How important is IT security to an organization?
These days, with a data breach seemingly reported every day, the answer is obvious. Yet the reporting chain can get muddled – which also muddles the message to the rest of the staff as well as the public.
The issue is raised because of the appointment of a new chief information and security officer at discount retailer Target, who will report to the chief information officer and not the CEO.
The chain of command is a sticky business in organizations, particularly with IT. For years there have been complaints that the top IT person doesn’t have a seat with other C-level executives. Instead many IT managers report to the chief financial officer if a CIO position isn’t set.
The CSO spot adds another difficult dimention – does this person compliment or battle with the CIO?
As outlined in Computerworld U.S., a number of experts think IT security doesn’t get enough of a profile if the CSO isn’t equal to the CIO – especially in today’s threat environment.
There’s no easy answer to this: On the one hand, senior management should be acutely concerned about IT security these days. On the other, as one expert quoted in the article says, if the CIO is sensitive about security issues then it shouldn’t matter if the CSO reports to that office.
It isn’t easy for a response to be “each case is different.” However, organizations shouldn’t have to learn the hard way if the chain of command isn’t strong enough.