As CIOs establish IT security controls in their own departments, they need to solidify their relationships with other parts of the business. Because of IT's increasing involvement in what were formerly human resources (HR) and legal department matters, "the CIO has a lot to contribute," says Richard Hunter, a vice president and expert on security and privacy with Gartner.
For example, although the CIO will decide which monitoring and filtering technologies to buy, what those technologies will block and search for, and what their impact on employees and processes will be, are business decisions that should be made collaboratively. "It's no different than a travel or hiring policy," Hunter says.
To ensure that he's able to manage Credit Suisse's IT-centric risks, CIO Tom Sanzone created an IT risk department that has forged ties with HR, legal, compliance and internal audit. The head of this department, who reports directly to Sanzone, helps determine compliance policies with the other groups and ensures that Credit Suisse is complying with governmental and financial regulations.
In addition, HR is responsible for duties such as shutting down system access and retrieving PCs and BlackBerrys when an employee leaves the company. Sanzone says that having the risk department report directly to him elevates its status within the company and emphasises to his peers the importance of its mission.