So struggle over who gets information security is growing: IT, the traditional security group or a new function that is distinct from both groups. There is already clear evidence that IT is going to lose the fight-and more important, that it should. In an October 2003 CIO magazine survey, respondents who described themselves as "very confident" in their companies’ security were nearly twice as likely to have information security reporting outside of IT than those who described themselves as "not at all confident" in their security. The reasons for the confidence are clear: Confident companies suffered nearly six times fewer security events, had less downtime and fewer financial losses than the less confident companies. And they allotted more money toward security: The percentage of the IT budget that confident companies spent on security was double that of the not confident group (14 percent versus 7 percent), and they paid more attention to organizational reporting and security policy issues.

There are other reasons to move security. Some argue that keeping responsibility for policing security within IT can pose a potential conflict of interest for the CIO, who may be tempted to give short shrift to security concerns in favor of getting IT projects in on time and under budget. And catching hackers requires the ability to think like a criminal, something IT employees are not trained to do. Then there’s the workload issue: Don’t CIOs have enough on their plates these days without having to deal with the burgeoning and evolving challenge of worrying about all aspects of a company’s security? Having security responsibilities reside in the hands of a CSO or equivalent-and in particular someone who reports outside of IT-could be better for the CIO’s career and the health of the IT group as well as the overall organization. A CSO can focus full-time on security, unlike a CIO who is often pulled in several different directions.