Almost all of our clients, regardless of industry, have questions about the role of security in the organization. Although size plays an important part in determining the composition of a security team, there are three primary models of security organization that we frequently see. They are:
- Reactive security – This is usually seen in a company that has grown quickly and must now demonstrate to customers or regulators that it has sound security processes in place. This is the hardest type of organization to build security into, because staff already have established roles, and security is seen as something that will impede productivity and hurt the bottom line.
- Assignment of security – This is common. Security is assigned to someone as one part of their existing job, often a person in IT or compliance. In most cases this approach merely creates a new weakness, because the person assigned the role is usually under-qualified for it and has other responsibilities competing for their time.
- Dedicated roles – One or more people have been designated as being responsible for security as their primary responsibility, usually with the title of Chief Information Security Officer (CISO) or Information Security Officer (ISO). They work closely with IT and management, and they have the responsibility for building an information security program and making sure it is enforced.
More and more security frameworks and regulations require a dedicated security officer, for two main reasons. First, most people, especially Information Technology staff, are primarily concerned with keeping things operational; security comes second to getting a system running and avoiding loss of service or revenue. Second, a dedicated security professional can cover the full scope of the program, reviewing not only IT security but also physical security, third-party security, and incident response.
In our current threat environment, security must have a voice at the executive table. As the many threats to Information Security continue to evolve, having a dedicated resource is essential. To learn more about how Ezentria can assist your organization with our virtual Chief Information Security Officer (vCISO) services or other Information Security needs, contact us today.