EDPACS
The EDP Audit, Control, and Security Newsletter
Volume 56, 2017 - Issue 3
Original Articles

Information security function: Optimum reporting and organization structure

 

Abstract

This article addresses two common questions on the mind of most organizations. The first is where the information security function should report within the organization; the second is what the right title should be for the person leading the information security program. This article also discusses typical activities performed by a security organization and links these activities to the Institute of Internal Auditors’ model of three lines of defense.

Additional information

Notes on contributors

Sajay Rai

Sajay Rai, CPA, CISSP, CISM, has more than 30 years of experience in information technology, specializing in information security, privacy, network architecture, business continuity, disaster recovery, IT audit and information risk. Mr. Rai is the Founder and CEO of Securely Yours LLC. Prior to starting Securely Yours LLC, Mr. Rai was a Cyber Security and Risk Partner with Ernst & Young LLP for 10 years. Mr. Rai also worked with IBM for 13 years, most recently serving as an executive of the national Business Continuity and Contingency consulting practice. He was instrumental in starting the company’s Information Security consulting practice. Mr. Rai co-authored three books titled “Security and Auditing of Smart Devices,” “Sawyer’s Internal Audit Handbook 6th Edition” and “Defending the Digital Frontier – A Security Agenda.” Mr. Rai is a member of IIA’s Global Technology Committee and has co-authored several Global Technology Audit Guides.

Mr. Rai also serves on the board of ISACA Detroit Chapter, IIA’s Detroit Chapter, Society of Information Management (SIM) Detroit Chapter and as a member of Walsh College’s Accounting Advisory and Technology Committees. Mr. Rai is a regular speaker at industry conferences on information security, business continuity, disaster recovery, and technology strategy and is frequently quoted in magazines and newspapers.

Mr. Rai is an adjunct professor at Oakland University in Michigan and teaches Cyber Security classes. He can be reached at [email protected]

Philip Chukwuma

Mr. Chukwuma is the CTO of Securely Yours LLC. He has over 20 years of experience in Information Technology, information security, privacy and business continuity. As a CTO, Mr. Chukwuma sets the strategy of technical security solutions for our clients. His expertise is in the area of mobile security, identity and access management, network architecture, disaster recovery planning and security architecture.

Prior to joining Securely Yours, Mr. Chukwuma was with Ernst & Young LLP as a Manager in the Risk Advisory practice. He worked on several engagements in the area of IT Security, Identity and Access Management, ERP Integrity, SAP Security, Segregation of Duties (SOD), and Infrastructure Management (Problem, Incident, Change, Event Management, Active Directory, UNIX, etc.). He has served in many industries including higher education, automotive, financial, manufacturing, and oil & gas.

During his career, Mr. Chukwuma has led several engagements as an Architect, where he has invented ideas to streamline the implementation of security solutions. He has developed several tools related to IAM and SAP, which have saved his clients time and money. Mr. Chukwuma has extensive implementation experience in the area of Information Security and ERP systems.

Philip received a bachelor’s degree from the University of North Texas in Denton, and his M.B.A. from the same University. Philip is also a Certified Information Systems Security Professional (CISSP).
