Network and data security are the responsibility of everyone within the enterprise, but ultimately CIOs, or their designees, have to take charge. The task today is twofold: First, ensure no one is breaking into the companys most valuable assets, and second, assure the company itself is not breaking any regulatory laws designed to protect policyholders and stockholders.

By Robert Regis Hyle

It is every IT executives worst nightmare: The technology that powers the company has been rendered useless, either by a man-made or a natural disaster. Its enough to make a CIO wake up at night with cold sweats because the CIO is the one who is going to have to face the CEO or the board of directors and explain what went wrong. One of the biggest challenges at the CIO level is CIOs first need to understand their organizational dependency on technology, says Carol Woody, a senior researcher with the CERT Coordination Center. Which of their business functions has to have technology to exist or to be complete? And what would be the impact to their organization if [the technology] wasnt available for whatever reason? You need an effective backup plan to deal with those types of natural disasters.

Whos the Boss?

When it comes to security issues on his turf, Glenn Headley, CIO at The Republic Group, a regional property/casualty carrier in the Southwest, has to take the credit or the blame. The CIO ultimately is accountable for security in the corporation, ensuring there is appropriate data ownership, he affirms. Still, those using that data or dealing with the corporate Web site have to know their place in the world of security. We have a policy where we pass some of that responsibility back to the [business] departments, he says. We require each department to have a designated owner of its data. Those folks are the ones who must authorize access to the information. That [authorization] passes through our quality-assurance folks. They validate it with appropriate authorization to sign off access to various systems.

Headley likes this policy, which originally came down from Republics former owners, Credit Suisse. Its very reasonable, he maintains. We embraced it and moved forward. It was much easier to sell back then [in the late 1990s]. It probably would have received some resistance if we had done it without the support of Credit Suisse group. Weve continued to follow the same policies and procedures since weve taken our company private [in 2003].