Information Security – Whose Job is IT?
As the owner of an information security firm, I am frequently faced with the challenge of figuring out who to deliver our message to. Most security practitioners would respond that security is everyone’s responsibility, and I don’t disagree. However, when you’re in the business of marketing security services, and not just implementing them, that shotgun mentality will just make a big, messy hole.
Yesterday I overheard my business partner on the phone with a prospect, a Compliance Officer for a large credit union. As my partner’s pitch rose to a crescendo, he was suddenly interrupted, replying “so that’s not your responsibility? So… I should talk to IT?” No matter how successful you are, you’re going to get your share of objections, rejections and denials. But deflections are different, particularly in security. Let me explain.
For a long time, information security was considered an IT problem. Why? Because the solutions – things like firewalls, antivirus software and access control lists – were only available from IT. This system worked for a while because the controls were well matched for the threats. But it created an unfortunate precedent, one that would eventually disarm businesses everywhere.
Fast forward to 2011. Today’s threats don’t look or act the way they did ten, five or even two years ago. And even though today’s threats are still rudimentary in nature, they cleverly outwit traditional security controls by avoiding them altogether. The firewalls and antivirus software that made IT synonymous with security are failing, and it’s causing a new problem – an identity problem. IT is not your security team. But if IT doesn’t do security, who does?
It’s not an easy answer, but if you can find the risk owners, you’re on the right track. Here are some suggestions, in order of greatest liability:
- At the highest level, business owners are responsible for the health and welfare of their employees, clients and businesses, and as such are implicitly accountable for ensuring the security of business assets. Whether it’s awareness training or data protection, the buck stops here. Of course, each business has unique risks, and every security program will, and should, look different. Business owners are the primary risk owners.
- Next come asset owners. This is a term borrowed from ITIL and other organizational frameworks that seek to identify the chief decision makers for information and other systems. Asset owners, after business owners, are next in line for risk accountability, because they make decisions about business assets. The Human Resources Manager, the Comptroller, the Director of Development – these are all good examples of asset owners. This could be a large group of individuals, depending on the size of the organization.
- Next in line come those involved with compliance or audit. After all, these are the individuals who measure how well regulatory, statutory, commercial and other legal requirements are being met.
- Last are the employees of the business. Each and every member of the organization has a role on the security team and is a cog in the security machine. It is the responsibility of each individual to understand their role and responsibilities and implement the required behaviors to the best of their ability. Employees are the organization’s biggest, brightest and most capable security control – when they fail, it becomes a major weakness.
So where does that leave IT? As a service provider, your Information Technology team is simply doing what they are asked to do. Whether your security program is strong and mature or non-existent, remember that it wasn’t (or shouldn’t be) IT that made it that way. IT’s job is to provide technology services that meet specific Service Levels to their clients – the departments, end users and asset owners in your business. They’ll be happy to secure your assets, but only after a business leader, asset owner or Compliance Officer has made the critical decision to do so.
So the next time someone calls you and asks if you’d like to talk about information security at your company, you know what to say.