Who is principally responsible for managing IT security in companies? – Question from Martin McKeay at Network Security Blog

Last updated: 21 March 2014

Those with long memories may recall our call-out a few months ago asking for readers’ questions on global CIOs’ attitudes towards security. We wanted to find out the burning security issues affecting CIOs today, and we received a lot of interesting responses from readers and influencers who had their own questions to put to the world’s IT leaders.

I’m pleased to say that we’ve now completed our research, and we will be sharing the results with you through the blog over the coming weeks. There are a lot of interesting findings to get through, and we’ll soon be publishing a downloadable whitepaper summarizing what we’ve discovered.

Until then, however, we thought we should answer a couple of the questions posed to us before we began the fieldwork. The first of these comes from influencer Martin McKeay from Network Security Blog. In this post we are focusing on the issue of responsibility when it comes to IT security in companies.

All CEOs, financial directors and leading figures out there can breathe a sigh of relief. Our research with Vanson Bourne across 500 CIOs in the UK, US, France, Germany and the Scandinavian regions showed that almost half (48%) considered CIOs to be principally responsible for IT security in most companies. (CEOs take note, however: 20% of global CIOs thought the CEO was ultimately responsible, especially in smaller companies – better brush up on your CISSP training.)

Given that the CIO is, in theory, the most knowledgeable on the IT security measures in place for a company, you would expect the responsibility for the management of IT security to reside with him or her. This explains why almost half, 47%, thought that the CIO should be responsible for the security function, even if they currently aren’t.

Now, let’s take into account the newer working practices and business models coming into play. From virtual offices and remote access to sensitive information, to the Bring Your Own Device (BYOD) trend entering the workplace, the CIO increasingly has to contend with ever more complex security measures, which means their area of responsibility expands accordingly.

Looking across geographies, some countries have already recognized this. For instance, according to our research, more than one in five CIOs in the Nordic region believe that end users should be left in charge of their own security. In that model it is up to the individual to ensure security measures are enforced when accessing the IT network or using IT systems for work matters. While I understand that there is a higher level of technical acumen way up North, this still baffles me personally. It goes hand in hand with the result showing that the CIO’s influence is lowest in the Nordics (24%), compared with France, where the CIO’s influence is highest at 70%.

(This also helps explain some of the cultural reasons behind Nordic empowerment or Nordic Openness but could also form an entire research project in itself.)

So, there is a key trend here that we (and CIOs globally) cannot ignore: the rise of complex IT working practices, ubiquitous technology use across all markets, and the need for security measures that the individual can also embrace. Convenience and security must go together. Passwords alone cannot provide enough security, which CIOs should know but need to evangelize; strong authentication is better; and all IT security measures need to be scalable so that they evolve with these new technologies and trends. Only then can CIOs protect themselves from the consequences they will face should their responsibility fail.