Once an organization has implemented its security controls, this question comes up: Who owns the security functions? Should it be IT, the audit team, individual business units, or perhaps a committee or security team made up of representatives from different departments?
In most organizations, particularly smaller ones, ownership of the security functions is assigned to IT. There is some justification for this: IT performs much of the network security work, provisions the users of the various business systems, and runs the reports for the executive leadership team.
Back in the eighties and nineties, security audit results were viewed strictly as an IT responsibility. When there was an audit of the data center, the results of that audit were presented to the CIO and his or her organization, not to the business users, not to the COO, not to the CFO. This reasoning was flawed, because ultimately the different business units are the ones who are using the applications that are run in the data center.
These departments have just as much at stake regarding security controls on their applications as does IT. So, today, security needs to be owned by and have the commitment of the company’s executive team.
In fact, the Public Company Accounting Oversight Board (PCAOB) in the US has recommended that the boards and executives of publicly traded companies should “actively oversee governance, control, and enterprise risk management programs with cybersecurity built in.” Boards typically are not made up entirely of IT people. But if security should be discussed by a company’s Board of Directors, it should be discussed by the company’s executive team as well. The executives should understand that they are all owners of security.
This does not mean that what IT does is any less important than it was in the past. Operationally, it is still the biggest component of security. But the CFO, the CIO, the COO, the CEO, and the CISO all need to be involved as well.
Watch the interview below with Frank Vukovits as he shares these and other insights into what auditors are concerned about, then visit the Global Risk Community website for other interviews with professionals in the GRC community.
If you enjoyed this interview, watch the previous interview of Aidan Parisian, Vice President of Customer Strategy at Fastpath, by Boris on how Covid-19 has impacted businesses, and security and risk management in particular.