Status and Turf Issues
Another measure of cooperation can be gleaned from examining those elements that can potentially foment enmity, namely inequities in pay and authority. Any student of organizational dynamics or social psychology will recognize these classic “hot button” issues.
While the survey did not gather information about average salaries for both departments, Thomas Hoffman, a reporter for Computerworld, has reported that IT department heads earn about twice as much as security managers. The implications of this disparity are palpable. The questionnaire did, however, address the second element, status. The gap in status between IT and security is more than 300 percent.
♦ 53% of the respondents reported that IT has a higher rank or status in their com-pany,
♦ 31% stated that the department heads are equal in rank
♦ 16% said that security has a higher rank or status.
In corporations, status is often determined by who someone reports to. The higher up in the hierarchy that the reporting occurs, the higher the status of the subordinate. The results for IT department heads are the following. They report to:
♦ 27% CEO
♦ 26% CFO
♦ 18% COO
♦ 11% Vice President
♦ 04% HR
♦ 04% General Manager
♦ 02% President
♦ 08% Other (legal, facilities, CTO, CIO)
Security department heads report as follows.
♦ 18% CEO
♦ 12% COO
♦ 12% Legal
♦ 12% Facilities/Engineering
♦ 10% CFO
♦ 09% HR
♦ 06% Vice President
♦ 21% Other
In large corporations, about 73 percent of IT department heads report to top level management, whereas only 40 percent of security department heads do. A lot can also be learned by the titles that are bestowed on company leaders. The heads of IT departments have the following titles.
♦ 31% Manager
♦ 26% Director
♦ 12% CISO
♦ 12% CIO
♦ 08% CTO
♦ 08% Vice President
♦ 04% CSO
Security heads, on the other hand, have these titles.
♦ 57% Director
♦ 20% Manager
♦ 11% CSO
♦ 08% Vice president
♦ 01% Assistant vice president
♦ 02% Other
What can we interpret from this data? The inferences are debatable depending on one’s understanding of the intrinsic status implications of a title. Not everyone would agree that the title “manager” is generally perceived to have lesser rank than “director” or that the prefix “chief” connotes a top level leadership position. For the sake of the argument that these statements are true, 36 percent of IT heads have top management titles, but only 11 percent of security heads do—a difference of over 300 percent. This, of course, also bolsters the commentary about disparity in salaries.
Some of the leading security systems and software were created ten to fifteen years ago at a time when the Internet was in its early ascendancy and few used the term “hacker.” Security software wasn’t designed with firewalls or any other countermeasure because they weren’t needed.
Security departments were asked if they believed that the following statement were true or mostly true. The results are eye-opening.
♦ 49% indicated that their systems are periodically examined by the IT department in search of vulnerabilities. That is a low percentage for today’s cyberthreat environment.
♦ 43% reported that their systems were developed by the vendor to be protected against IT attacks. The converse is startling. About 57% were not designed with cyberattack countermeasures.
♦ 43% stated that they use equipment that monitors if ports are being attacked or scanned. The majority do not.
The survey also queried whether security department systems would be vulnerable if the company IT network was infected with a virus.
♦ 40% said that they would be vulnerable.
♦ 40% thought they would not be vulnerable.
♦ 19% indicated they didn’t know.
Restated, 59 percent of the responding companies thought they would be either vulnerable if their network was penetrated, or they didn’t know. When asked if the security department had been infected with a virus in the past, 10 percent said yes.