Skip to main content

Security groups should sit under Marketing, not IT

Ok, so I'm being a little facetious, but I do think that putting Security departments under IT is a bad idea, not because they don't naturally fit well there, but because usually it gives the wrong impression and not enough visibility.

Security is far more wide reaching than IT alone and touches every part of the business. By considering it as part of IT, and utilising IT budgets, it can be pigeonholed and ignored by anyone who wouldn't engage IT for their project or job. Security covers all information, from digital to paper-based and is concerned with aspects such as user education as much as technology.

There is a clear conflict of interest between IT and Security as well. Part of the Security team's function is to monitor, audit and assess the systems put in place and maintained by the IT department. If the Security team sits within this department then there can be a question over the segregation of duties and responsibility. In addition to this, Security departments can end up competing with other parts of IT for budget. How well does this work when project budgets are allocated to one department responsible for producing new features and fixing the vulnerabilities in old ones?

The Security department should answer directly to the board and communicate risk, not technology. It is important that they are involved with all aspects of the business from Marketing, through Procurement and Legal, to the IT department. You will, more often than not, get a much better idea of what the business does and what's important to it by sitting with the Marketing team than with the IT team. Hence the title of this post.

Comments

Popular Posts

Trusteer or no trust 'ere...

...that is the question. Well, I've had more of a look into Trusteer's Rapport, and it seems that my fears were justified. There are many security professionals out there who are claiming that this is 'snake oil' - marketing hype for something that isn't possible. Trusteer's Rapport gives security 'guaranteed' even if your machine is infected with malware according to their marketing department. Now any security professional worth his salt will tell you that this is rubbish and you should run a mile from claims like this. Anyway, I will try to address a few questions I raised in my last post about this. Firstly, I was correct in my assumption that Rapport requires a list of the servers that you wish to communicate with; it contacts a secure DNS server, which has a list already in it. This is how it switches from a phishing site to the legitimate site silently in the background. I have yet to fully investigate the security of this DNS, however, as most...

Anti-Phishing Sender Verification with GrIDsure

I have tried out GrIDsure with a set of users now to see how easy it was to use. I was using the Windows client 2-factor authentication solution I blogged about here . (If you don't know their product you must read either their website or my other blog post above before reading this post as it won't make a lot of sense otherwise.) It turns out that the users had no problem setting it up and using the login - no training required other than a simple explanation of how it works. Doing this trial reminded me of discussions I had with GrIDsure about their Enterprise version of their product, which is fairly new and has more features being added all the time. One feature that I thought was noteworthy is their anti-phishing verification. Phishing, as you will know from here , is a big problem and is often spread by obscured links in emails, such as http://www.microsoft.com.phishers.org/ , which has absolutely nothing to do with Microsoft, but is just a sub-domain of phishers.org....

Bank Card Phone Scam - new version of an old technique

There is a new take on an old phone scam currently hitting people. The old scam was to pretend to be the telephone company and phone someone saying that they are about to be cut-off if they don't pay a smallish amount by card over the phone immediately. If people don't believe them they are actually encouraged to hang-up and then try to make a call. When they hang-up and then pick the phone up again it is dead. How do they do this? Well it's actually very simple - the scammer doesn't hang-up, they just put their phone on mute. The call was never torn down. So, what's the 'new take' on this scam? Well, they are now hitting bank and credit card customers. The scammers now pretend to be from the bank and start asking for card details, etc. If you get suspicious (or even sometimes prompted by the scammer themselves) you are encouraged to hang up and call them back on the telephone number shown on the back of your card. They then provide you with an extension n...