TAC The Advisory Council Expertise-as-a-Service Has Arrived
Home Services & Products Events & Workshops Results Our Experts About Us FAQ Contact TAC News

Question:What organizational structure would be most effective for information-security governance?

Our advice: Information-security experts are a long way from establishing best practices in organizing security: Chief security officers variously advocate security reporting to facilities, operations, legal, IT, and even human resources.

Ultimately (and legally) the board of directors is responsible for protecting the company's assets, but someone has to keep the board informed about the risks the company is facing from security threats. This should be the job of a chief security officer. Unfortunately, they are rare and almost always too low on the organizational chart to effectively interact with the board, and reporting structures often blunt and filter (even suppress) those messages before they reach the board.

So right away the organizational-structure issue comes down to which C-level executive your top security person reports to. There seems to be no dominant rule for companies placing the head of security (physical and/or information) above the chief information officer, reporting to the CIO, or several levels below the CIO. Corporate culture appears to be the biggest factor, but also industry type. Consider the following structures and their consequences:

Information security reports to the CIO. CIOs want to be seen as value-adders, focused on productivity and profits, and cannot afford to be branded as "inhibitors." This mind-set can cause CIOs to delay reporting potential security problems upward.

Information security reports to the chief operating officer. Chief operating officers are concerned about delivering products and services, resolving customer issues, and increasing sales. Instead of protecting the company's larger goals, the focus is too often on finding solutions for customer complaints, continuously monitoring satisfaction, and fighting for market share.

Information security reports to the CFO. CFOs all too frequently act as if the best way to grow profits is to cut costs. When they oversee a security organization, they evaluate security budgetary issues by scrutinizing every capital expenditure or head-count increase.

Industry and organizational size have an influence. Retail and pharmaceutical industries are most content with security chiefs under the direction of the CIO, while some other industries are migrating to a corporate (i.e., outside of IT) security-management structure. In midsize to large organizations where the emphasis is on technical measures mitigating technical threats, the CIO is usually the security boss.

An effective security organization hinges on collaboration among the CFO, auditors, legal staff, business-unit managers, corporate and physical security teams, IT senior managers, midlevel administrators, and the entire range of corporate stakeholders, whose awareness of and participation in a security program is essential. For information security, this means a structure where the security head's reporting relationship is an enabler, not a deterrent, to integrating the activities of primarily the IT, operations, and corporate auditing groups. It's the opposite of the fragmented security management norm at many companies today. Until top management recognizes security as a critical function with strategic impact, security of all sorts will continue to get shuffled around and fail to obtain adequate resources.

Security is rapidly evolving into a critical shared service within many organizations, with the head of corporate security increasingly taking on responsibilities for information security. Within five years most organizations will have a risk-management function that (1) is not within IT and (2) will include a number of things currently on CIOs' plates, such as business continuity, and a security program-management office, as well as non-IT risk functions such as fraud and physical security. The path to this governance structure is being blazed by companies that are taking a coordinated approach to physical security, information security, and risk management because they believe bottom-line improvements come most easily when security is treated as a business process.

-- David Foote


  • What does a CIO have to do to establish a leadership-development program for the IT organization?


  • How do I develop a information-technology plan when the company itself doesn't have a strategic plan?


  • What are the most productive tasks an IT leader can focus on?


  • After three years of downsizing and cost cutting, how do I motivate my management team and build a high-performance organization?


  • As the economy turns around, what IT skills will be most in demand this year?


  • How should we manage change in our IT infrastructure to minimize risk?


  • Several weeks ago, you wrote about when a project-management office makes business sense. What is the appropriate design for a PMO?


  • The economy seems to be picking up. Looking ahead, how do I retain good IT people in the face of an improving IT market while my budget remains under pressure?


  • What IT skills will be most in demand this year?


  • How do I objectively evaluate the readiness of my organization to support emerging business requirements?


  • What cultural and people factors are important to consider when building IT capabilities to support manufacturing factory and retail operations in China?


  • How could the Project Management Institute help us effectively manage real-life IT projects to ensure success?


  • How do we make our communications proactive, rather than only getting to them when there's a crisis?


  • What are the critical success factors to achieve and maintain strategic alignment?


  • How can we develop an enterprise architecture across disparate business units?


  • How can I develop a long-term information-technology plan when my company doesn't have a strategic plan?


  • What attributes and features should we consider when selecting IT asset-management software?


  • As an overworked IT manager, what can I do to reduce my workload while maintaining high availability and good security?


  • We're under management pressure to outsource application development and to cut staff, but I'd rather get more value from our existing staff, who know our business. How can I broaden their skills?


  • As business picks up, what should I do to rebuild my organization, tactical plan, and internal-management processes?


  • We have a strong team that I'd like to make stronger. How do I instill more leadership qualities and skills into my team?


  • What organizational structure would be most effective for information-security governance?


  • How can we achieve effective process ownership within our IT organization?


  • What organizational, people, and process issues should we consider when setting up a telecommuting program?


  • We've cut staff so much in the last four years that I'm wondering if I can afford (from a work perspective) to take vacation this summer. What can I do to reduce the chance of something unraveling catastrophically while I'm away?


  • A few weeks ago, writing about creating a vision statement, you said "seek expert facilitation to reach a vision supported by all." Where can we get this expertise?


  • We know that we could save money by consolidating servers currently scattered across business units. How should we address the political issues around getting the business units to give up their servers?


  • What level of IT spending is appropriate for a midsize to large financial organization?


  • How should we assess our IT organizational structure and processes?


  • How can we retain good IT people in the face of an improving IT job market?


  • How should we determine the appropriate network-support staffing level for a 10,000-node network?


  • What strategies are most successful in a "political" organization?


  • How can one reduce behaviors that are wasteful of IT resources?


  • How can we raise the IT knowledge of non-IT employees?


  • I'd like to establish a management mentoring program within my organization. How should I start?


  • How should we deal with the cultural and skill-set changes needed when moving from mainframe-based applications to client/server and Web-based applications?


  • We're considering setting up our own IT-abuse investigations group. What issues should we consider in making this decision?


  • How should we assess and set priorities for our IT project portfolio?


  • What features should we consider when selecting portfolio-management dashboard software?


  • How do we minimize the negative impact of project cancellations on IT staff morale?


  • After three years in my current CIO position, I still find myself out of the loop when it comes to strategic business decisions. What can I do about this?


  • Many large companies have a project management office responsible for portfolio and program management. When does a PMO make business sense?


  • After the extended economic downturn, we need to create a new vision for the organization. How do we do that?


  • What technical and security issues should we consider when setting up a telecommuting program?


  • How do we change IT from reactive to proactive in a change-resistant corporate culture?


  • How can the CIO shift the IT organization's mindset from service delivery to value creation?


  • What criteria should be included in the due-diligence assessment of IT at an acquisition candidate?


  • How do I establish my credibility with the CEO, chief operating officer, and CFO?


  • How do I motivate my technical staff to cooperate with staff from our offshore outsourcing vendor?




    • ©2002-2010 The Advisory Council Inc. All rights reserved. Privacy Policy & Guidelines | Terms & Conditions