Information Security is not quite I.T.’s responsibility
Well yes, in the Real World it is too often IT’s responsibility to look after business continuity and information security. But that’s because IT (Information Technology) is a cost center and too often powerless in an organization.
But it shouldn’t be IT’s job, and in organizations that follow best industry practices, as defined for instance in the International Standard Organization’s ISO 17799 guidelines, you’ll find that the Information Security Officer (the InfoSec, for short) does not report to anyone in the Information Technology department.
There’s a good reason for that. IT is a cost. True, spending on IT increases productivity and leads to cost cuts in other departments, but IT activities are billed to the revenue centers much the same way as premises costs for rent and utilities are billed, often following some headcount formula. IT managers therefore have the double mandate of providing productive tools at the lowest possible cost.
Information security and related activities require time and effort that an IT manager, naturally enough, prefers to devote to productive activities. In the cost-benefit analysis of any IT project, mitigating security risk leads to costs. If the Information Security Officer reports to the IT manager, the manager will be tempted to tell the InfoSec to tone down an analysis or to suppress a finding. It’s important, therefore, for the Information Security Officer to be independent.
Let’s be clear about one thing. IT managers are often right to avoid implementing security features because they are too costly or inconvenient to use. However, the security concerns must be addressed and the decision process must be transparent. To produce a correct cost/benefit analysis, the security risk must be presented, not squashed.
Copyright 2008 Vincent Poirier