Operational InfoSec: Owning Email Security & Compliance in the Modern Enterprise
A Costly Oversight: The High Price of Ignoring Operational InfoSec
James Mercer, the CFO of a mid-sized financial services firm, had a morning routine—coffee, news, and emails. But one fateful Monday, his inbox contained an urgent message from the CEO instructing him to wire $1.2 million to a new international account. It seemed legitimate—except it wasn’t. Within minutes of processing the transaction, the company’s security team flagged it as suspicious, but by then, the money was gone.
An investigation revealed that Mercer’s email had been compromised weeks earlier. A threat actor, undetected by the company’s Infrastructure Team, had monitored email activity, learned communication patterns, and executed a convincing Business Email Compromise (BEC) attack. Had the InfoSec Team been in control of email security, employing advanced threat protection, monitoring anomalies, and enforcing rigorous compliance measures, this breach could have been prevented.
This real-world example underscores the necessity of an operational InfoSec model in which InfoSec owns and manages email security, compliance, and risk. Without a structured and proactive approach, organizations leave themselves vulnerable to costly and reputation-damaging attacks.
Operational InfoSec: Owning Email Security & Compliance in the Modern Enterprise
In today’s enterprise landscape, email security is no longer just about ensuring messages are sent and received. Email has become the main battleground for phishing and business email compromise (BEC), the channel through which sensitive data most often leaks (the problem data loss prevention, or DLP, exists to solve), and a primary subject of regulatory compliance. As such, it is imperative that InfoSec is not merely a stakeholder but the primary owner of the security, compliance, and risk management aspects of corporate email.
This article presents an operational InfoSec approach where InfoSec teams actively own and manage the tools that enforce security policies, while Infrastructure teams support availability and operational stability.
1. Email Flow & Administration
Responsible Team: Infrastructure
Description: Infrastructure ensures that email systems operate efficiently by configuring and maintaining mail servers, managing routing rules, and resolving delivery issues. The Infrastructure Team implements and maintains services such as Microsoft Exchange Online, Microsoft 365, and Google Workspace. (Microsoft, 2024)
2. Compliance, Privacy, & Risk Management
Responsible Team: InfoSec
Description: The InfoSec Team owns compliance-related tasks, ensuring adherence to GDPR, HIPAA, SOX, and other regulatory mandates. This includes implementing encryption, email retention policies, and audit controls to protect sensitive data. Infrastructure may provide technical support, but policy enforcement and compliance reporting fall under InfoSec. (GDPR Info, 2023; HIPAA Journal, 2023)
Anecdote: A healthcare company faced regulatory scrutiny when an unencrypted email containing PHI was sent to the wrong recipient. The incident led to a six-figure fine. A proactive InfoSec-led compliance initiative implementing automated encryption and outbound email scanning prevented further violations.
3. Email Security (ATP, DMARC, SPF, DKIM, Phishing Protections)
Responsible Team: InfoSec
Description: InfoSec is responsible for configuring and managing security measures such as Advanced Threat Protection (ATP, now sold as Microsoft Defender for Office 365), DMARC, SPF, and DKIM to prevent email spoofing, phishing, and malware. Because SPF, DKIM, and DMARC are published as DNS records, Infrastructure assists in deployment and usually makes the DNS change itself, but reviewing DMARC aggregate reports, tightening the policy toward p=reject, and responding to what the reports reveal rest with InfoSec. A caveat practitioners should keep in mind: these controls only stop mail sent as your exact domain. They do nothing against lookalike domains or against mail sent from a legitimately compromised internal mailbox, which is why content inspection and the account monitoring described in section 8 are needed alongside them. (Google, 2023; Microsoft, 2024)
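The audit InfoSec should run on its own DMARC and SPF records, as an added example that is not part of the original article. The record strings are constructed samples standing in for the TXT answers you would pull with `dig TXT _dmarc.example.com` and `dig TXT example.com`; nothing here touches DNS, and includes are not resolved, so the SPF lookup count is a lower bound.

```python
"""Audit DMARC and SPF policy records for common weaknesses.

Added example, not from the original article. The record strings below are
constructed samples; nothing here queries DNS.
"""
import re

# Terms that cost a DNS lookup under RFC 7208 (limit: 10 per evaluation).
LOOKUP_TERM = re.compile(r"^(include:|exists:|redirect=|a\b|mx\b|ptr\b)")


def parse_tag_record(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means no weakness found."""
    tags = parse_tag_record(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none: spoofed mail is only reported, still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    if policy not in (None, "none") and tags.get("sp") == "none":
        findings.append("sp=none: subdomains can be spoofed despite the parent policy")
    return findings


def audit_spf(record: str) -> list:
    """Return findings for an SPF record. Only top-level terms are counted;
    includes are not resolved, so the lookup count is a lower bound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    lookups = 0
    for term in terms[1:]:
        mech = term.lstrip("+-~?").lower()   # strip the qualifier
        if LOOKUP_TERM.match(mech):
            lookups += 1
        if mech.startswith("ptr"):
            findings.append("ptr mechanism is deprecated and unreliable")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    final = terms[-1].lower()
    if final in ("all", "+all"):
        findings.append("+all authorises every host on the internet to send as this domain")
    elif final == "?all":
        findings.append("?all is neutral and gives receivers nothing to act on")
    elif final == "~all":
        findings.append("~all (softfail): move to -all once every legitimate sender is listed")
    return findings


# Constructed sample records, not any real domain's DNS.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com mx ptr +all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"

if __name__ == "__main__":
    for label, record, audit in [("weak DMARC", WEAK_DMARC, audit_dmarc),
                                 ("strong DMARC", STRONG_DMARC, audit_dmarc),
                                 ("weak SPF", WEAK_SPF, audit_spf),
                                 ("strong SPF", STRONG_SPF, audit_spf)]:
        print(f"{label}: {audit(record) or ['OK']}")
```

The weak DMARC record is the state most organisations start in (monitor-only, partial coverage, nobody reading reports); the strong one is the target, with strict alignment so that a subdomain or a cousin of the domain cannot satisfy DKIM or SPF on the parent's behalf.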
4. Email Forensics & Incident Response
Responsible Team: InfoSec
Description: When a security incident occurs, such as a phishing attack or a business email compromise (BEC), InfoSec conducts forensics: analyzing email headers (the Received chain, the Authentication-Results stamped by the receiving MTA, and mismatches between From, Reply-To, and Return-Path), mailbox audit logs, and sender behavior, and checking any compromised mailbox for attacker persistence such as inbox rules, forwarding settings, and consented OAuth applications. This is only possible if mailbox auditing and log retention were switched on before the incident. Legal and compliance teams collaborate as needed. (CISA, 2023)
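The header triage described above, as an added example that is not part of the original article. The raw message is a constructed sample of a CEO-fraud attempt; its domains, IPs, and message IDs are placeholders, and the Authentication-Results line is what the receiving MTA would have stamped on it. It uses only the Python standard library.

```python
"""Triage the headers of a suspected BEC message.

Added example, not from the original article. RAW_MESSAGE is a constructed
sample; every domain, IP and ID in it is a placeholder.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

RAW_MESSAGE = b"""Received: from mail.relay.example (mail.relay.example [192.0.2.10])
\tby mx.victim-corp.example (Postfix) with ESMTPS id 4F2A1B
\tfor <cfo@victim-corp.example>; Mon, 3 Mar 2025 08:02:11 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.relay.example with ESMTPSA id 9C7D3E; Mon, 3 Mar 2025 08:02:09 +0000
Authentication-Results: mx.victim-corp.example;
\tspf=fail smtp.mailfrom=ceo-office.example;
\tdkim=none;
\tdmarc=fail header.from=victim-corp.example
Return-Path: <bounce@ceo-office.example>
From: "Jane Doe (CEO)" <ceo@victim-corp.example>
Reply-To: <jane.doe.ceo@ceo-office.example>
To: <cfo@victim-corp.example>
Subject: URGENT wire needed today
Message-ID: <a1b2c3d4@ceo-office.example>
Date: Mon, 3 Mar 2025 08:02:05 +0000

Please wire the funds to the new account before noon. In meetings, reply here only.
"""


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results."""
    text = " ".join(str(msg.get("Authentication-Results", "")).split())
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mech}=(\w+)", text)
        verdicts[mech] = match.group(1).lower() if match else "missing"
    return verdicts


def originating_ip(msg):
    """Each hop prepends a Received header, so the last one is the origin.
    Trust it only if the header above it was written by your own MTA."""
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hops[-1]))
    return match.group(1) if match else None


def triage(raw: bytes) -> dict:
    """Return the key identities plus a list of BEC indicators found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1] or from_addr
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1] or from_addr
    findings = []
    if _domain(reply_to) != _domain(from_addr):
        findings.append(f"Reply-To domain differs from From: {reply_to}")
    if _domain(return_path) != _domain(from_addr):
        findings.append(f"Return-Path (envelope sender) is {return_path}, not the From domain")
    for mech, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    return {
        "from": from_addr,
        "reply_to": reply_to,
        "origin_ip": originating_ip(msg),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Two things this sample makes visible: the display From is the victim's own domain while the envelope and Reply-To are a lookalike, and the receiving MTA recorded dmarc=fail. A DMARC policy of p=reject on victim-corp.example would have caused this message to be rejected at the gateway rather than landing in the CFO's inbox for a human to judge.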
Anecdote: A financial institution lost millions due to a compromised executive email account. The attack went unnoticed for weeks because Infrastructure only monitored uptime, not anomalies. A shift to an InfoSec-led model with real-time monitoring and response mitigated future incidents.
5. eDiscovery & Legal Hold
Responsible Team: InfoSec & Legal
Description: When litigation or investigations arise, eDiscovery tools retrieve email content. Infrastructure ensures the tools function, but InfoSec manages access controls, search parameters, and compliance oversight. (ABA, 2023)
6. Data Loss Prevention (DLP) & Encryption
Responsible Team: InfoSec
Description: InfoSec is responsible for enforcing email privacy policies by implementing DLP tools and encryption mechanisms. Automated scanning of outbound messages and attachments detects sensitive data (card numbers, SSNs, PHI) before it leaves the organization and either blocks the message or forces encryption, which is exactly the control the healthcare company in section 2 lacked. Detection rules need validation beyond a bare regular expression (for example a Luhn check on card-number candidates), or false positives will bury the team and teach users to ignore the control. (NIST, 2024)
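An outbound DLP decision of the kind described above, as an added example that is not part of the original article. The internal domain, the block/encrypt/allow policy, and the sample messages are constructed for illustration and do not reflect any vendor's rule set; card-number candidates are confirmed with the Luhn check so that order numbers do not trip the rule.

```python
"""Outbound DLP scan for payment card numbers and US SSNs.

Added example, not from the original article. INTERNAL_DOMAIN, the policy
thresholds and SAMPLES are constructed for illustration.
"""
import re

INTERNAL_DOMAIN = "victim-corp.example"      # assumed tenant domain

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return masked card numbers that pass Luhn; never log the full PAN."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append("*" * (len(digits) - 4) + digits[-4:])
    return pans


def classify_outbound(recipients: list, body: str) -> dict:
    """Decide what the gateway should do with one outbound message."""
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    pans = find_pans(body)
    ssns = SSN.findall(body)
    if not external:
        action = "allow"          # internal-only traffic is out of scope for this rule
    elif pans:
        action = "block"          # card numbers never leave in clear text
    elif ssns:
        action = "encrypt"        # PII may go out, but only under enforced encryption
    else:
        action = "allow"
    return {"action": action, "external": external, "pans": pans, "ssn_count": len(ssns)}


# Constructed sample messages: (recipients, body).
SAMPLES = {
    "card_to_webmail": (["buyer@gmail.example"], "Use card 4111 1111 1111 1111, exp 12/27."),
    "ssn_to_partner": (["hr@partner.example"], "Employee SSN is 123-45-6789 for onboarding."),
    "card_internal": (["ap@victim-corp.example"], "Card on file: 4111-1111-1111-1111"),
    "order_number": (["buyer@gmail.example"], "Your order 1234567890123456 has shipped."),
}

if __name__ == "__main__":
    for name, (recipients, body) in SAMPLES.items():
        print(f"{name}: {classify_outbound(recipients, body)}")
```

The order-number sample is the reason the Luhn step matters: it is sixteen digits long and would be flagged by the regex alone, but it fails mod-10 and is allowed through. Real deployments add attachment parsing and a PHI dictionary on top of this, but the decision structure stays the same.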
7. Security Awareness Training & Phishing Simulations
Responsible Team: InfoSec
Description: InfoSec conducts ongoing user education, phishing simulations, and training to improve resilience against email-based attacks. (SANS, 2024)
8. Monitoring & Logging for Security Threats
Responsible Team: InfoSec
Description: Infrastructure ensures that the relevant logs are captured and retained and forwarded to the SIEM: mailbox audit logs, sign-in logs, message trace, and gateway logs. InfoSec actively monitors them for security threats, anomaly detection (sign-ins from a country the user has never used, newly created inbox rules that forward externally or hide mail, bulk mailbox downloads), and forensic investigations. Mailbox auditing that is not enabled, or that expires before anyone looks at it, is the gap that lets a compromised account sit unnoticed for weeks. (Splunk, 2023)
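Detection logic for the two anomalies named above, run over sample log lines, as an added example that is not part of the original article. The events are constructed JSON lines loosely modelled on Exchange Online mailbox-audit records; the field names, the tenant domain, and the 24-hour correlation window are this example's own assumptions, not a vendor schema.

```python
"""Hunt for BEC tradecraft in mailbox audit events: sign-ins from a country
the user has never used, and inbox rules that forward externally or hide mail.

Added example, not from the original article. AUDIT_LINES are constructed;
field names are this example's own, not an Exchange Online schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "victim-corp.example"   # assumed tenant domain
# Folders attackers use to park the victim's own mail so replies go unseen.
HIDING_FOLDERS = {"rss feeds", "conversation history", "archive", "deleted items"}

# Constructed sample events, oldest first.
AUDIT_LINES = [
    '{"time": "2025-02-10T08:00:00", "user": "cfo@victim-corp.example", "operation": "UserLoggedIn", "ip": "203.0.113.5", "country": "US"}',
    '{"time": "2025-02-11T08:05:00", "user": "cfo@victim-corp.example", "operation": "UserLoggedIn", "ip": "203.0.113.5", "country": "US"}',
    '{"time": "2025-02-12T02:14:00", "user": "cfo@victim-corp.example", "operation": "UserLoggedIn", "ip": "198.51.100.7", "country": "FR"}',
    '{"time": "2025-02-12T02:20:00", "user": "cfo@victim-corp.example", "operation": "New-InboxRule", "ip": "198.51.100.7", "parameters": {"Name": ".", "SubjectContainsWords": ["wire", "invoice", "payment"], "MoveToFolder": "RSS Feeds", "MarkAsRead": true}}',
    '{"time": "2025-02-12T09:00:00", "user": "ap.clerk@victim-corp.example", "operation": "UserLoggedIn", "ip": "203.0.113.9", "country": "US"}',
    '{"time": "2025-02-12T09:03:00", "user": "ap.clerk@victim-corp.example", "operation": "New-InboxRule", "ip": "203.0.113.9", "parameters": {"Name": "backup", "ForwardTo": "clerk.personal@gmail.example"}}',
    '{"time": "2025-02-12T10:00:00", "user": "cfo@victim-corp.example", "operation": "New-InboxRule", "ip": "203.0.113.5", "parameters": {"Name": "Projects", "SubjectContainsWords": ["Q1 plan"], "MoveToFolder": "Projects"}}',
]


def load_events(lines) -> list:
    """Parse JSON lines and sort by timestamp so the baseline builds in order."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def rule_findings(params: dict) -> list:
    """Why an inbox rule looks like attacker persistence, if it does."""
    reasons = []
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        target = params.get(key)
        if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append(f"{key} external address {target}")
    folder = (params.get("MoveToFolder") or "").lower()
    if params.get("DeleteMessage") or (folder in HIDING_FOLDERS and params.get("MarkAsRead")):
        reasons.append("rule hides matching mail from the mailbox owner")
    return reasons


def detect(events: list, window=timedelta(hours=24)) -> list:
    """Return (severity, user, description) alerts.

    The per-user country baseline is built from the earlier events in the
    batch; production would seed it from the previous 30 days of sign-ins."""
    alerts = []
    seen_countries = defaultdict(set)
    new_country_login = {}
    for ev in events:
        user, ts, op = ev["user"], ev["ts"], ev["operation"]
        if op == "UserLoggedIn":
            country = ev["country"]
            if seen_countries[user] and country not in seen_countries[user]:
                alerts.append(("medium", user, f"sign-in from new country {country} via {ev['ip']}"))
                new_country_login[user] = ts
            seen_countries[user].add(country)
        elif op in ("New-InboxRule", "Set-InboxRule"):
            reasons = rule_findings(ev.get("parameters", {}))
            if not reasons:
                continue
            recent = new_country_login.get(user)
            # A suspicious rule shortly after an anomalous sign-in is the BEC pattern.
            severity = "high" if recent and ts - recent <= window else "medium"
            alerts.append((severity, user, f"{op}: " + "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for severity, user, what in detect(load_events(AUDIT_LINES)):
        print(f"[{severity}] {user}: {what}")
```

The CFO's rule is the one to page on: it follows a sign-in from a new country by six minutes, is named with a single character, and silently files anything about wires and invoices where the owner will not see it, which is how the attacker in the opening story could watch and then impersonate without being noticed. The clerk's external forward is worth a ticket on its own, and the CFO's "Projects" rule is benign and produces nothing.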
9. Third-Party Security Solutions (Email Gateways & Anti-Phishing)
Responsible Team: InfoSec
Description: InfoSec owns security configurations and policies for third-party security solutions such as Proofpoint, Mimecast, and Barracuda. Infrastructure assists in setup, but InfoSec ensures alignment with security policies. (Proofpoint, 2023; Mimecast, 2023)
Relevant Mentions & Acknowledgements
Shoutout to key professionals and organizations in the InfoSec and cybersecurity space for their insights and contributions:
People: Kevin Kutter Tony Bautts Cindy Heiner David Lam Kelley Ealy Min Kyriannis Duaine Styles Greg Biegen, CISM CDPSE Nick Vigier Yaron Levi Catherine Del Carlo Jeffery Piantek Andrew "Will" Bergstrom Kevin Harvey Estee (Robinson) Preciado Steven Levenkron Marcos Flores Sara Knox Tommer Butman Ben Hicks Erik Hart Ben Dimick Jose Lemus Justin E. Cook Thomas Moran Nick Kiedrowski Julie Feeley Michael J. Barry, MBA, PCM® Chris Kapcar
Organizations: Tevora 3 Tree Tech SHI International Corp. CDW GuidePoint Security HALOCK Security Labs Barracuda
Disclaimer: The opinions and conclusions presented in this article do not necessarily reflect the official position of the author's current or past employers. Any advice or recommendations are based on the author’s experience, education, and best judgment and should be carefully evaluated before implementation.