Reporting lines.
The classic discussion came up again recently of where an ISO (information security officer) should report in an organization. One school of thought says it should be in IT; the other says it should be outside IT and as high up the food chain as possible to achieve objectivity and authority.
I’m pretty clear on where I think it should be: in IT. I think the people who believe it should be elsewhere aren’t IT people themselves and think IT security is all about policy. It isn’t.
You don’t just pronounce policies from on high and wait for them to be implemented. Often you have to help engineer the solution for the implementation, explain to the sysadmins or developers exactly how to do what you’re requesting, and check their work. You have to be able to conduct investigations on the ground.
Most importantly, though, you are extremely dependent upon the goodwill of the sysadmins, network people, and everyone else who actually runs the infrastructure. They are the first line of defense, and they are your greatest source of intelligence info. If you don’t have a close working relationship with them, you’ll miss finding out about a lot of security incidents—especially insider activity, where the only reason it’s detected is that someone was very familiar with the normal behaviors and knew something was out of line.
You won’t have the trust of the IT people if you don’t work with them, among them, and (where possible) for them. You help come up with tools to make their lives easier, and they’ll help you in return. Many times I’ve had a first-level technician sidle into my office, close the door, and say, “Um, there’s something I think you should look at.” You won’t get that if you’re in the C-level wing of the building.
The only time I can see reporting outside of IT is if you don’t have a supportive management chain, and therefore can’t get any policies or work implemented without being right next to the Top Hammer. But that’s an indication of a bigger problem within the organization, and reporting there shouldn’t be the default. (And for crissesake, don’t make the ISO report even further out of the organization, say to an external oversight group. That would just be the Kiss O’ Death for getting anyone to talk to you, much less do you any favors.)
Posted by shrdlu on Monday, November 20, 2006