Archive for August 2009

Should CISOs own operations, or just policy?

August 20, 2009

Things have been quiet on the blog; August is a quiet month at IREC, like most other places! Here's a quick thought, just in time to avoid a full month of no posts.

Information risk groups typically have grown out of the IT security operations function within IT infrastructure operations. Looking at it this way, you might expect that as the Information Risk function matures and leaves behind its roots, it is more likely to become a “Policy Only” function and leave the actual operational duties to IT infrastructure.

This does not seem to be the case; in fact, it's the opposite. We have surveyed our membership at least once a year for the past four years about whether they are "Policy Only" or "Policy and Operations" (very few are "Operations Only"). The trend is clear: fewer and fewer are "Policy Only" (N>50 for each year):

[Figure: Policy shop trend]

While we have not directly set out to determine why this is, we did have a very interesting result from a recent measurement of control maturity. The Information Risk groups that do have ownership of operations have a statistically significantly higher level of control maturity:

[Figure: Policy shop maturity]

This is correlation, not causation, but it is useful food for thought. We’d love to get some reactions to why one set of responsibilities is better than the other.