Who’s really in charge when it comes to security?

Last updated: 23 December 2015

In the latest of our series of blog posts looking at the results of our recent CIO research, we take a look at the thorny subject of who is ultimately responsible for information security within an organization.

Prevailing trends in technology would suggest that maintaining control of IT security is becoming an ever more difficult task for CIOs. With the vast majority of the workforce now likely to be IT literate (or at least think they are), everyone from junior executives to Chief Execs will have their own views on what activities are and are not secure. Faced with this, are CIOs being forced to cede some responsibility for security to other individuals within the organization?

Our research found the CIO remains more likely to oversee security than any other person within the business. 48 percent said they were principally responsible for IT security in their company, with the CEO being the next most influential, overseeing security in 20 percent of cases. It will come as little surprise to learn large companies are most likely to have security controlled by the CIO, whereas in smaller enterprises the CEO is more likely to take a hands-on role.

More startling were the differing attitudes among the nations polled. In France, for example, the CIO was in almost complete control, taking responsibility for security in 70 percent of companies. By contrast, in the Nordics just 24 percent of those surveyed said the CIO took responsibility within their organization and, perhaps more tellingly, more than one in five (22 percent) said they believed end users should be left in charge of their own security.

The Nordic nations are famously progressive in their thinking, and have also played a successful role in the tech boom of the last 20 years. Could their attitude towards controlling security therefore be a sign of things to come?

While there is little in the findings to suggest CIOs will lose their grip on the security function any time soon, results such as those from the Nordics do show attitudes may be changing. CIOs no doubt want to encourage their end users to experiment and engage with technology, but they must also be aware that relinquishing control could bring serious consequences.

In my view, without a top-level view of the entire IT portfolio, end users lack the perspective to make decisions on what is and isn’t safe, not only for themselves but for the entire organization. If you’re a CIO dealing with this very same quandary then do let us know your thoughts below.