Dissonance between IT and security management.
Mark Brewer wrote a thoughtful post on Risk in IT – I liked his use of the term “resilient organizations”, although I have been using the term “robust organizations”. The semantic difference between robustness and resilience may be related to the difference between IT and security management world-views.
“Risk in IT” derives from a fundamental dissonance between information technology and security –
IT management is about planning and executing predictable business processes. Security is about planning for the unpredictable.
This fundamental dissonance often causes a cultural schism between IT/CIO and Security/CSO. In many organizations the dissonance is amplified by two additional factors – a) splitting of physical and information security into two separate operations silos and b) external regulatory compliance.
Compliance as it pertains to security, finance and IT is often conveniently boxed into politically safe silos. OP (organizational politics) is not a bad thing, but multiple risk silos result in multiple and usually redundant costs. In addition, compliance results in the management board adopting policies that are not organically their own – which is dangerous in its own right.
The short answer to these issues is that security needs to be built into (not bolted onto) the business strategy and the business process itself.