In conversations with industry contacts this past week, I heard the same thing: in many companies, information security is being absorbed into various business units.
That is to say, there is a trend afoot where company leaders are looking to meld IT security objectives with business ones. The idea that security must be a business enabler isn’t new, but the thought that information security and its associated operations should be made integral parts of more traditional business divisions is.
Taking it a step further, such transformations are prompting some of these same companies to make CSOs or CISOs and their teams not part of the IT department any longer, but part of a risk management branch. And the CISO or CSO, currently a manager-type in most large enterprises, will evolve into an overall corporate guide of sorts, helping business departments build information security into corporate initiatives. Why this is happening is interesting.
One of my contacts notes that this shift may be driven by constraining budgets and resources as recession looms a bit closer. Decreases in funding for needed information security initiatives are requiring corporate CSOs to get a bit creative to see where streamlining information assurance practices can occur. But that doesn’t mean that there’s any less of an expectation from the board or lead execs for strong security — it just means security practitioners are tasked with saving money while making sure all regulatory mandates, customer demands and board expectations are met.
Some of my other contacts say it’s the natural evolution of information security: because stakeholders and customers are so concerned about companies being trusted partners in safeguarding private details, companies have no choice but to integrate information security best practice across the entire business, as well as continually educate staff and corporate leaders about how this is done effectively.
Whatever the reasons, with security operations being integrated further into the various business units of an organization, safeguarding critical data will become even more of a corporate-wide responsibility than it ever has been. Rather than being relegated to a single department under IT as its main duty, such transitions will bring the onus of protecting customer and other crucial information to the company as a whole. And though this swing in thinking is coming slowly and for only some businesses right now, it certainly is a welcome one.
Illena Armstrong is U.S. editor-in-chief, SC Magazine.