Whither the IT organisation? Part 3: Information Security Management

Having mused on how change management and process management might fit in with the future role of the IT organisation in my last two posts, in the third and final posting on this topic I thought I would move my attention to an area somewhat closer to what IT professionals would generally consider home: information security.

At first glance this might appear to be a bit of a no-brainer: after all why wouldn’t IT be responsible for information security? However, I was interested to read this recent article from Computer Weekly suggesting that this might not be the case.

To start therefore, I think it is important to highlight the difference between information security and IT security. Although these topics are closely related, I believe that there are some important differences.

IT security, as I see it, is very much focused on ensuring the security of technology with, historically at least, a particular focus on securing the perimeter or boundary of the private IT territory of the organisation through the deployment of tools such as firewalls and access control technologies along with protection against threats such as viruses, malware, spam and so on. Information security, on the other hand, I would define as having a much broader scope, where technology is not the focus but a means to the end, the priority being the application of appropriate protection to the organisation’s various different types of information whether that is stored electronically (including on portable media) or on paper or even in individuals’ heads.

For me this distinction is very important as it changes the whole focus of attention. With the changes that are currently taking place in how IT is managed and delivered, particularly driven by, for example, cloud and the trend towards bring your own device, the old ‘fortress’ model of IT security is becoming increasingly redundant. To really become responsible for information security means taking the lead in topics such as defining how to evaluate risk and what protection to apply, as well as considering issues such as the protection of physical records and, most importantly, taking the lead in the ongoing need to maintain a high level of awareness amongst all staff regarding this issue.

Is this somewhere where CIOs should go? Well, there are plenty of other stakeholders, some of whom might also be in a position to take the lead, for example heads of corporate risk or governance, or even the people responsible for the physical security of buildings. The actual information owners would of course also have an important role to play, although it is not likely that any particular one of those would be dominant enough to set the overall agenda for this topic in anything other than very small organisations.

For me, however, the CIO is very strongly placed to take this responsibility. After all, if a CIO really wants to live up to the title of ‘chief information officer’ and genuinely operate in a senior leadership role, rather than just being a much more humble IT manager, then taking the lead on all the issues around the management of corporate information should be non-negotiable. This is reinforced by the fact that, in most modern organisations, the vast majority of information is stored on digital media, so the fit with the IT department is, if not perfect, probably better than anything else. Finally, in these days of the cloud, software as a service, bring your own device, business process as a service and so on, if IT doesn’t start taking ownership of something as fundamental as security, it will surely not be long before the need to have an IT department at all starts being seriously questioned.

To conclude, therefore, I have looked at three areas of activity that might be part of the IT organisation of the future: change management, process management and information security management. I think it is safe to say that there is no single simple answer as to whether and how responsibility for these topics might fit with the future IT organisation. All organisations are, after all, different, and issues such as organisational culture and the structure of the overall organisation within which IT exists all have an impact. Nevertheless, to put it concisely, my conclusions as to whether IT should be aiming to take responsibility for these topics in the future are, respectively: possibly, probably and almost certainly.

But that’s just my view; do you agree? I was really interested to read the comments on my last two posts and my thanks go to those of you who commented. Do you also think IT is the right home for information security, or could it work another way, for example as the Computer Weekly article suggests, with a separate chief information security officer reporting to legal and risk management? I’d, as ever, be fascinated to read your views.

About the author

Adam Davison MBCS CITP has an MSc in IT from the University of Aston and has filled a variety of senior IT strategy roles for organisations such as E.ON and Esso.

June 2018