Should CISOs own operations, or just policy?
Things have been quiet on the blog–August is a quiet month at IREC like most other places! Here’s a quick thought just in time to avoid a full month of no posts.
Information risk groups typically have grown out of the IT security operations function within IT infrastructure operations. Looking at it this way, you might expect that as the Information Risk function matures and leaves behind its roots, it is more likely to become a “Policy Only” function and leave the actual operational duties to IT infrastructure.
This does not seem to be the case; in fact, it is the opposite. We have surveyed our membership at least once a year for the past four years about whether they are “Policy Only” or “Policy and Operations” (very few are “Operations Only”). The trend is clear–fewer and fewer are “Policy Only” (N>50 for each year):
While we have not directly set out to determine why this is, we did have a very interesting result from a recent measurement of control maturity. The Information Risk groups that do have ownership of operations have a statistically significant higher level of control maturity:
This is correlation, not causation, but it is useful food for thought. We’d love to get some reactions to why one set of responsibilities is better than the other.