Whose Job is It, Anyway?

What’s the winning strategy for securing the IT enterprise? A strong partnership between IT and security executives—and the right reporting structure.


IBM and IDG Content

As digital transformation and high-profile data breaches elevate IT security to a C-suite priority, many organizations are rethinking who takes ownership of security, and how to best structure executive roles and responsibilities.

Despite its increased importance, executive ownership of security varies greatly across firms, depending on company size and specific industry. Exclusive IDG and IBM research revealed that nearly half (49%) of companies say security is the responsibility of the CIO, while 31% say it belongs to a dedicated Chief Information Security Officer (CISO). Another 12% put the responsibility on the plate of the Chief Security Officer (CSO).

There’s no doubt IT and security strategies must be closely intertwined. But industry best practices call for a clearly defined separation of power. Most agree CIOs should be responsible for IT infrastructure, and security oversight should be the job of a dedicated CISO or CSO.

In addition, many experts believe the CISO should not report directly to the CIO, but instead report into the highest levels of the C-suite.

“[Top] security executives have to have direct visibility to the C-suite and the board of directors,” explains Limor Kessem, IBM’s executive security advisor. “They need to have their own session at board meetings, give their own explanation of what’s going on, and educate the company about emerging risks without having to come through another executive.”

Without a fully independent CISO or CSO, companies run the risk of addressing security more narrowly and in silos of their own function, instead of taking a holistic enterprise approach that spans the organization as a whole. For example, it’s the CISO’s role to audit the IT department, make recommendations for security architecture, and press for required changes. “It’s a lot harder to do if you don’t have equal power to make changes,” Kessem says.

At the same time, however, it’s critical that all CISOs or CSOs work in close concert with IT leadership to advance both the organization’s security and technology-related goals.

The CIO, for example, can take the lead on mapping out the right security infrastructure and technology, devoting time to issues such as uptime goals, business continuity, and disaster recovery. At the same time, the CISO can focus on instituting the proper governance controls, overseeing compliance and regulatory requirements, developing the organization’s risk profile, and conducting continuous audits and testing. “These two need to work in tandem, almost like dancing a tango together,” Kessem says.

Research shows companies with more mature security practices are implementing this independent chain of command and in turn reducing their overall risk profiles. IBM cybersecurity research found that “cybersecured” companies are 2.5 times more likely to have established a separate office of information security and appointed a CISO. In addition, these cybersecured leaders are five times more likely to have incorporated cross-C-suite collaboration (typically with representation from CMOs, HR chiefs, and CFOs) into their cybersecurity plans compared to unprepared organizations.

With security and IT as separate but equal functions, executives are free to pursue their own professional agendas while benefiting from each other’s expertise. “Equal pairing allows them to stand on the strength of their own roles, which makes the company stronger and more secure,” Kessem says.

For more information on IBM’s approach to security, click here.

And for more on this topic, don’t miss our podcast, Whose job is it, anyway? with IBM’s Limor Kessem, or our blog, How to Avoid Gaps in Security Through IT Team Changes.