
    Can cyber security and IT have the same reports?

    IT Careers
    • IRJ

      Essentially, in cyber security you could be reporting on your bosses if you're under your IT. CISSP and some of the other courses I have taken have said IT security should be under different reports. How does your company handle that?

      • scottalanmiller

        In my experience there is a mix. IT is cyber security to the users, and security is security to IT. Two different C levels.

        Does that make sense?

        • IRJ @scottalanmiller

          @scottalanmiller said in Can cyber security and IT have the same reports?:

          In my experience there is a mix. IT is cyber security to the users, and security is security to IT. Two different C levels.

          Does that make sense?

          I think you misunderstood.

          Should the departments be separated? Should the CISO be a part of IT or compliance?

          • Dashrender @IRJ

            @IRJ said in Can cyber security and IT have the same reports?:

            @scottalanmiller said in Can cyber security and IT have the same reports?:

            In my experience there is a mix. IT is cyber security to the users, and security is security to IT. Two different C levels.

            Does that make sense?

            I think you misunderstood.

            Should the departments be separated? Should the CISO be a part of IT or compliance?

            I'm pretty sure he said they should be part of compliance. That's the two different C levels. One C level is IT (CIO), the other C level is compliance/etc (possibly the CFO).

            • IRJ @Dashrender

              @Dashrender said in Can cyber security and IT have the same reports?:

              @IRJ said in Can cyber security and IT have the same reports?:

              @scottalanmiller said in Can cyber security and IT have the same reports?:

              In my experience there is a mix. IT is cyber security to the users, and security is security to IT. Two different C levels.

              Does that make sense?

              I think you misunderstood.

              Should the departments be separated? Should the CISO be a part of IT or compliance?

              I'm pretty sure he said they should be part of compliance. That's the two different C levels. One C level is IT (CIO), the other C level is compliance/etc (possibly the CFO).

              That is what is considered best practice, but it's not always what I've seen.

              • scottalanmiller @Dashrender

                @Dashrender said in Can cyber security and IT have the same reports?:

                @IRJ said in Can cyber security and IT have the same reports?:

                @scottalanmiller said in Can cyber security and IT have the same reports?:

                In my experience there is a mix. IT is cyber security to the users, and security is security to IT. Two different C levels.

                Does that make sense?

                I think you misunderstood.

                Should the departments be separated? Should the CISO be a part of IT or compliance?

                I'm pretty sure he said they should be part of compliance. That's the two different C levels. One C level is IT (CIO), the other C level is compliance/etc (possibly the CFO).

                Compliance should never be under a totally arbitrary team like finance. Especially not finance. That's just as bad as being under IT. If finance is stealing money, and they are the most likely ones to do so, they'd control their own audits!

                • scottalanmiller @IRJ

                  @IRJ said in Can cyber security and IT have the same reports?:

                  @scottalanmiller said in Can cyber security and IT have the same reports?:

                  In my experience there is a mix. IT is cyber security to the users, and security is security to IT. Two different C levels.

                  Does that make sense?

                  I think you misunderstood.

                  Should the departments be separated? Should the CISO be a part of IT or compliance?

                  By definition, I feel, a CISO cannot be under another CxO except for the CEO.
