Who is responsible for security? Why me?
Most business, government, or nonprofit organizations have an IT department. Large organizations have a person or a department devoted to information security, and recently many organizations have created a Chief Security Officer (CSO) executive position. These internal security people tend to fall into one of two types. Some of them want to handle all of the security issues themselves. This may give you the comfort of having a central expert handle these decisions for you, or it may cause intense anguish because someone who seems unconnected to real business needs is making business decisions.
The second category of CSO is populated by security professionals who insist that defining requirements is the first step in information security. Those requirements are intimately tied to the business and to the people who run it, and eliciting them can be challenging for business people with little understanding of computers or security. Whether you like it or not, these people have the right idea.
Only the smallest groups and federal defense organizations can have a security policy set by a central person or organization without consulting the business managers. A CSO who tries to dictate security policy to a modern, complex organization inevitably fails: the policy is rendered ineffective by active subversion from the CSO's peers or by passive noncompliance from midlevel management and employees.
Why is this inevitable? An executive with good intentions, trying to protect the computer systems so as to improve confidentiality, integrity, and availability, surely ought to be able to work with the rest of the company to everyone's mutual benefit. Security people working in harmony with the rest of the company are critical to success.