The IT Policy Compliance Group (IT-PCG) has issued a new report (members only) on the "Best Practices for Managing Information Security." The report strongly indicates that there are benefits to having someone senior manage IT security.
Specifically, the report indicates that organizations where a CISO or senior IT security employee reports to a C-level manager have the best corporate outcomes in every respect. Those include customer retention, revenue / profit, least data loss, lowest cost as the result of data loss, lower IT failure downtime and lower audit costs.
Overall this report would seem to indicate a positive ROI for having someone manage IT security. The report also looks at the strategies for managing security that have been most successful for the organizations involved in the survey. It's an interesting study into methods that may help improve customer retention and lower overall organizational costs.
Much of the time we talk simply of policy or of technology, but rarely do we touch on the importance of people to the IT security process (though we often consider the importance of training in the 'people' aspect).