The Name of the IT Security Game

The title of the IT Security function is a hot topic this year, as organisations contemplate possibilities for mergers to enable headcount reductions. With whom to merge, and what to call the new unit are questions at the forefront of many managers’ minds. Of course you could also try the opposite approach of embedding security activities in other functions. In fact that’s an ongoing trend, accelerated from time to time by the sweep of the pendulum swing between devolution and centralization of resources. But you always need a central coordination function, though the word coordination is to be strictly avoided as it’s a primary target of downsizing consultants.

A few leading banks have taken to merging Physical and IT Security functions. The jury’s still out on whether it’s a good idea, though I have to say that I haven’t noticed a great deal of difference. At the very least one would expect to achieve a broader vision for identity management and a more professional security response process. And it certainly simplifies the job titles. In fact the biggest challenge is finding someone to head it up with proven experience of both areas.

Some consultancies suggest a merger between Compliance and IT security. It’s an interesting, though unproven, concept. We certainly need to improve the communication between these functions, and such an approach might also encourage a more effective “closing the loop” process, i.e. actually checking that corporate standards are being followed. However the skill sets are very different and it could lead to a longer-term dumbing down of the technical capability of security staff.

Of course you can always start by re-badging your function and then building your empire from there. New titles are always a good trick for revitalizing a function and gaining breathing space from organizational politics. But what should you call yourself?

Some banks like Information Risk Management. That’s a smart move for engaging the business. It aligns with Basel 2 and sends out a clear message that business risk is the primary driver for security. The problem is that the skills and experience required for Risk Management and IT security are different. You can’t put a business risk expert in charge of your security architecture.

Information Assurance is very popular in the public sector but is not meaningful to commercial organisations, most of which have little business appetite for unnecessary assurance processes. It also suffers from a great deal of uncertainty about the precise scope of the function. Does it encompass Information Management, for example? There are different views about this.

Data Protection and Privacy are hot topics and growing compliance requirements, but the problem space is narrow and the solution space too broad. It makes no sense to mount an enterprise-wide campaign just to safeguard one category of data. And the implied activities are surprisingly varied, embracing legal, marketing, security and administrative processes. Should you put a lawyer, a commercial person or a security specialist in charge? And the term “data” is a step back from “information”, at a time when we should be aspiring to move up the intellectual property food chain. Safeguarding knowledge or even wisdom would be a more ambitious goal.

Fashion is always a key factor in any new development. So perhaps the answer is to take a step back and track the latest trends in Google searches. I’m grateful to Andrew Yeomans, my fellow Jericho Forum co-conspirator, for pointing me to this interesting Google trend history for popular terms. Data protection wins hands down.