Organizational dynamics and their influence on information security

Here’s an excerpt from our recent MarketInsight report – Reshaping Information Security.  This section deals with the organizational dynamics related to designing and implementing an information security program around corporate messaging.  You can download the full report here or send me an email for it.

Organizational Dynamics

Curiously, this came up repeatedly as both an obstacle and a variable to consider when working to design or implement an information security program covering messaging. One interesting point of view was that people want to report good news and that this topic, at least in the beginning, is rarely good news.

Organizationally, the Information Security function came out of the IT organization and in many cases reports to the CIO. It was described as an “immature business function” that can have a “conflict of interest” with the CIO, complicating day-to-day operations. Further, security alone does not translate to risk management and, in one case, documenting the exposure for a management team was not well received because now something had to be done about it.

Proactive companies have committees or councils whose purpose is to address the broader content and security issues facing the company; these often become a flashpoint for discussions around messaging and proper governance. These groups can include Legal, Internal Audit, Business Owners, HR, and various shades of IT.

One thing was made clear during our discussions: the more information you get, the more you must act. So questions around who owns securing intellectual property, or who is going to be the “police officer” for the organization, must be sorted out at this cross-functional level. After all, it is very difficult to manage something you don’t own, and we heard repeatedly that no one wanted to receive “hate mail” from employees due to a new policy or technology control. Ultimately, there must be consequences for those who breach the rules, and the urgency and enforcement must come from the top, in many cases forcing divisions and departments to participate.
