All I can say to this is, 'bout time:
IT directors will play a dramatically reduced role in working with security professionals, says the Information Security Forum, which has issued a report that outlines how businesses' view of security is evolving. Chief risk officers, chief security officers and chief operation officers will be more involved in security strategy, according to the ISF. The change is fueled by Enterprise Risk Management and companies' increasing vision of merging physical security with information security, reports the ISF. Network World (07/31)The downside of the above is that information security requires highly technical solutions and so either security talent has to migrate and disperse into IT organizations (not a bad thing) or strong ties between infosec talent and IT have to remain, or perhaps both. Otherwise infosec becomes all high level strategy with extremely poor execution. The Network World article goes on to say:
less than 3 out 10 information security professionals believe they are focused on delivering solutions to the business.When you hear people talking about information security enabling the business, this is what they are talking about. The goal isn't simply to prevent or reduce risk. It's to enable the business to move forward with opportunities but with a tolerable level of risk. To do that you have to come up with creative solutions-- finding ways to say yes instead of no.
Davies points out that there is currently a large increase in information security professionals reporting to chief risk officers (CRO), chief security officers (CSO) and chief operation officers.Infosec stepping away from IT makes it more difficult to build trust and alliances at the worker level which is crucial in building a security culture where IT personnel help the security group rather than avoiding them. Appointing infosec point of contact within various IT organizations can help.
The upside of this move outside of IT is that the struggle between sometimes opposing goals of IT and Infosec can happen at a higher management level where it often belongs. Infosec can gain a bit more authority, to be weilded very carefully, of course. This arrangement also gives the proper business focus to security groups and provides better visibility of security issues to upper management.