
Performance of the security officer

We live in an era where information security is a hot topic. With one simple Google search I can enumerate a load of examples of information security incidents. This makes it obvious why the term security officer is used more and more often. It is a good sign that organizations acknowledge the importance of having a security / privacy officer.

Many organizations do have a security officer employed, but they cannot give substance to the function. The security officer is employed simply because the regulations require it. In many cases the job has no clear description. This leads to inefficiency, or it even makes it impossible for the security officer to do the job.

Through this blog I am trying to create more awareness about the necessity of a security officer.

Problem of the security officer

What is the biggest problem for the security officer? I distinguish three aspects:

1. Position in the organization;
2. Security officer must be an all-rounder;
3. Free capacity in the organization.

Three short key words summarize these problems: independence, expertise and availability.

Independence

In an ideal world, a security officer should report directly to the top management. After all, the top management carries the ultimate responsibility for internal control and information security.

Because of this, a security officer should be employed as a staff function.

Unfortunately, during our customer meetings we notice that the security officer is positioned in the line, multiple levels away from the person who is ultimately responsible. As a security officer you don't want to bypass your superior, which limits your independence.

Expertise

What is actually expected from a security officer? A person who can oversee all aspects of information processing in the organization and the impact it has on business processes, people and third parties. The security officer should be familiar with all relevant laws and regulations. In addition, this person has a clear understanding of technical security measures and can assess which measures are needed.

Obviously, the business processes should hold no secrets for the security officer. The security officer should also be able to communicate about technical issues with higher management and should be able to disseminate the information security policy throughout the entire organization. In brief, you have to be a jack of all trades.

It is obvious that not every company has a suitable person for the job, so existing staff have to be retrained, which does not always deliver the desired result.

Availability

You might think: how can I, with my small business, employ an independent and qualified person to fulfil the job of security officer? With this question you immediately hit the last sore point. Small organizations often don't have the resources and capabilities to appoint the right person.

The result? The role of security officer is taken on by someone already holding another role within your organization. This also limits the functioning of the security / privacy officer.

The solution

Obviously enough, there is no single solution to this problem. We have seen situations where a security officer performing the role as a secondary function did sufficiently well, and also situations where a self-made security officer was fine. In any case, it is wise to reflect on your own situation and determine how you would fulfil the role within your organization.

From our experience I would give you the following tips:

  1. Provide direct reporting lines to the responsible management, even when the function is not set up as a staff function. This is easy to achieve through regular meetings. Make clear agreements with the intervening management levels.
  2. If the function is fulfilled as an additional role, make sure you appoint at least two such employees so that they can complement each other and to safeguard independence.
  3. Provide enough training opportunities for your security officer as continuing education.

As a final note I would like to add the following. Very often people ask me: what is the ROI of such a function within an organization? The answer is: there is no return on investment. Businesses have to see the employment of a security officer as assurance.

The role of security officer enables management to rely on the internal controls within your organization.

Contact

Do you have a question? Get in touch with one of our IT audit professionals. We are pleased to help you.