Information Security Magazine


The evolving role of the CIO involves IT and security responsibilities
by Amy Rogers Nazarov
Issue: Jan 2009

NEW HEIGHTS
At retail giant Target, recent changes to top management's responsibilities around security reflect a push to elevate some infosecurity matters to a new level of business criticality.

Over the last couple of years, "we made the decision to treat corporate compliance, fraud prevention and other areas primarily as business risks, then as technical challenges," says Tony Heredia, vice president of corporate risk and responsibility at the Minneapolis-based company.

Target's size and scope drove the changes. Given the array of industries the company straddles (retail, financial services, health care), the company found itself "pulled in recent years in different directions around regulations, from PCI to HIPAA to GLBA," Heredia says. "We needed to find a way to address all of these risks."

Thus some issues related to security standards and governance now live in his group's purview, while Beth Jacob, Target's CIO and a peer of Target's general counsel (to whom Heredia reports), continues to oversee the technical aspects of the company's information security strategies.

As an example, Heredia points to ongoing efforts to shape employees' security-related behavior, such as educating them about why keeping password-covered sticky notes on or near their computers is a bad idea. While this task had once been handled by those on the technical side of the house, it's now considered part of standards, governance, training and enforcement, all of which Heredia and his staff ultimately oversee.

In shifting duties around, "we took our time," he adds, noting that technical and organizational changes designed to address new ways of managing risk have been phased in over the last two years.

REPORTING STRUCTURE
Given that each organization needs to consider myriad factors, from its size to the regulations it faces to its security or IT head count, Enterprise Management's Crawford suggests that it's often best when security personnel report directly to the CEO rather than to the CIO.

"You don't want to have the person who is supposed to be keeping tabs on doing the right thing reporting to the group they are supposed to be keeping tabs on," he says.

At Rockford Construction, Partridge reports to the vice president of operations, who reports to the executive VP, who reports to the CEO. He is optimistic that his influence will grow over time.

"Management is still trying to figure out where I really fit into the organization," he says. "It would be good to have IT and information security in a more strategic, less reactive arrangement."
