By Mel Duvall
At the start of the decade, when companies were just beginning to create organizations to combat a wide range of computer security threats, it was common for chief information officers to take on the dual role of CIO and chief security officer.
After all, they were usually the ones responsible for selecting and implementing the electronic commerce applications, firewalls, secure access gateways and network monitoring systems that exposed and guarded a company's critical information. That didn't mean, however, that they were best suited for the job.
In fact, in 2002 Giga Information Group analyst Steve Hunt was one of several analysts at the time who called on organizations to create a new C-level management position: a chief security officer (CSO) who would have responsibility not only for corporate information security, but also for physical security.
"Corporate security is more than so many technologies," he wrote at the time. "It involves physical, psychological and legal aspects, such as training, encouraging, enforcing and prosecuting. It involves strategic planning, skilled negotiating and practical problem solving. Only an individual with strong business savvy and security knowledge can oversee security planning, implement measures appropriate to business requirements."
In the half-a-decade since that report was written, much has changed. And then again, much hasn't.
According to a survey released in September by consulting firm PricewaterhouseCoopers, in partnership with CIO Magazine, it appears that a majority of organizations now have a security chief (either with the chief security officer or chief information security officer title) in place—60% in 2007, compared with 43% in 2006.
That doesn't mean the CIO has been taken out of the picture. To the contrary, the survey found 38% of CSOs or CISOs now report to the CIO, compared with 33% in 2006, and an additional 15% report to the chief technology officer, compared with 6% in 2006. Security chiefs also had dotted-line reporting responsibilities to areas such as legal, human resources and finance, but combined, the survey indicates 53% of security chiefs report to IT.
In prior years, the survey had shown a steady shift away from having security chiefs report to the CIO or CTO.
IT also holds increasing sway over the purse strings for security, with 65% of information security budgets coming directly out of the IT budget, compared with 48% in 2006.
What appears to be happening, says Scott Roe, president of Corporate Risk Solutions, a security consulting firm that specializes in helping companies develop and implement security strategies, is that as security systems become more deeply integrated into the corporate network, CIOs are being asked to resume overall responsibility for security. At the start of the decade, many security systems were standalone offerings, often built on proprietary platforms that could not communicate well with other security software. Now, those systems are very much built on standard protocols and installed into the fabric of the network.
"The bottom line is this level of integration requires the direct involvement of IT," says Roe, a former U.S. Army counterintelligence special agent. And because of the level of integration required, CIOs are also regaining control over buying decisions.
Roe, who consults with a number of corporations as well as government agencies and utility companies, says he sees a wide range of reporting practices in place today. Companies involved more directly in technology tend to have the CSO report to the CIO. Those in finance or utilities often have the CSO report to an audit committee, with a dotted-line reporting structure to IT and the CEO.
At Caregroup Healthcare System in Boston, for example, the CSO reports to the CIO. At BT Radianz, a New York company that provides a market trading system for brokerages, CSO Lloyd Hession reports to the CEO. At insurer Allstate of Northbrook, Ill., CISO Kim Van Nostern manages a team of about 100 security professionals, and works closely with the company's chief privacy officer. However, she also reports to CIO Catherine Brune.
Two things are certain, however, says Roe. "More companies are moving toward having a separate security working group or organization, and the head of that organization is reporting to a C-level executive," be it the CIO, CFO or CEO.
Responding to Incidents
Beyond the big picture question of who the CSO should report to or who controls the security budget, companies must also wrestle with the more street-level question of what happens in the event of a specific security breach or incident. When an employee is found to be viewing pornography or downloading sensitive financial documents onto a memory device against company policy, or when a hacker is found to have infiltrated the network and stolen sensitive customer information, what is the chain of command and processes for responding to the incident?
In the case of the employee, is it reported directly to human resources, or first through the CSO to the CIO, to legal and perhaps, finally, to HR?
"This is a question we get asked all the time—who should the [incident response team] report to," says Robin Ruefle, a member of the technical staff at the Carnegie Mellon Software Engineering Institute Computer Emergency Response Team (CERT). Ruefle's team is involved in developing security best practices for organizations, including creating Computer Security Incident Response Teams (CSIRTs), essentially teams that can respond to security threats and incidents when they happen. "The answer we always give is: it depends," says Ruefle.
"So much ties into what is an organization's current structure, what is its mission and goals, what's already in place . . . what you really have to look at is what fits in that organization."
CERT has a guide on its Web site to assist organizations in establishing CSIRTs. The guide was last updated in February 2006, but Ruefle says it remains current. One area that still needs to be added, however, is a process for reporting incidents to law enforcement when necessary. For example, if an employee is found to be accessing child pornography, what policies and processes are in place to bring the matter to the attention of law enforcement?
CSIRTs are often initially formed within a company's IT department, because that is where the expertise can be found, says Ruefle. Over time, however, CSIRTs tend to evolve to take on new structures, often reporting to CSOs or multiple executives such as the CEO, CFO or director of human resources.
"We've seen incident management capabilities show up in IT, we've seen it in audits and compliance, we've seen it as a stand-alone organization, and we've seen it in risk management," she says. "It's not so important where it shows up, but how it functions within that organizational structure. It has to be able to cooperate and coordinate with the rest of the organization. And in the end that comes down to developing a well-defined set of policies and processes."