Thu, April 15, 2004 — CIO — For 40 years there has been little reason for anything computer related to fall outside IT’s command. But that era is coming to an end. The evolving and increasingly important role of information security requires the background of a geek and the instincts of a cop. Information security crashes together two functions: traditional corporate security and IT. The ex-cops over in corporate security who watch the doors and suspicious behavior are using more and more technology to get their jobs done. And the stakes in an IT security breach have risen so high that IT people who know firewalls but can’t fathom the motives of a disgruntled employee are no longer able to protect their companies from what could be serious financial losses, extended network downtime and badly damaged relationships with customers.

So struggle over who gets information security is growing: IT, the traditional security group or a new function that is distinct from both groups. There is already clear evidence that IT is going to lose the fight-and more important, that it should. In an October 2003 CIO magazine survey, respondents who described themselves as "very confident" in their companies’ security were nearly twice as likely to have information security reporting outside of IT than those who described themselves as "not at all confident" in their security. The reasons for the confidence are clear: Confident companies suffered nearly six times fewer security events, had less downtime and fewer financial losses than the less confident companies. And they allotted more money toward security: The percentage of the IT budget that confident companies spent on security was double that of the not confident group (14 percent versus 7 percent), and they paid more attention to organizational reporting and security policy issues.

There are other reasons to move security. Some argue that keeping responsibility for policing security within IT can pose a potential conflict of interest for the CIO, who may be tempted to give short shrift to security concerns in favor of getting IT projects in on time and under budget. And catching hackers requires the ability to think like a criminal, something IT employees are not trained to do. Then there’s the workload issue: Don’t CIOs have enough on their plates these days without having to deal with the burgeoning and evolving challenge of worrying about all aspects of a company’s security? Having security responsibilities reside in the hands of a CSO or equivalent-and in particular someone who reports outside of IT-could be better for the CIO’s career and the health of the IT group as well as the overall organization. A CSO can focus full-time on security, unlike a CIO who is often pulled in several different directions.