« Aligning Your Awareness Program With Business Goals | Main | Defining the Value of Security During the Current Economic Downturn »

July 31, 2008


Dr Walt Foultz

I would hope this conversation has been conducted in many such enlightened organizations over the recent months. It is now obvious to every family member in every household in the US that security is a bigger concern today than at any time in our history. The impact of inadequate security is becoming more noticeable and problematic with each passing day and with every new publicized security breach.
Who the top security official should report to, will probably never be cut in stone as it could vary depending on the business or type organization being protected. I would recommend a few things to consider when making this determination however. They are:
1. How serious are you about security? Not the political words you are required to say, but are you willing to give this person and function real authority? If not, it really doesn’t matter what the reporting structure is.

2. Who in the organization has the most to lose if security fails big time? They are probably the person security should report to.

3. If you ever ask yourself what return on investment you can expect by having good security, then you are not ready to have good security. Good security may well bring in more business and keep the business you have, but a return on investment should never be the primary goal.

4. Security, especially good security is expensive. In this field you get what you pay for.

5. Lastly, I think universities offering MBA programs should alter their curricula to include a required course on security in the business environment overall, but especially information security. If we are to expect businesses to be run more effectively by MBAs, then they should be academically informed of this increasingly important business function.

The comments to this entry are closed.