetheless been separated from IT successfully. Where that isn't possible, security advocates say the person responsible for security must have a policy-backed right to escalate to an authority above the CIO.