02 Jan When “Security is Everyone’s Job,” it is no one’s
Fragmented, improvisational, “shoot from the hip” security management is the norm in IT organizations. Security managers and their departments perform tasks with little or no guidance, other than an all-consuming desire to prepare for (and defeat) the next technical security threat, malware or hacker.
However, the time of “jungle rules” security management is past and there is an opportunity to take back control of internal security programs. Companies that run security programs with the cost-efficiency and quality conscientiousness of a regular business unit achieve greater benefits for the organization as a whole, and reduce costs relative to performance.
Very often the disorganized and ineffective nature of security organizations is not the fault of security staff. Rather, the blame lies in a company- or agency-wide misperception that security is a problem to be solved by IT. The key to a good security program is empowered management, effectively focused staff, coherent and realistic budgets, and practical metrics with which to measure success and improvement.
Quest for Utopia
Most security managers will confess that their internal security program is lacking; many will blame the CIO; others, the business unit managers; and still others whoever is holding the tight purse strings. The optimal environment, they will say, is one that is empowered by senior management, well-funded, appropriately staffed and trained and assisted by the best external consultants and advisers. In other words, a utopia.
Achieving this ideal balance is no mean feat. Ultimately, the success of a security organization will be a collaboration of all interested parties: the CFO and auditors, legal staff, business unit managers, corporate and physical security teams, IT senior managers and midlevel administrators—not to mention the employees (corporate citizens) whose awareness of, and participation in, a security program is essential.