The CIO as Chief Security/Privacy Officer
By Ted DeZabala | Posted 10-21-2009
Do you spend your days worrying about server capacity, application availability and website uptime? As the traditional realm of the CIO, these topics are certainly worthy of attention.
But it may be time to delegate responsibility to one of your senior deputies so you can focus squarely on the most pressing issue of the day: security and privacy.
With intellectual property boundaries overrun and information borders trampled, with data morphing and migrating freely, and with the lines between customers, vendors and your company becoming increasingly blurred, a multidisciplinary approach to security and privacy--one that has the various groups in your organization working in concert--becomes increasingly essential.
As CIO, you have a unique opportunity to seize ownership of the issue, to spearhead a collaborative approach that engages other c-suite executives, the board, business unit heads and functional leaders.
We believe that providing leadership around security and privacy will be one of the most critical responsibilities of the 21st century CIO. Indeed, the ability to serve as a catalyst for fundamental, systemic change calls for skills, credibility and respect that few others can muster.
In recent years, many IT functions have become ensnared in a no-win situation in terms of security and privacy. Two factors have contributed to this dilemma:
1. Technology functions are burdened by the belief that security and privacy are primarily IT problems. According to a recent Deloitte survey, nine out of 10 respondents--all top executives at Fortune 1000 companies--expressed this viewpoint.
2. IT is hindered by unrealistic expectations. Since security and privacy are viewed primarily as IT problems, many believe that IT alone should provide the solution.
This is a perilously skewed view. For example, consider the impact if similar thinking were applied to the human resources function. At most companies, employment policy development and employee paperwork processing are the responsibility of HR. But due to practical considerations, activities such as direct supervision, performance reviews, job assignments and other responsibilities must be executed by people outside of human resources. Without this sharing of duties by the entire organization, the HR function would cease to function.
The same principle applies to security and privacy. In a borderless enterprise, it is no longer possible to "lock the file cabinet." At the same time, strong passwords and advanced encryption, while important, are insufficient on their own. Today, security and privacy concerns cross organizational boundaries and become everyone's responsibility.
That's because, at their core, security and privacy are business issues, not technology issues--a counterintuitive message that must be convincingly delivered, first to the board and your c-suite counterparts, and then throughout the organization. Your colleagues must realize that if your company focuses primarily on technology as the solution, progress will be slow and setbacks frequent. Conversely, if your organization approaches security and privacy as a business issue (or a customer issue, or a stakeholder issue), and if the process purposely involves the people who normally deal with such issues, then solutions will be more readily attained.
No one could credibly deny that IT has a significant responsibility for security and privacy, but care should be taken to distinguish enablement from execution. The fact is, IT alone cannot solve the problem.
Perhaps it's ironic that this message must come from you, the CIO--an executive whose role is often deemed synonymous with technology. But we consider the messenger as important as the message. No one but you has the authority to deliver it.
Ted DeZabala is national leader of the Security & Privacy Services practice at Deloitte & Touche LLP. The views in this article are those of the author and do not necessarily reflect the views of Deloitte & Touche LLP.