Wednesday, 3 December 2008

Who has the responsibility?

AppGate has many customers in the defence space, and one thing that you can say about those customers is that they know a lot about delegation of mandate. They know who is in charge and they know how to give orders (and how to get people to follow them). A soldier has less power than a general, but on the other hand a general has more responsibilities.
Take a moment to think about who is responsible for Information Security in your organisation. Is it the IT department that builds the solution, the security department that writes policies, or the management who is responsible?
In my way of thinking there is an easy answer to the question: it is always the management. The problem is that they seldom understand that responsibility. Therefore we from the IT side need to build tools for them to understand which decisions have to be made to achieve the right level of security. That is our responsibility. If we do not get the right attention (or funding) it is our fault, not theirs.
Who is not responsible? There is a simple answer to that as well: the users. We cannot expect them to take the right security decisions. That is why we have a door that closes automatically behind people, for once in a while they forget to close the door.
