Where Should Information Security Report to?

Information security governance ensures that all the structures, processes, roles and responsibilities related to information security are defined and aligned with enterprise objectives. This requires the role of information security to be properly defined and placed in the enterprise organization structure. Governance is becoming more important than ever, driven by increasing compliance requirements and continuous challenges from advanced threats and attacks. It plays a vital role in meeting stakeholders' needs and enterprise objectives. A key enabler of enterprise success is treating information security as a partner, which gives it the empowerment and support needed to fulfill its mandate. This also helps protect enterprise assets and ensures that technology risks are managed.

In the changing technology landscape, the role of information security has been revamped and new business models for information security have been created. These models propose different roles for the security function and accordingly place it in different locations in the enterprise, each with a specific focus area. The main mandate will always be to protect the enterprise's assets while keeping risk at acceptable levels. This applies to all industries and across the various focus areas of security, namely operations, risk and governance. Placing information security in a position that is not aligned with the desired focus area would result in failing to achieve its objectives and eventually lead to complete divergence from overall enterprise objectives and stakeholder needs.

In a research paper published by Forrester on security organization maturity, three focus areas for information security were identified: 1) operations, 2) risk management, and 3) information governance.

Whether the focus area of the enterprise is operations, risk or governance, the entity will have a leadership position defined to manage it. Ensuring the position exists, coupled with the responsibility, authority and required resources, demonstrates management and board of director awareness of and commitment to sound information security governance.

Reporting structures for information security managers vary widely. In the 2011 Global State of Information Security survey conducted by CSO Magazine and PricewaterhouseCoopers, the percentage of CISOs reporting to the CIO decreased from 38% in 2007 to 23% in 2010. During the same period, the percentage reporting directly to the board of directors increased from 21% to 32%, and 36% now report to the CEO.

Reporting to the CIO has several issues:

  • Information security's scope is becoming wider than the CIO's IT scope.
  • Conflict of interest.
  • Information security must be more aligned with the business than with technology.

Detailed below are some considerations for the placement of security, based on COBIT 5 for Information Security:

Chief executive officer (CEO)

[Pros]

(1) Information risk is elevated to the highest level in the enterprise.
(2) Information security is given the most power and support.
(3) Information Security gets highest priority and attention.

[Cons]

(1) Information risk needs to be presented in a format that is understandable to the CEO.
(2) Given the multitude of responsibilities of the CEO, information risk might be monitored and managed at too high a level of abstraction or might not be fully understood in its relevant details.

Chief financial officer (CFO)

[Pros]

(1) Information security issues can be addressed from a financial business impact point of view.
(2) Lower level of conflict of interest arising from budget allocation and initiative funding.

[Cons]

(1) Information risk may not be addressed due to financial initiatives and deadlines taking precedence over information security.
(2) There is a potential conflict of interest.

ERM

[Pros]

(*) Information risk is elevated to a position that can also look at risk from strategic, financial, operational, reputational and compliance perspectives.

[Cons]

(*) This role does not exist in most enterprises.

Chief Operations Officer (COO)

[Pros]

(1) Better alignment with business objectives.
(2) Greater recognition of information security at senior management level.

[Cons]

(*) Possible conflict of interest: information security and IT reporting to the same manager.

* The options above are reproduced from original content in COBIT 5 for Information Security.
** Some content above is quoted from the ISACA CISM Manual - 2012.
