The Office 365 Ownership Dilemma
Who owns security and compliance within your organization? In my personal experience, this responsibility typically rests within IT — where it often sits neglected and, unfortunately, uncompliant. The issue is not so much about where the responsibility lands within your org chart, but in ensuring that someone is responsible. That is Office 365’s ownership dilemma.
Looking across all security and compliance requirements, there is rarely one role or a single group or program that addresses all of these functions. The executive role of Chief Security Officer is uncommon for most enterprises – and non-existent within smaller companies. Instead, IT teams are tasked with ownership of the technology platforms and physical security operations, with compliance managed through operations, which can sometimes mean the Support team or a formal Project Management Organization (PMO). Without clear ownership and leadership from the top-down, security and compliance are not adequately monitored and managed.
In a 2019 CollabTalk survey on this topic, one respondent summarized:
“This needs to change. No longer can IT have ownership of Security and Compliance since this is more than just a technical challenge.”
As shown in the figure below, when asked where ownership of security and compliance should rest, our survey respondents fit within industry norms, pointing toward IT departments as the proper ownership location. Surprisingly, executives were identified as the second highest response, which may indicate a slow but steady wave of change as organizations begin to understand the importance of these topics to the company’s bottom-line.
Office Apps & Services MVP Antonio Maio (@AntonioMaio2) points out one of the repercussions of relying too much on IT to manage legal and compliance issues:
“This reflects what we see in industry, where IT tends to own security and compliance. However, security and compliance should be owned by a Chief Information Security Officer (CISO), Compliance Team or Legal Team, so that corporate security initiatives have appropriate executive level sponsorship. In cases where IT owns security and compliance, we often see that IT has a hard time starting or carrying conversations with legal and compliance teams in order to get that executive level buy in.”
One of the biggest areas of concern for organizations that surfaced consistently within individual interviews we conducted, but was not reflected within the surveys (not included as a possible answer): whether Microsoft will be compliant, or can help them become compliant, to these standards. Respondents wanted to better understand what more Microsoft could do to help manage their security and compliance issues.
One response to this comment is with moving to the cloud itself. Microsoft is able to move much more quickly than individual companies to ensure that rapidly changing laws and standards are being met by the Office 365 platform. Additionally, they are better able to adapt and change to the ever-changing threats that are intentional or unintentional, rolling out updates and improvements to customers as quickly as necessary, providing real-time protection of their data and systems. This is one of the primary benefits of the cloud model – reducing the work and cost of proactive security of your data and intellectual property.