Enterprise Security Policy Development

This is a dissent to the prevailing organizational trend of placing Information Security (InfoSec) workers outside the control of the Information Technology (InfoTec) department. I recognize I was asked to create an organizational memorandum relaying the development of our new Enterprise Security Policy, but I cannot in good conscience do that, as I believe that by removing our InfoSec department from our InfoTec department, we are violating the very spirit of the policy we seek to develop.

Two years ago, after a heated disagreement with our Chief Information Officer, my Information Security department was removed from the InfoTec branch of the company. Over the months, our CEO has tried many restructures of the InfoSec department, putting us under the purview of the security department, the administrative department, the insurance department, and the planning department. Although we learned very valuable skills related to Information Security from each of these fine departments, every single move placed us further away from making effective change.

Security needs to be a grassroots effort, not implemented by policies written months ago by officials in the insurance department. While I firmly believe that every employee is an Agent of Information Security, I also believe that needs to ring doubly true for the entire Information Technology department. This is because your InfoTec department is the single most attackable area in the company. Like the epidermis of the organization, our technology department is in charge of the policies of everything from our email to our website, our databases, and our developing technology. If we are subject to any sort of digital attack, it will pass through the purview of our technology department.

So again I posit: the place of Information Security needs to be at the front line with Information Technology. Just as our factory workers grumble about OSHA breathing down their necks, we know they are there for a good purpose, and they would not be nearly so effective if they conducted their audits from the comfort of the accounting department.

From this position of unity, the InfoTec and InfoSec departments could make a thorough Security Policy that addresses the Enterprise problems of tomorrow, instead of attempting to rein in the obsolescent practices of today: problems that would not exist if InfoSec operated at the lowest level of digital operations.

After creating a skeletal security policy with the CIO, we would consult with the planning department in an attempt to align our Enterprise Security Policy with the aims and goals of the company, and consider the risks that might accompany those endeavors.

Taking our fleshed-out Security Policy that aligns with our corporate vision, we develop it further by running it past our Insurance and Risk Management department, which can confirm the assessments gathered after consulting with the planning department.

Finally, we take the triple-checked security policy to Administrative Services, to speak with Human Resources and Physical Security to ensure the rough draft of our Enterprise Security Policy is both ethical and feasible. Given the go-ahead by Administration, we would present the Enterprise Security Policy to the CEO for future implementation.

None of this would work without a close working relationship between InfoTec and InfoSec. By rejoining these departments, we would put our planning and development teams months ahead of our current schedule, as they would have firsthand institutional knowledge of the operations of the Information Technology department, and would best know how to answer the issues that exist and are likely to exist in the future.