Information security is both a management issue and a technology issue.
The management of an institution may be the owner or custodian of the data that its information security program is trying to protect. They need to ensure that the systems they employ perform all the intended functions on the data while ensuring the data is not leaked to unauthorized personnel. “Primary mission of an information security program is to ensure information assets-information and the systems that house them-remain safe and useful” (Whitman & Mattord, 2014).
Management is responsible for the reputation of the business, its proper functioning, the data it holds, and safeguarding the technology it uses. However, all of these could be impacted if the technology they deploy does not meet the requirements – functional as well as non-functional. Technology is only a tool that facilitates the proper functioning of the business, providing value to its customers and keeping track of all its transactions. Technology must be configured in such a way that the data the business holds is protected in transit, at rest and in process.
So, should the Chief Information Security Officer (CISO) report to the Chief Information Officer (CIO) or the Chief Executive Officer (CEO)? “Once an organization’s infrastructure is in place, management must continue to oversee it and not relegate its management to the IT department” (Whitman & Mattord, 2014). By the same reasoning, the management of information security should not sit under IT (the CIO). If left under IT, the programs and processes that the CISO comes up with would be limited by the constraints of the IT department, and the CISO may not be able to bring people, process and technology together comprehensively.
The Information Security Management Program, when moved out of the IT umbrella and placed under the CEO, would be under the direct oversight of the board and would not be limited in performing audits and independent reviews of IT and its processes. If needed, the CISO could bring non-IT departments such as intellectual property, legal, vendor management and asset management into their processes without impacting IT.
- Whitman, H. J., & Mattord, M. J. (2014). Principles of Information Security (5th ed.). Boston: Cengage Learning.