Where does the leader of your information security function fit into the corporate structure? Whether you have a Chief Information Security Officer, the function is handled by your Chief Information Officer (CIO), or this function falls to a Director in the IT organization, does the function have the proper authority to carry out its assigned duties?
If your security leader falls somewhere in the middle of your IT organization, you are probably dealing with issues revolving around competing with other IT teams for resources, such as funding, personnel, and equipment. Also, you might sometimes suffer from an identity crisis, where business people think you are just like every other IT support team and don’t associate you with security functions. However, you do have some advantages: it is easier to get a seat at the table on important IT initiatives and to become involved in application implementations earlier in the process.
If your Information Security Leader is the CIO, he or she probably has many other responsibilities, and you are competing for attention and resources. Additionally, if this function falls on the outskirts of the IT organization, you will be seen as the “red-headed step-child” and won’t be involved in the initial, important discussions.
The CISO scenario has several variables. If your CISO is completely outside the IT organization, you will also experience the outsider treatment from the IT organization. However, this can be somewhat reduced by moving the CISO inside the IT group, with the CISO reporting to the CIO and having a “dotted line” to a senior executive outside of IT. Additionally, the CISO should be on the same level as any senior IT executives (i.e. Vice President). This will help ensure an equal voice when it comes to budget, personnel, and input on IT issues that involve security.
Wherever the Senior Security Leader is placed in the organization, the security team must build a relationship of trust with all levels, from VP to system administrator, for the Information Security program to be successful. Once this relationship is developed, and information security isn’t seen as the “No” team, then they will be invited to the table and everyone will win.