IWC and the History of its ISSO


At one time, IWC's asset protection program consisted only of a professional physical security program (alarm systems, badge readers, and a guard force), while protection of the information systems was an additional responsibility assigned to the IWC Information Technology Department. The IWC executives determined that they needed a professional ISSO and organization to meet their ever-increasing security requirements as the corporation expanded worldwide and matured. Furthermore, they saw the need for a CIO to "get a handle" on all information processes and needs within IWC.

It should be noted that IWC's executive management agreed that an ISSO position should be established, and the ISSO hired should establish IWC's CIAPP and also establish and manage the InfoSec organization. However, there was not complete agreement as to where in IWC the ISSO reported.

Some members of IWC's executive management suggested the CIO, while others suggested that the ISSO report to the Executive Vice President of HR. They argued that placing the ISSO with the corporate security organization under HR was logical because it was mainly about people.

Other members of executive management recommended that the ISSO report to the Director of Auditing. However, the Director of Auditing advised that the auditing department was strictly responsible for determining IWC's compliance with applicable state, federal, and international laws, and company policies and procedures. The director felt that the auditors' limited scope and functions would adversely limit the ISSO in establishing and managing a CIAPP. In other words, like most auditors, they wouldn't want any part of that responsibility, since it is one that usually takes the blame anytime something goes wrong. The Director of Auditing also argued that it may be a conflict of interest for the ISSO to establish corporate InfoSec policies and procedures, albeit with management support and approval, while at the same time having another part of that organization (the audit group) determine not only compliance with the InfoSec policies and procedures, but also whether they were adequate.

The ISSO and the corporate security department were also considered for inclusion lower in the bureaucracy under the Information Technology Department (IT), since IWC was an information-based, high-technology-supported corporation whose major assets were computer-based. The reasoning was that the majority of the assets that required protection were IT-supported. Furthermore, since the InfoSec organization was at that time already under IT, it made sense to keep it all under IT. However, the Executive Vice President of IT objected and in fact offered to move the InfoSec organization under the corporate security department as long as IT remained in the coordination loop for InfoSec matters that affected the IT department. That offer was tabled pending the hiring of the ISSO. The executives reasoned that the newly hired ISSO could meet with each department head to determine where the InfoSec organization would best fit.

Also considered as the "home" of the ISSO and the InfoSec organization were the Finance Department and the Legal Department, both of which reported directly to the CEO. Neither was considered "practical" by the Vice President of Finance, the Director of the Legal Department, or the CEO.

A survey was taken of other corporations similar to IWC, and it was determined that the majority of the InfoSec organizations in those corporations were part of the IT departments. Subsequently, IWC hired an executive and established a newly formed department led by a CIO. This new department was established because executive management concurred with a consultant's recommendation that IWC's information must be managed in a holistic manner and that sensitive information must be protected regardless of its environment, whether on a computer, in hardcopy, or transmitted by fax, telephone, PDA, or the like. Therefore, someone at IWC should be in an executive position in order to "get their arms around" the entire information issue. Thus, it was finally decided that the ISSO position and organization should be established under the CIO. It seemed a logical place, since the IT department was also under the CIO.

An ISSO was hired; however, because of the lack of progress in developing a CIAPP and the loss of some valuable corporate assets, that ISSO was fired and a new ISSO was hired. The new ISSO, during the interview process and again after being hired, determined what caused the ISSO position to be formed and why it reported where it did in the IWC organizational structure. The new ISSO's understanding of how this position ended up where it did provides some clues as to the feelings and inner workings of IWC's management vis-à-vis the ISSO and the CIAPP. This information will be useful when the ISSO begins to establish IWC's CIAPP and when the ISSO requests support from these corporate executives. It also gives the ISSO some insight into what type of support might be received from these executives. The circumstances surrounding the firing of the previous ISSO also helped the new ISSO understand what must now be considered the number one priority: the establishment of the baseline IWC CIAPP.

As an example of the use of this information, the fact that no major department within IWC wanted the InfoSec responsibility could be leveraged. Those department heads may not mind supporting the ISSO and the CIAPP, but they do not want to carry much responsibility for that effort. This gives the ISSO the opportunity to be a strong leader without concern that the departments identified would want to absorb some of the InfoSec functions into their own organizations. Thus, a more centralized, ISSO-directed CIAPP can probably be established. As with any position within a corporation, office politics always plays a major role; so do the informal information channels, such as the flow of gossip. To be successful, the ISSO must understand the game of office politics, power, and "back-channel" information flows.

Furthermore, it is clear that the Director of Auditing would support the CIAPP from a compliance audit standpoint, but would probably not want to join an IWC CIAPP team responsible for writing the new InfoSec policies and procedures. As the ISSO, you must keep this in mind when you decide how to establish InfoSec policies and procedures, and which departments should be involved in which part of that development and "buy-in" process.
The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204