This entry was posted on Tuesday, September 11th, 2012 at 13:24 and is filed under Main.
Companies that start implementing an information security program, or specifically ISO 27001, very soon realize that they cannot do it without a person who coordinates and manages such activities. But then they face the following dilemmas: To whom should this person report? In which department should this person work? How can conflict of interest be avoided?
Avoiding conflict of interest
One of the most important things in information security is to avoid conflict of interest, that is, to separate operations from control and audit. Therefore, the same person cannot be both CISO and internal auditor. Similarly, the information security manager should not work in the IT department. In smaller organizations this separation is very difficult to achieve, so it is usually tolerated; in larger organizations, however, such a conflict of interest is not allowed, and some industries are heavily regulated in this respect.
Options for placing CISO in an organization
It doesn’t really matter if you call this person Chief Information Security Officer, information security manager, information security coordinator, or something similar – basically, there are three options for placing such a person within an organization:
a) A separate function directly responsible to the CEO – this is the best option, but at the same time the most expensive. It means you have a person who is dedicated full-time to information security, a professional with lots of experience in this field. This is usually the case in larger companies.
b) A position within a department with no conflict of interest – this situation is very often seen in companies like financial institutions, where the information security manager is placed within the Operational Risk department. This means you have a person who is dedicated full-time or part-time to information security and is part of a team dedicated to risk mitigation. Since this person doesn’t report directly to the CEO, you don’t need a top professional for such a position.
c) Information security as an additional role – this situation is typical of smaller companies – for example, the IT manager is at the same time the information security coordinator. As mentioned before, it is very difficult to avoid conflict of interest in such organizations, but this is certainly the cheapest solution and often the only feasible one for smaller organizations that are starting an ISO 27001 implementation.
As the company develops its information security management system, the position and responsibilities of the Chief Information Security Officer will certainly have to change. But much more important than the formal position of this person is enabling him or her to be in constant contact with both the business and IT sides of the organization, and to have enough authority to implement the necessary changes.