By Thornton May
Futurist, Senior Advisor with GP, Executive Director & Dean - IT Leadership Academy
There is a lot of money being spent on information security [Infosec] these days. The e-mail encryption market is anticipated to grow 23% a year through 2020. Spending on data security is expected to grow 9.8% a year through 2021, when total spending is forecast to be in the $202 billion range. The cost of data breaches is forecast to reach $2.1 trillion globally by 2019, almost four times the estimated cost of breaches in 2015. One of the questions facing organizations today is “where should Infosec go?” That is, where should the information security organization and the Chief Information Security Officer [the CISO] be placed on the organizational chart?
Where is Infosec Located Today?
Historically, information security has been placed in the IT department with the CISO reporting to the CIO.
In the Telecommunications Group?
Some believe that security begins at the network layer. “All the networks, current and future information systems, must be secured to preserve privacy and the proper operation of the online economy.” For this reason, some believe that Infosec should be part of the telecommunications group.
In the Office of General Counsel?
Because companies are legally obliged to implement certain security standards and to process personal data only in accordance with certain principles, some believe Infosec should be placed in the Office of the General Counsel. Ensuring a high level of security for personal data, systems and networks is a legal requirement in Europe and in many other parts of the world, and the fines associated with the misuse of customer data are increasingly steep. There is a definite “compliance component” to many Infosec activities.
In the Marketing Department?
Because the capture of customer data lies at the heart of the business models of the most successful firms today, some believe that Infosec should be part of the marketing organization.
In the Product Development Department?
Organizations of all sizes across all verticals are using new digital tools to be productive and create competitive advantages, and the digitization of our world creates new kinds of opportunities. Because Infosec needs to be built into every new product and service from the start, rather than bolted on afterwards, some believe Infosec should be part of the product development organization.
In the Risk Management Department?
A digitized world presents new types of risks. Some believe Infosec should be part of the risk management organization.
In the Operations Group?
Because the security model must be end-to-end and incorporate all of your digital content and data points, some believe Infosec and the CISO should report to the Chief Operating Officer.
In the Accounting Department?
Someone has to figure out what all this data is worth. For this reason some believe Infosec and the CISO should report to the CFO. Ongoing and periodic checks by individuals and by the company as a whole [i.e., audits] need to be conducted to ensure that laws are being complied with and that information risk is being mitigated.
In the Purchasing Department?
Some believe many security problems could be prevented if the organization only bought products and services with security built into them. For this reason, perhaps Infosec should be located in Purchasing.
Where do you think Infosec should go?