4:50 PM -- A representative from Vormetric, a security vendor, just sent me a link to his client's latest blog, which is now available on the Web.
In a nutshell, it says that data security should be led not by the CIO, or by the IT organization, but by the chief financial officer. Here's a quote:
No other executive is better positioned than the CFO to qualify and quantify the inherent value of data, determine where the sensitive data lives, calculate potential costs associated with breaches, and strengthen the internal control environment to ensure that all vital information remains secure. The CFO is the perfect data chaperone.
OK, first I should tell you that the blogger is himself a CFO. And if you take a close look at Vormetric's product line, it is perhaps best championed by a CFO. So let's take those factors into account before we ask the obvious question:
What has this guy been smoking?
Now, I should say that in more than 20 years of working with large enterprises as an industry reporter and consultant, I've met some incredibly tech-savvy CFOs. There are still some companies whose IT departments report to the CFO. It is clear that the CFO is usually in the best position to see which lines of business are most crucial to the corporate revenue stream, and which ones aren't. And with SOX and FTC rules, the CFO is most likely to be on the hot seat if there's any hanky-panky with the corporate data.
But should the CFO really be the leader, the "chaperone" of the IT security effort? I haven't seen many that have the experience or the training to take on a role like that. To me, putting the CFO in charge of enterprise security is like putting me in charge of fixing my own car, because I'm the one who knows where it's going. There's a sort of logic there, but it just isn't practical, because I have no idea how to fix a car.
It seems to me that CFOs, like business unit managers, are an excellent source of intelligence about the relative value of data, but they usually aren't much of a hand in securing it. So while a CFO would be a great part of any enterprise security team, I just can't see them taking over the whole initiative.
What do you think? What role do you see the CFO playing in the rapidly-evolving world of data security? We'd like to hear your feedback. If you have some input, please post your thoughts to the message board attached to this story.
Maybe I'm the one who's been smoking the wrong stuff.
Tim Wilson, Site Editor, Dark Reading