Slicing up the IT security pie

Much of the discourse around enterprise IT security has centered on tools and best practices. But the vital question of who ultimately has ownership of what aspect of security is often left unanswered.

In many enterprises, says one expert, there is confusion and misunderstanding about the “security” responsibilities of two key stakeholders: the CIO and the CSO (Chief Security Officer). Perceptions and approaches to security often vary significantly between these two executives and their teams, according to Syd Hancock, who coordinates the IS security program at Algonquin College in Ottawa.

According to Hancock, the conflict between the two sides has been growing steadily as the two positions have matured. It arose because in the past the CSO was never comfortable with technical security issues and tended to leave them with the CIO. Now the trend is to ensure the CSO is well trained in technical security issues. CIOs, he said, see security as one of many things they need to take care of, and that makes CSOs a little nervous.

According to Hancock, while both executives want a piece of the security pie, it is the CEO who is the final arbiter. It is the CEO’s responsibility, he said, to set rules for IT security such as compliance with legislation, improving client and public confidence, and demonstrating due diligence in managing resources. The CEO should get the CIO and CSO to sit together and divvy up that pie based on those rules. Failure to do so, he said, could have unfortunate consequences.

He suggests the CIO should be responsible for such things as technical security standards and procedures as well as security software and hardware. CSO responsibilities, he said, should be in the areas of physical and personnel security, information security, security threat assessments and security investigations. Responsibility for grey areas like security policy, security audit and certification of systems can be re-delegated at any time if certain functions are not working for either the CIO or the CSO.
