Manage Learn to apply best practices and optimize your operations.

Who is responsible for handling security program development in an IT infrastructure?

Security management expert Mike Rothman discusses the roles and responsibilities of those involved in IT security program development.

I have recently been appointed to the position of ISO. Our compliance officer is currently overseeing and developing the information security program, but has no real technical background. Should program development take place within my department, or can this be a delegated duty that is monitored by my team?
It's not clear whether you report to the IT group or directly to the compliance officer, and the answer to your question will vary depending on where you are in the organizational hierarchy.

In general, the security officer's main job is to develop and run the security program. A lot of the blocking and...

tackling is increasingly being integrated into the operational groups (networks, data center, desktop, applications) and it's the job of the CSO to evangelize the entirety of the program and persuade each of the operational managers to work together and deploy a layered security environment.

Now if you work for the compliance officer, then you are basically in charge of implementing the security program, and that's fine. But you should have a hand in developing the program as well because it's really hard to implement something you don't help build.

To be clear, I do not recommend delegating the development of the program. It's a bit wacky to think someone other than the security officer's team is better positioned to understand what needs to be protected and how it should be taken care of, and then to define program success and manage milestones.

For more information:

  • Learn why it's important to keep enterprise networking and security roles separate.
  • In this tip, Khaild Kark explains how to develop controls for people, processes and technology.
  • This was last published in November 2007

    Dig Deeper on Information security certifications, training and jobs

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

    Please create a username to comment.