by Thomas Wailgum

CIOs Need Business Partners To Achieve Security Controls

Apr 17, 20072 mins

Effective security requires management teamwork.

As CIOs establish IT security controls in their own departments, they need to solidify their relationships with other parts of the business. Because of IT’s increasing involvement in what were formerly HR and legal department matters, “the CIO has a lot to contribute,” says Richard Hunter, a vice president and expert on security and privacy with Gartner.

For example, although the CIO will decide which monitoring and filtering technologies to buy, what those technologies will block and search for and what the impact on employees and processes will be are business decisions that should be made collaboratively. “It’s no different than a travel or hiring policy,” Hunter says.

To ensure that he’s able to manage Credit Suisse’s IT-centric risks, CIO Tom Sanzone created an IT risk department that has forged ties with HR, legal, compliance and internal audit. The head of this department, who reports directly to Sanzone, helps determine compliance policies with the other groups and ensures that Credit Suisse is complying with governmental and financial regulations. In addition, HR is responsible for duties such as shutting down system access and retrieving PCs and BlackBerrys when an employee leaves the company. Sanzone says that by having risk report directly to him, it elevates the department’s status within the company as well as emphasizes to his peers the importance of its mission.