Good Reasons to Hand Off Security to the CSO
Security Is Converging
There is a small though growing trend of IT security moving under the corporate security umbrella so that security decisions all come out of one place. But experts we spoke to said there is no formula for making the decision. It depends on factors like culture, governance structure, size (and size of customer base), sensitivity of corporate data and demands of customers. Companies that are feeling increasing pressure in any of these areas should at least consider whether information security and corporate security should be consolidated into a single group.
The strongest argument for keeping information security within IT is purely pragmatic. Much of information security has to do with hard-core IT issues, and non-IT people don’t understand how complex it can be. People from a pure security background can become so fixated on security that they ignore the need to make systems flexible and usable, says Finlay. "There are times when I’ve seen security people advocating something that makes the system so hard to use that people wouldn’t use it. The job of CIO is to find the right balance." To which CalSTRS’s Thomas responds, "That’s why it’s important for us to have a close working relationship with IT and work together as a team."
But regardless of where the CSO reports, he cannot be a shrinking violet. CSOs need an independent voice and the ability to promote the position and the need for security inside the company (see "Who Is the CSO?" this page). "If CSOs can clearly communicate their role and the role of security in the organization, it doesn’t matter where they report to," says J. R. Biggs, managing director at Network Security Consulting and a former CSO for a financial services company. "You have to be able to communicate and justify your role and responsibilities and make sure everyone understands that security is the responsibility of everyone in the organization."
That sure sounds like independence to us.