Does a team need a captain? Does a plane need a pilot? Well, okay, maybe the second one is a bit extreme, but does an organisation really need a chief information security officer (CISO) or chief information officer (CIO)?
Several recent articles have discussed the topic in detail since it was uncovered that LinkedIn does not have a specific job title associated with information security.
My initial thought was generally the same as many others, with a "well, what do they expect?" style response to its recent password leak incident.
If you don't have someone in the organisation that is visibly accountable for security, are you surprised that a major security incident occurred? I think there are several parts to this argument, and obviously on face value that response is the most basic.
Under the security umbrella
Many of the standards in place for information security – ISO 27001, NIST, COBIT – generally refer to having a fully documented information security policy, with a senior position created to oversee and manage that policy.
Now, in my eyes, that person does not necessarily have to have the job title of CISO, or anything else as dramatic or authoritarian. They do, however, have to be in a position where they have full visibility of the affect of those policies and controls and have sufficient voice within the company to air concerns and provide feedback regarding overall company security.
Many smaller organisations cannot justify the creation of an information security team, or indeed a single post dedicated to its management. That does not mean, however, that information security is neglected.
Having a single person/team accountable for information security will go a long way to providing an adequate level of direction during the management and control of infosecurity policies
Simon Moffatt, information security consultant
Many smaller organisations, especially those with no external compliance requirement, will often use a general operational or financial team to house the main information security blue print which can cover the technical as well as physical and personnel-related security.
In many ways this works quite successfully, with the non-technical requirements given equal footing, unlike infosecurity teams focused just at the IT level, which many security/network operations centres often are.
Dedicated security officer
However, there can be no denying that having a single person (and/or team) accountable for information security, which more importantly the organisation knows is responsible for information security, will go a long way to providing an adequate level of direction during the management and control of infosecurity policies.
While having a CISO or CIO in place will not guarantee security, without one, many large organisations will surely struggle with the general complexity of interconnected technical, physical and personnel related components that make up a complete infosecurity framework.
Some industries will place a greater requirement on this than others, but once an organisation gets to a certain size (perhaps several thousand employees) the requirement for a dedicated information security officer will become too great to avoid and without one can only ever result in a higher risk of data loss, external attack and inefficient counter measures.
The case with LinkedIn is interesting. I don't doubt that it has an internal framework in place which is managed and implemented, if not owned, by a CISO job title. The mistake I think it made is more from an accountability and public relations perspective.
Bearing in mind it is an online business specialising in creating and managing professional identities – which contains vast amounts of personal identifiable information – it would seem churlish not to have a dedicated go-to person for general guidance, instruction and internal and external messaging that acutely promotes information security across all areas of the business.
Simon Moffatt, CISSP, is an information security consultant and blogger.