One thing I notice while doing information security work is that organizations tend to segment IT responsibilities into separate departments or areas of responsibility. There will be employees or groups responsible for networks, applications, servers, desktops, databases, help desks and information security. This is perfectly understandable given the complexity of handling even modestly-sized information systems. Such specialization allows individuals or groups to concentrate on their areas of responsibility and become efficient and expert in their specialties.
However, this very segmentation of duties usually has a big downside for information security at such organizations. The problem is that for an information security program to be successful it must be managed in a holistic manner, accounting for and amalgamating each mechanism and process in the entire program. If not, neglected systems or systems that are misconfigured for the environment occur and suddenly there are exploitable security holes in the network. And like a dike holding back the sea, just one hole can lead to disaster. That is why it is imperative that each IT function be fully aware of what all the other IT functions are doing. In other words, they need to communicate among themselves in an inclusive and professional manner.
Unfortunately, human weaknesses such as ego, hubris, complacency and ignorance come into play when trying to facilitate such intercommunication. Often in the organizations I’ve worked with, the information security department is well aware of the problems I detailed above but are helpless to correct them. This is because IT security departments are usually treated like poor relatives by the other IT departments and senior management. They just don’t have the clout needed to get their programs and processes implemented in an effective manner. To other IT departments and management, information security processes are just a roadblock to functionality and a drain on the budget.
Or perhaps, even if IT and senior management are interested in backing information security, the corporate processes in place for requesting and implementing changes to network systems and processes are so ponderous and full of contention that they lose all effectiveness. It may take weeks or months to implement one simple policy change for example.
That is why I champion the need for a C-level individual (or group) to deal with the problem. I would call them information security coordinators or something similar. Their job would be to bring departments together to discuss what they do and how it could affect the security of systems and information. It would also be their job to coordinate this information and identify holes in the information security program. With C-level authority, they can then better remediate the identified problems without undue bureaucratic entanglement or having to deal with rice-bowl mentality. One thing I learned well when I first started in this profession is that without senior management backing and approval, an information security program is going nowhere!