Who’s really in charge when it comes to security?

Last updated: 23 December 2015

In the latest of our series of blog posts looking at the results of our recent CIO research, we take a look at the thorny subject of who is ultimately responsible for information security within an organization.

Prevailing trends in technology suggest that keeping control of IT security is becoming an ever more difficult task for CIOs. With the vast majority of the workforce now likely to be IT literate (or at least to think they are), everyone from junior executives to Chief Execs will have their own views on which activities are and are not secure. Faced with this, are CIOs being forced to cede some responsibility for security to other individuals within the organization?

Our research found that the CIO remains more likely to oversee security than any other person within the business. 48 percent of respondents said the CIO was principally responsible for IT security in their company, with the CEO the next most influential, overseeing security in 20 percent of cases. It will come as little surprise to learn that large companies are the most likely to have security controlled by the CIO, whereas in smaller enterprises the CEO is more likely to take a hands-on role.

More startling were the differing attitudes between the nations polled. In France, for example, the CIO was in almost complete control, taking responsibility for security in 70 percent of companies. By contrast, in the Nordics just 24 percent of those surveyed said the CIO took responsibility within their organization and, perhaps more tellingly, more than one in five (22 percent) said they believed end users should be left in charge of their own security.

The Nordic nations have a reputation for progressive thinking, and have played a successful part in the tech boom of the last 20 years. Could their attitude towards controlling security therefore be a sign of things to come?

While there is little in the findings to suggest CIOs will lose their grip on the security function any time soon, results such as those from the Nordics do show that attitudes may be changing. CIOs no doubt want to encourage their end users to experiment and engage with technology, but they must also be aware that relinquishing control could bring serious consequences: an end user can decide that a tool or practice is safe for their own work without seeing the risk it creates for systems and data elsewhere in the business.

In my view, without a top-level view of the entire IT portfolio, end users lack the perspective to make decisions on what is and isn't safe, not only for themselves but for the entire organization. If you're a CIO dealing with this same quandary, then do let us know your thoughts below.

2 thoughts on "Who's really in charge when it comes to security?"

  1. Ray,

    As always, I enjoy your blog posts very much, and I fully agree with you on this statement.
    “In my view, without a top-level view of the entire IT portfolio, end users lack the perspective to make decisions on what is and isn’t safe, not only for themselves but for the entire organization.”

    I am curious, however, how you are defining "users". As you know, there are many levels of "users" in the enterprise (S, M, or L) from an OEM/OSM perspective, and I get the feeling that you may be referring to the general "users" outside of IT. That is, since most companies have Labs and Test Environments for development projects as well as migration and upgrade efforts, and then finally Production environments.

    The CEOs, CIOs, CTOs, CISOs may collaboratively be ultimately accountable for keeping their IT and IS secure, but the ones who really hold the keys to the castles are the application developers (the programmers) and the hardware engineers/designers, and of course the telecom providers.

    Without an engineering background in both hardware and software, CEOs lack the low-level, granular "technical know-how" required to understand where the attack surfaces could reside, whether native or introduced.

    Virginia Benedict
    Professional Social Media Community Manager (since 1992)
    Market Engineering Strategist (circa 1984)
    Systems & Network Security/Computer Forensics (circa 2000)
    Technologies Analyst (since 1989)

    914-923-2103 (by appt.)

    Member of Microsoft’s Technical Communities
    Powered by Office 365/SharePoint

    “Encouraging Innovation Through Though Process” © All WWRR

    1. Thanks for your comment, Virginia. That's an important point you raise, and one that differs quite widely depending on the size of the company (e.g. a CIO in an SMB might be more technically minded than one in a large enterprise), and our research surveyed a range of businesses.

      Ultimately, however, whether or not the end user has the technical, engineering and security knowledge, the more BYOD trends come into effect, the more they have to shoulder the responsibility for their own security. This doesn't mean having to complete an engineering degree, but it does mean ensuring they are compliant with appropriate security measures, which they can find out about from their IT or security department. The CIO (and other C-level executives) are responsible for making sure this responsibility is effectively communicated; otherwise the overall responsibility for security will come back to the Board regardless.
