Communiquez avec les autres et partagez vos connaissances professionnelles

Inscrivez-vous ou connectez-vous pour rejoindre votre communauté professionnelle.

Suivre

Why Information Security is not reporting to Head of IT?

user-image
Question ajoutée par Syed Muhammad Azhar , Head of IT Security Risk Management , Faysal Bank Ltd
Date de publication: 2013/06/12
Hussein Bahgat
par Hussein Bahgat , Information Security manager , Standard Chartered Bank –

IT focus on the performance and excellence of operations (also COO levels) in esense Information security handles the risk resulting from this performance (and security) accordingly the pressure of performance and delivery in IT operations will create a tidal wave against security concerns and who manages it (ISO or CISO) , and this exactly what is meant by segregation of duties in information security, The horse runs but needs a good knight to keep it from hitting the wall ! my regards and respect still for all CIOs & COOs whom can handle this stressful conflict of interest !

Mughis Tahir
par Mughis Tahir , ISP Business Systems – SAP , City of Bradford Metropolitan District Council

Simple - Conflict of Interest, you cannot judge your own performance.

Utilisateur supprimé
par Utilisateur supprimé

IT Security is about securing the technology. Information Security is about securing all information that is important for the business/organisation. 

Different companies or organisations have different perspectives and importance for security (be it Info Sec or IT Security) and the team alignment is set accordingly. The reporting of the security team has its influence on the security focus/posture itself most of the time.

The best practice is always to have an independent function (may not be as independent as an Audit team) and the team be empowered to have its own directives from risk management.

The CEO most of the time is the owner of the risk management in a company - (first delegation of financial risk management goes to the CFO)

Pradipna Gautam
par Pradipna Gautam , Security and Compliance Manager , Verisk Information Technologies

There would be lots of answers for that but the bottom line is that Information Security has to audit lots of IT work and it does not make sense reporting to the department you have to audit.

Saud Al-Malki
par Saud Al-Malki , Senior Officer , Bank Al-Bilad

We are audit of IT and we are who the writing the policy for IT

Nader Hasawi
par Nader Hasawi , CIO Chief Information Officer , Siemens

InfoSec is not an auditing function.
It reports to CFO, in many organizations, in order to give it its required priority and attention.
If it reports to the IT head then it's in the same pool as other vertical IT topics.
InfoSec is a horizontal IT function.
It's not more important than any other function in IT but it has higher priority.
However, the InfoSec officer is always someone in the IT organization so his/her disciplinary manager is the IT head, but they report functionally to the CFO in InfoSec topics.

Utilisateur supprimé
par Utilisateur supprimé

The answer to it is there would be a conflict of interest and violates segregation of duties.As an IT personnel you will be discharging the duties of custodion of an IT assest on behalf of the the IT/Information owner.Information security personnel will be acting on behalf of owner to provide assurance that the assest or information is rightly used and protected as accpected by owner .As IT is the custodion and information security will act an independent assurance function to the owner.Hence Info sec will not report to an IT head as it would need to provide independent assurance to the owner that IT is functioning as accpected by the owner of IT/information

Muraleedharan Karumathil
par Muraleedharan Karumathil , Operation Manager , SBM NAUVATA SBM Nauvata Indi

As rightly pointed out by Hussein Bhagat, information security is not restricted to IT security.
It spans across various domains like physical, IT, people, media, information exchange etc..
Scope of information security is much larger than IT security..

Syed Muhammad Azhar
par Syed Muhammad Azhar , Head of IT Security Risk Management , Faysal Bank Ltd

IT security plays role of Implementation of security whereas IS audit is a different domain.

Hesham Youssef
par Hesham Youssef , Information Security Governance Unit Head , Confidential

I see good points related to conflict of interest and segregation of duties, but also I see that most of comments speaks about information security as IT security, information security has much more into it than just IT, information security is a horizontal function that integrate with IT, HR, facilities, legal and all business functions with an aim on protecting confidentiality, integrity and availability of information assets

Sameer Paradia
par Sameer Paradia , Associate Partner , IBM

Because maker and checker they are two different distinct roles. IT head is maker of information and Information security is checker of information generated. Hence it is not advisable to have Information security role to report into It head. 

More Questions Like This