I'm continuing to cite the Fifth Annual Global State of Information Security:
Speaking of striking back, the 2007 security survey shows a remarkable (some might say troubling) trend.
The IT department wants to control security again.
In the first year of collaboration on this survey, CIO, CSO and PWC noted that the more confident a company was in its security, the less likely that company's security group reported to IT. Those companies also spent more on security.
The reason CIO and CSO have always advocated for the separation of IT and security is the classic fox-in-the-henhouse problem. To wit, if the CIO controls both a major project dedicated to the innovative use of IT and the security of that project — which might slow down the project and add to its cost — he's got a serious conflict of interest. In the 2003 survey, one CISO said that conflict "is just too much to overcome. Having the CISO report to IT, it's a death blow."
Ouch. CIO continues:
What's going on here? Johnson has one theory: "Security seems to be following a trajectory similar to the quality movement 20 or 30 years ago, only with security it's happening much faster. During the quality movement, everyone created VPs of quality. They got CEO reporting status. But then in 10 years the position was gone or it was buried."
In the case of the quality movement, Johnson says, that may have been partly because quality became ingrained, a corporate value, and it didn't need a separate executive. But the evidence in the survey suggests that security is neither ingrained nor valued. It's not even clear companies know where to put security, which would explain the "gobs of dotted line" reporting structures.
That brings us to another theory: organizational politics. What if separating security from IT were creating checks on software development (not a bad thing, from a security standpoint)? What if all this security awareness the survey has indicated actually exposed the typical IT department's insecure practices?
One way for IT to respond would be to attempt to defang security. Keep its enemy close. Pull the function back to where it can be better controlled.
Interesting. The article finishes with these thoughts:
[M]aybe security was never as separate as it seemed. Companies created CISO-type positions but never gave them authority. "I continually see security people put in the position of fall guy," says Woerner of TD Ameritrade. "Maybe some of that separation was, subconsciously, creating a group to take the hit."
This leads me to the title of my post. What if security staff is the ultimate insurance -- for the CIO? In other words, what if the CIO performs "security theater," creating a CISO position and staff, but doesn't give the CISO the authority or resources to properly defend the enterprise? If no breaches (seem) to occur, then the CIO looks like a hero for keeping security spending low. If a breach does occur (and is discovered), the CIO blames the CISO. The CISO is fired and the CIO keeps his/her job -- at least for now. I don't see a CIO executing this strategy more than once successfully.
What do you think?