CIO vs CSO: Allies or Enemies

Whenever a breach occurs, it reveals weaknesses in how an organization approached security. Compromises are a great way to reveal the hidden sins organizations are committing. In the case of the Target breach, it is a gift that keeps on giving. While the initial breach report came out in December, it seems every week there are new "interesting" details revealed. One of the more recent items is the fact that Target did not have a CSO and all security responsibilities were buried under the CIO.

The first question people ask is whether the CIO should have been held responsible for the breach. The bottom line is that when a major event like this occurs, someone needs to be held responsible for the negligence. Therefore it is not surprising that someone was blamed for the breach. What was surprising is that security was a responsibility of the CIO. The fact that a large organization did not have a separate CSO who is a peer of the CIO is what is most concerning about the story. Clearly many things went wrong during the breach, and whoever had responsibility for security needs to be held accountable. However, it was not fair that the executives structured the company in this manner. Running the IT infrastructure (typically a role of the CIO) and protecting the information (typically a role of the CSO) are two different roles, and it is unfair to expect one person to do both effectively. While these roles can at times be complementary, they are often at odds. Having security buried under the CIO puts that person in a conflict of interest.

First and foremost, organizations of any size, and especially one the size of Target, need to have an executive who is responsible for security. With the large dependence organizations have on their digital infrastructure, security needs to have a seat at the table in the boardroom. If security gets buried under IT, whose primary responsibility is running a reliable infrastructure, bad decisions will be made and breaches will happen.

Not having a CSO today is like a football team not having a quarterback. You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games. In order for organizations to be successful, they must have a reliable infrastructure and proper protection of information. If an organization only has a CIO and no CSO, no one is focusing on security, and the results are pretty obvious. If there is no one focusing on security, bad things will happen. Lack of a CSO means lack of security. It is almost a guarantee that Target had an amazing security team who were screaming and yelling about all of the security issues, but there was no advocate listening to them and fighting their cause with the executives. From the engineers, there needs to be a communication path to the CEO, and the CSO is that channel. Without a CSO, the proper security communication does not make it to the executives. If the executives had received the proper information about security, my guess is they would have made different decisions and this story would potentially have had a happy ending.

The CIO and CSO need to be peers. IT and security need to have equal representation in the boardroom, making sure the executives have accurate information. Typically the CIO will report to the COO and the CSO will report to the CFO. The COO and CFO report directly to the executive. However an organization decides to structure this, the CIO and CSO must have separate reporting lines.

In order for the CIO and CSO to have an effective working relationship, they must have clear boundaries of responsibility. Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security, and the auditor to validate that the security is being done correctly. The security defined by the CSO should be based on metrics that are reported up to the executives, so they can understand the proper level of risk to accept for the organization. Metrics-based security is key to success. With metrics there are clear guidelines for what must be done and an easy way to measure compliance.

Organizations in this day and age must have a CSO. With every day that passes and more breaches becoming public, it becomes easier to convince the executives that they need a CSO. The problem is that many CIOs do not want a CSO, because it is easier for them to accomplish their jobs if they control all aspects of the IT infrastructure. Therefore the CIO will not usually lobby for a CSO. There needs to be another advocate convincing the CEO. The simple question to sell the CEO is: "Are you comfortable with the level of security at your organization, and are you receiving the proper security metrics to make decisions?" The problem today is that many CEOs want to create a CSO position, but the CIO convinces them they do not need one. While they have good intentions, it is often the CIO who lobbies against a CSO, since a CSO will cause them to give up control and potentially make their job more difficult. For example, when a CSO comes in they often disclose all of the security problems, which shows that security was not being properly addressed within the organization.


11 Responses to “CIO vs CSO: Allies or Enemies”

  1. stephanie singleton says:
    This comment has been removed by the author.
  2. stephanie singleton says:

    Not just allies, but TRUSTED allies. If a CIO can't trust their foremost/leader/resident expert on IT Security matters, they're already in a world of trouble. This shows 1) there isn't a clear, concise, AGREED UPON view/understanding of a network that they're both responsible for, 2) that there isn't any trust in the individual who is supposed to maintain the network, and 3) that communication flow is lacking (and thus major issues could indeed not be being relayed accurately between the CIO and CSO, thus security weakness/exposure).

  3. Srinath Kannan says:

    +1 to agree!! CIO role is operational and CSO role is reducing risks. It is critical for them to be peers as otherwise risk reduction will always take a back seat to uptime.

  4. kindablue says:
    This comment has been removed by the author.
  5. Shawn Kim says:

    Don't you guys think a coordinated approach can solve this complex problem? If at all a single person needs to be held accountable, the security aspect, including the operational ones regarding security of an organization, should be put under one head. Let me know what your views are.
    Shawn @ HomeSecurityList
