Why Have a Dedicated Information Security Officer?

2 min read
February 7, 2018 at 10:00 AM


In my travels over the last few years performing audits and security assessments in a variety of industries, almost all of the organizations I have worked with have questions about the role of security in the organization. Although an organization's size plays an obvious role in determining the size and scope of its security team, there are three layouts that we see over and over again. They are:

  • Security after the fact – This is usually caused by a company that has grown quickly and needs to prove they have good security processes in place for customers or by regulation. This is the hardest type of organization to add security into, because all staff have established roles, and security is seen as something that will slow down workflow and have a negative effect on the bottom line because it costs both time and money to implement.
  • Shared security – This is the most common example we see out there. In this scenario, security is usually assigned to someone as part of their job, and it often resides in IT or compliance because of the skill sets of those positions. Security is understood as important, but there is either a lack of resources to make it a full-time position, or management feels that it doesn’t warrant dedicated time.
  • CISO and/or ISO dedicated roles – One or more people have been designated as being responsible for security as their primary responsibility. They work closely with IT and management, and they have the responsibility for building an information security program as well as making sure it is enforced.


More and more security frameworks and regulations require a dedicated security officer, and it is considered a best practice in all but the smallest of organizations. Although you could read a plethora of security controls to figure out why, there are some common-sense reasons that you can use to justify the position. The first is that most people, especially Information Technology staff, are concerned with keeping things running and operational. Security will always be a secondary concern next to getting a system up and running to prevent the loss of service or revenue. In addition, a dedicated security professional can review not only IT security, but other important areas such as physical security (alarms, building access, etc.), vendor security (what vendors are doing with your data), and incident response (what to do in the event of a security breach or ongoing threats).

In this day and age, security should have a seat at the executive level table, just as much as compliance and IT. As the threats to Information Security continue to evolve, having a dedicated resource is essential. To learn more about how Compass can assist your organization with your Information Security and Compliance needs, contact us today!
