Manage

Who is responsible for handling security program development in an IT infrastructure?

Security management expert Mike Rothman discusses the roles and responsibilities of those involved in IT security program development.

Securosis

I have recently been appointed to the position of ISO. Our compliance officer is currently overseeing and developing the information security program, but has no real technical background. Should program development take place within my department, or can this be a delegated duty that is monitored by my team?

It's not clear whether you report to the IT group or directly to the compliance officer, and the answer to your question will vary depending on where you are in the organizational hierarchy.

In general, the security officer's main job is to develop and run the security program. A lot of the blocking and...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

tackling is increasingly being integrated into the operational groups (networks, data center, desktop, applications) and it's the job of the CSO to evangelize the entirety of the program and persuade each of the operational managers to work together and deploy a layered security environment.

Now if you work for the compliance officer, then you are basically in charge of implementing the security program, and that's fine. But you should have a hand in developing the program as well because it's really hard to implement something you don't help build.

To be clear, I do not recommend delegating the development of the program. It's a bit wacky to think someone other than the security officer's team is better positioned to understand what needs to be protected and how it should be taken care of, and then to define program success and manage milestones.

For more information:

Learn why it's important to keep enterprise networking and security roles separate.

In this tip, Khaild Kark explains how to develop controls for people, processes and technology.

This was last published in November 2007

Dig Deeper on Information security certifications, training and jobs

All
News
Get Started
Evaluate
Manage
Problem Solve

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

Related Resources

Dig Deeper on Information security certifications, training and jobs

Related Q&A from Mike Rothman

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.