Can there be a single absolute answer to the question of where security should sit within an organization? Take the following as a perfect example of how opinions can sway.

First, you have the argument from an expert on security and networking that VMware is not in the security or networking business.

VMware is not a security or networking company and ignoring the fact that big companies with decades of security and networking products are not simply going to fade away is silly.

He seems to say that security is not just going to move away from where it has been established.

Second, you have an expert tweeting the “biggest change” is that security will move away from security organizations.

Want an example of the biggest change in security that is making the most impact? Moving security away from security orgs. See virt/cloud

This could be an interesting debate if only it were not the same person saying both things.

The answer to the question of where security fits for virtualization is really that it depends. I see security run from many different organizations and there has never been a single best-fit for everyone. Some companies I work with have never moved security to a security organization and probably never will.

Those who chose to create a dedicated security group cited things like the complexity of work as well as the need for operational and investigative independence. Complexity can be a lesser concern through the initial phases of emerging technology (fewer capabilities, fewer products for virtualization control) but conflict-of-interest and independence always remain a factor.