IT security often stands a better chance of being listened to by the business if it’s located outside the IT department - according to chief security officers meeting in a recent Corporate IT Forum security workshop.
Security chiefs taking part in the wide-ranging debate reported that when Information Security ‘sits’ within IT, it can mean that business managers - often unfairly - perceive that security professionals are too close to their IT colleagues. Being seen to be too close can lead to business managers worrying that objective decisions - especially around in-sourcing and outsourcing options - become subjective and personal.
Whilst close and constructive links will always be needed between IT and Information Security, many CSOs consider that where possible, Information Security should not report into the CIO.
Where reporting into the CIO is unavoidable, security chiefs recommend clear and unambiguous walls between the two departments and a clear definition of the two disciplines.