Results of a recent survey by Financial Executives International (FEI) and Gartner, posted on CIO, state that CIOs and IT teams are falling short of CFO expectations. CFOs, who appear to be having a greater influence over IT, don’t have the confidence that their own IT organization can muster the flexibility to respond to changing business priorities.
As I read this article, I thought of how this sentiment also ties to the security of information assets. With all the breaches in the news lately, it stands to reason that doubts of IT security capabilities are coming into question as well. Today’s CIO and IT teams must be able to bridge information technology and business requirements to meet company business objectives, all while making sure security is not an impediment to growth.
We all know that new technology and the thought of building new systems usually puts a gleam of excitement in the eyes of IT folks. Unfortunately, information security is not the primary focus of these new technology implementations. Too many times, I’ve seen companies spend a lot of money on hardware and software without verifying the current state of information security and how it relates to the business environment or forward strategy. The end result is money spent in the wrong areas. In many cases, IT can actually hamper business growth by focusing only on technology. I can understand why CFOs lose confidence. IT must consider how information security plays into business objectives to create a competitive advantage over other businesses.
Because most structural IT purchases must now tightly integrate with information security, it is critical that IT not perform in a vacuum. As head of an information security consulting company, I have for years advocated that information security should not be the sole responsibility of your IT organization; after all, ‘it takes a village.’ While I hate this phrase, it’s true in this case. An effective and successful information security program requires the involvement of the entire organization: everyone on the same page and moving in the same direction to deliver on the business objectives of the company.
To this point, NCX strongly recommends the formation of an Information Security Steering Committee (ISSC). This committee not only provides leadership in protecting information assets and technology, it also prioritizes the development of security initiatives and provides guidance on IT infrastructure and investments that affect the confidentiality, integrity and availability of critical information. The committee should include someone from executive leadership (CEO, CFO, COO), HR, IT and legal. No more than you can feed with a large pizza.
Establishing such a body will give CFOs and upper management the confidence that their company’s critical information assets, desired growth path, and business priorities are being considered to achieve success.
Let me know what you think.
Posted by Mike Fitzpatrick, CEO, NCX Group