Who Manages Information Security?


Does it matter who manages the information security function in your organization?

Apparently it does!

Benchmark results from 2008 through 2009 show the following:

Organizations experiencing the worst outcomes
Impacting 2 out of every 10 organizations, the dominant profile of organizations experiencing the worst outcomes (most loss or theft of customer data, most downtime from IT failures, largest problems with IT audit findings) has either a systems or network administrator or a manager or director in IT operations in charge of information security.

Those experiencing normal industry outcomes
Affecting 7 out of every 10 organizations, those with normal industry profiles (for data loss or theft, business downtime from IT failures and regulatory audit snafus in IT) manage the information security function through the senior leader of IT operations or a chief security officer (CSO).

Organizations with the best outcomes
Those with the least loss or theft of customer data, the lowest rates of business downtime from IT failures and the fewest problems with IT audit are managing information security through a senior manager of IT assurance or a chief information security officer (CISO).

While there are always exceptions, the findings so evidently link outcomes with organizational structure that it may pay to look at the impact management structure is having on how well you are able to protect customer data, how productively IT assets are being managed and how costly it is to demonstrate audit compliance with few problems to fix.

Find out more in the latest research report, Best Practices for Managing Information Security, at: www.itpolicycompliance.com.

We’re interested in hearing from you: do you have a unique management structure that is working, or not working?


As always, you can find out more from one of our charter members: www.itgi.org, www.isaca.org, www.theiia.org, www.gocsi.com, www.protiviti.com, www.symantec.com


3 Responses to “Who Manages Information Security?”

  1. Teshome Beyene Says:

    I just want to know what elements there are to consider in IT security. What are the principles and what are the areas to watch for.

    Teshome Beyene
    Secretary General
    Addis Ababa Chamber of Commerce

  2. Teshome Beyene Says:

    I just want to know some more about IT security. Please help. What are the principles and what are the alerts.

  3. Ross Richards Says:

    I found your survey extremely interesting. However, there is one further piece of information I would find very valuable. When asking whether organisations had a CISO, did you define your understanding of the role and mandate of a CISO? The reason I ask is that the CISOs in different organisations have hugely different roles. (Ranging from what I would describe as “head of IT Operational Security” to something like “head of management of all risks related to information”).

