Good Reasons to Hand Off Security to the CSO
But the issue is still up for debate. Some CIOs are concerned that if security policy is moved out of the IT department, they would lose influence but still be held accountable if something goes wrong. CIOs for small and midsize companies argue that it’s not practical to create a separate role that is responsible for security. And CIOs in industries heavily regulated by the federal government also worry that letting go of security could mean falling out of compliance.
With the debate raging, if you’re not seriously examining where information security falls on your org chart, it’s time to do so. And there is mounting evidence that owing to its growing complexity and importance to besieged organizations, security probably should be separate from IT. The dialogue about the future of IT security is just beginning. Chances are, the discussions should be going on inside your company too. In this story, we’ll outline the main issues to debate.
Cut Security Loose
Security experts say that most IT security threats are from within the company. If that’s the case, then keeping IT security within IT is a simmering conflict of interest. "If you think of information security as a policing function, then having [security staff] report to the CIO has the IT infrastructure policing itself," says Bill Spernow, a security consultant and former chief information security officer of the Georgia Student Finance Commission. Samantha Thomas, director of the information security office for the California State Teachers’ Retirement System (CalSTRS), puts it more starkly: "If you’re in IT and they’ve given you security, how can you conduct an unbiased investigation of the friend you’ve sat next to for years?" Thomas and her fellow CISOs in all California state departments now report to their department chiefs because of an executive order from then-Gov. Gray Davis in 2002.
Those who advocate moving security out of IT say that new, complicated challenges require someone who can look at the bigger strategic picture of security across the company, advocate for tougher security measures in all functions of the company and report security issues to a higher authority than the CIO.
These are the issues that made William Murphy, CTO of financial data and analytical software provider Capital IQ, ask his company to hire a CSO in 2002. "I had handled security adequately since the company began in 1998, but I wanted security to be more than adequate; I wanted it to eventually become a competitive advantage for us," says Murphy. The growth of the company (from five people when Murphy started to 900 today) combined with a growing customer base, a much broader product line of security-sensitive products and customers that had increasing security expectations sparked the switch.