Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Nov 8, 2007

Who's responsible for security awareness?

A blogger bemoaning the effect of inadequate awareness and training on mobile computing and wireless networking security asks who should be responsible for it? Why do so few organizations run comprehensive security awareness and training? The blooger seems to think the CIO, or possibly HR, should be responsible but I'm not sure about either of those suggestions. Most CIOs naturally focus on IT - as in technical - security, if indeed they take any interest in security. Relatively few HR people I've worked with have had much interest in IT, let alone information security.

No, it seems to me the blogger has created a false dichotomy, offering a choice of two inappropriate owners. The more appropriate home for security awareness is surely the Information Security Manager, especially if management are open-minded enough to ensure that the ISM role has influence right across the enterprise, rather than being buried out of sight in the depths of IT. The ISM should be working hand-in-hand with IT, HR, Legal, Risk, Compliance, R&D, Ops ... in fact I can't think of anyone the ISM can safely ignore (is there any department that doesn't rely on information?).

To have any real effect on the organization's security stance and culture, the ISM needs the full support of executive management. My reasoning goes like this:
- Security awareness is part of information security.
- Information security is part of IT governance.
- IT governance is part of corporate governance.
- Corporate governance applies across the whole organization, and is a matter for senior management collectively.
- Ultimately the CEO and the Board are accountable for information security. They have the power to prioritize it, allocate sufficient funding, mandate security policies, standards etc. The CIO is much too far down the food-chain to have teeth.