Whither the IT organisation? Part 3: Information Security Management

Having mused on how change management and process management might fit in with the future role of the IT organisation in my last two posts, in the third and final posting on this topic I thought I would move my attention to an area somewhat closer to what IT professionals would generally consider home: information security.

At first glance this might appear to be a bit of a no-brainer: after all why wouldn’t IT be responsible for information security? However, I was interested to read this recent article from Computer Weekly suggesting that this might not be the case.

To start therefore, I think it is important to highlight the difference between information security and IT security. Although these topics are closely related, I believe that there are some important differences.

IT security, as I see it, is very much focused on ensuring the security of technology with, historically at least, a particular focus on securing the perimeter or boundary of the private IT territory of the organisation through the deployment of tools such as firewalls and access control technologies along with protection against threats such as viruses, malware, spam and so on. Information security, on the other hand, I would define as having a much broader scope, where technology is not the focus but a means to the end, the priority being the application of appropriate protection to the organisation’s various different types of information whether that is stored electronically (including on portable media) or on paper or even in individuals’ heads.

For me this distinction is very important as it changes the whole focus of attention. With the changes that are currently taking place in how IT is managed and delivered, particularly driven by, for example, cloud and the trend towards bring your own device, the old ‘fortress’ model of IT security is becoming increasingly redundant. To really become responsible for information security means taking the lead in topics such as defining how to evaluate risk and what protection to apply, as well as considering issues such as the protection of physical records and, most importantly, taking the lead in the ongoing need to maintain a high level of awareness amongst all staff regarding this issue.

Is this somewhere where CIOs should go? Well, there are plenty of other stakeholders, some of whom might also be in a position to take the lead, for example heads of corporate risk or governance, or even the people responsible for the physical security of buildings. The actual information owners would of course also have an important role to play, although it is not likely that any particular one of those would be dominant enough to set the overall agenda for this topic in any but very small organisations.

For me, however, the CIO is very strongly placed to take this responsibility. After all, if a CIO really wants to live up to the title of ‘chief information officer’ and genuinely operate in a senior leadership role, rather than just being a much more humble IT manager, then taking the lead on all the issues around the management of corporate information should be non-negotiable. This is reinforced by the fact that, in most modern organisations, the vast majority of information is stored on digital media, so the fit with the IT department is, if not perfect, probably better than anything else. Finally, in these days of the cloud, software as a service, bring your own device, business process as a service and so on, if IT doesn’t start taking ownership of something as fundamental as security, it will surely not be long before the need to have an IT department at all starts being seriously questioned.

To conclude, therefore, I have looked at three areas of activity that might be part of the IT organisation of the future: change management, process management and information security management. I think it is safe to say that there is no single simple answer as to whether and how responsibility for these topics might fit with the IT organisations of the future. All organisations are, after all, different, and issues such as organisational culture and the structure of the overall organisation within which IT exists all have an impact. Nevertheless, to put it concisely, my conclusions as to whether IT should be aiming to take responsibility for these topics in the future are, respectively: possibly, probably and almost certainly.

But that’s just my view; do you agree? I was really interested to read the comments on my last two posts and my thanks go to those of you who commented. Do you also think IT is the right home for information security, or could it work another way, for example as the Computer Weekly article suggests, with a separate chief information security officer reporting to legal and risk management? I’d, as ever, be fascinated to read your views.

Comments (3)

  • 1
    Louis Emmanuel wrote on 28th Jun 2012

    Most often we are too bothered being concerned about the power tussle in the corporate world and forget the matter on the ground.

    Whether security lies to be managed by an IT department or a Risk Management department does not matter. What matters is having the capable people on board in organizations to see impending risk (security) and deal with it. Having the right set of people with technical know-how and experience is what matters in the end. Businesses are not interested in the IT department or the Risk Management department. What businesses are interested in is turning a profit while their corporate assets remain secured.

    IT is all but just a vital business tool and businesses are more interested in how much impact it makes, not how much control IT has.

    To summarize, it does not matter whether IT is in charge or Legal and Risk Management. Every corporate culture is different and businesses should go with what works best for them and delivers results. If IT works better for some organizations, great; if Legal and Risk Management works better for some, better.
    Remember no two businesses are the same even if they are in the same vertical market.


  • 2
    Dr Nic Yannacopoulos wrote on 28th Jun 2012

    Information Security is also part of Information Management at large; i.e. part of the discipline of making decisions of what to store and why, the governance of access to information and audits, the allowed usage of personalised information, etc. Technology is only the infrastructure for Information Management.


  • 3
    John Sherwood FBCS CITP wrote on 28th Jun 2012

    In my view it matters a great deal who is in charge of information security management (and also IT security management). Without an adequate governance model nothing will happen. Ultimately information risk, as a sub-set of operational risk, must be owned by the business stakeholders, and so we need a governance model that enables that. That leads us to the concept of 'security architecture' - how 'security' and 'risk management' are seen as an integral part of running a business - not something optional on the side. For those of you with a deeper interest in this topic I recommend that you read the white paper from the Open Group / SABSA Institute downloadable free from https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12449


About the author

Adam Davison MBCS CITP has an MSc in IT from the University of Aston and has filled a variety of senior IT strategy roles for organisations such as E.ON and Esso.
