The evolving role of the CIO involves IT and security responsibilities



At retail giant Target, recent changes to top management's responsibilities around security reflect a push to elevate some infosecurity matters to a new level of business criticality.

Over the last couple of years, "we made the decision to treat corporate compliance, fraud prevention and other areas primarily as business risks, then as technical challenges," says Tony Heredia, vice president of corporate risk and responsibility at the Minneapolis-based company.

Target's size and scope drove the changes. Given the array of industries the company straddles (retail, financial services and health care), the company found itself "pulled in recent years in different directions around regulations, from PCI to HIPAA to GLBA," Heredia says. "We needed to find a way to address all of these risks."

Thus some issues related to security standards and governance now live in his group's purview, while Beth Jacob, Target's CIO and a peer of Target's general counsel (to whom Heredia reports), continues to oversee the technical aspects of the company's information security strategies.

As an example, Heredia points to ongoing efforts to shape employees' security-related behavior, such as educating them about why keeping password-covered sticky notes on or near their computers is a bad idea. While this task had once been handled by those on the technical side of the house, it is now considered part of standards, governance, training and enforcement, all of which Heredia and his staff ultimately oversee.

In shifting duties around, "we took our time," he adds, noting that technical and organizational changes designed to address new ways of managing risk have been phased in over the last two years.

Given that each organization needs to consider myriad factors, from its size to the regulations it faces to its security or IT head count, Enterprise Management's Crawford suggests that it's often best when security personnel report directly to the CEO rather than to the CIO.

"You don't want to have the person who is supposed to be keeping tabs on doing the right thing reporting to the group they are supposed to be keeping tabs on," he says.

At Rockford Construction, Partridge reports to the vice president of operations, who reports to the executive VP, who reports to the CEO. He is optimistic that his influence will grow over time.

"Management is still trying to figure out where I really fit into the organization," he says. "It would be good to have IT and information security in a more strategic, less reactive arrangement."

This was first published in January 2009
