BANGALORE, INDIA: One of the most important questions in today's environment is – who owns information security in an enterprise?

Is it the CIO? Or the CEO? Or everybody? Or nobody?

Well, the answer is not so simple, because Information Security is the concern of all the stakeholders in the enterprise, as it is well known.

In most of the security breaches, the finger points first towards the IT department, and obviously to the CIO. Organizations presume that the CIO is a 'know all' and is supposed to have divine powers in not only detecting breaches, but in preventing them too!

The reality is otherwise, since most of the security breaches are from within, rather than from outside. Yes, no doubt that with so much of hacking, malware, spyware and phishing going on, the threat to an enterprise's security is always on a 'red' level, especially due to the naïveté that one sees when talking of security to the management and seeing the typical response – "Oh IT Security?, my CIO looks after that!".

With IT spending on a tight leash, especially where tangible ROI is tough to quantify, IT security initiatives are either relegated to the 'we'll do it later … projects' or there is a sudden awakening when there is a massive security breach in the form of intrusion or information leakage. "Oh my God, it's happened to us? How come our CIO did not foresee this and take care of it in time?" Mostly, a proactive approach towards IT security is met by a smug 'we're well protected – meaning a basic firewall is in place', 'it can't happen to us – we're in a traditional manufacturing environment', 'our IP is well protected – the R&D department is keeping all its files in a locked cabinet'… The list can be endless.

A simple reconnaissance run inside any company can reveal a treasure trove – open computers, files being copied on removable media, personal email being used for sending attachments where corporate email systems are not allowing, password written on 'post it' notes or being spoken openly, senior's emails being accessed by their juniors – in absentia or just because the boss doesn't have time or is not email savvy, papers strewn all over the office and in dustbins – only malafide intent and a street smart technique is needed to break into such organizations and create havoc. Very often, the custodians of all this are the lower rung in the hierarchy and compromising them is no tough deal.

Therefore, the CIO can actually do only as much as he is empowered to do, or is articulate enough and equipped to do in such a scenario. It is natural to see the CIO being made the prima facie scapegoat in the event of an intrusion, information leakage or any such disaster happening in the enterprise. While the others remain blissfully unaware of the implications of their acts, it is the CIO who has to bite the bullet!

Practically if one looks at IT security, business is the owner of data and information, and hence, the responsibility of data security should lie primarily with the business function. However, it is IT and the CIO's responsibility to establish a secure technology platform, which safeguards the business interests. In this context, the most critical factor that businesses need to address is to build a culture internal to the organization, where security is ingrained in the DNA. Therefore, business driven security framework leveraged by IT has a greater probability of success and lesser chances of finger pointing.