Page 23 - CISSO_Prep_ Guide
team and reporting directly to a senior manager. This reporting structure is critical to ensure that security has an enterprise-wide mandate and is not seen merely as a small, ineffective part of one business unit.

There is no perfect answer to the "who should security report to" dilemma. In many organizations, IT security reports to IT (perhaps to a Chief Information Officer (CIO)). Reporting to IT can seriously hinder the effectiveness and ability of the security department to enable change or to force IT systems to comply with best security practices. This is because the IT department is primarily mandated to provide IT services, and IT security is seen as a hindrance to the business. If the organization has to decide between capacity and safety in cases where there is not enough time or budget for both, then security is frequently the loser.

Other approaches to the reporting structure for security have been to have security report to Human Resources, Finance, Operations, or the position of Chief Information Security Officer (CISO).

Regardless of who or where the security department reports to, the role of the security department manager must be to learn how to be as effective as possible in building a security program and establishing a culture of security within the organization. Being in an awkward position is not an excuse for not working hard to develop a security program that gains the respect of the other parts of the organization!

The security manager must build a team that has the skills, enthusiasm, and commitment to the function and purpose of security. Since security is a vast area, it is nearly impossible to find one person with all the skills needed to support all the tasks