12:00 PM
Eric Cole
Eric Cole
Connect Directly

CIO Vs. CSO: Allies Or Enemies?

In the wake of the Target breach it's clear that the CIO and CSO must have clear boundaries of responsibility and equal representation in the board room.

Whenever a breach occurs it reveals weaknesses in how an organization approached security. In the case of the Target breach, the ongoing trickle of new details coming out is a gift that keeps on giving. One of the most interesting reveals was the fact that all security responsibilities at Target were buried under the CIO and that the company did not even have a CSO.

Not surprisingly, when Target CIO and executive VP of technology services Beth Jacob resigned last month, the first question that many people asked was whether CIO Jacob should be held responsible, since running the IT infrastructure (typically a role of the CIO) and protecting the information (typically a role of the CSO) involve different responsibilities that can be complementary but are often at odds. 

First and foremost, organizations of any size (especially one the size of Target) need to have an executive who is solely in charge of security.  With the large interdependence organizations have on a digital infrastructure, security needs to have a seat at the table in the boardroom.  If security gets buried under IT -- whose primary responsibility is running a reliable infrastructure -- bad decisions will be made and breaches will happen. 

Not having a CSO today is like a football team not having a quarterback. You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games. In order for organizations to be successful, they must have both a reliable infrastructure and proper protection of information. If an organization has only a CIO and no CSO, no one is focusing on security, and bad things will happen. Lack of a CSO means lack of security. 

It’s most likely that Target had a security team that was screaming and yelling about all of the security issues. But they had no advocate who was listening to them and fighting their cause in the C-suite.  Engineers need to have a line of communication to the CEO -- and the CSO is that channel. Without a CSO, the critical security information does not make it to the executive levels.  It’s my guess (and hope) that if Target executives had received the proper information about security they would have made different decisions, and this story would have had a happier ending.

Equal representation
The CIO and CSO need to be peers and have equal representation in the board room. Typically the CIO will report to the COO, and the CSO will report to CFO. The COO and CFO directly report to the CEO. But whatever the organizational  framework, the CIO and CSO must have different reporting structures. And, in order for the CIO and CSO to have an effective working relationship, they must have clear boundaries of responsibility. 

Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security, and the auditor to validate that the security is being done correctly. The security defined by the CSO should be based on metrics that demonstrate an organization’s acceptable level of risk, offer clear guidelines on what must be done, and provide an easy way to measure compliance.

As more breaches become public, it should become easier to convince executives that they need a CSO. The real problem is that many CIOs do not want to have a CSO, because it is easier for them to perform their jobs if they control all aspects of the IT infrastructure. These internal politics create a situation in which the CIO will not usually lobby for a CSO. So there needs to be another advocate who can ask the CEO, “Are you comfortable with the level of security at your organization, and are you receiving the proper security metrics to make the decisions?” 

The situation today in many cases is that CEOs want to create a position of a CSO, but the CIO convinces them they do not need one. While they have good intentions, it is often the CIO that lobbies against a CSO, since a CSO will cause them to give up control and potentially make their job more difficult. My prediction is that in five years, most organizations will have a CSO that directly reports to the executive team. 

What is the relationship between the CIO and CSO in your company? Are they allies or enemies? Let’s chat about the security issues this dynamic creates in the comments. 

Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Ninja
4/14/2014 | 9:58:02 AM
Re: CIO/ CSO = equal partners: -how prevalent?
Perhaps you can do a poll? Just like you, I am sure a lot of readers are curious to know how prevalent this is.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/11/2014 | 10:15:41 AM
Re: CIO/ CSO = equal partners: -how prevalent?
Curious to know from the Dark Reading communitiy how prevalent it is for CIOs and CSOs in your companies to be equal partners and have independent reporting structures to upper management. 
User Rank: Ninja
4/11/2014 | 9:52:31 AM
Re: Bake it in at the start
It is true that the CIO could potentially be impartial, but it is hardly likely for the reason you outlined in your comment.. The counter argument would look like this: OK, so YOU may be impartial, but what about your successor? If an organization is really serious about security, then they really should establish the security organization as an entity that is independent of IT. The checks and balances only work if the parties are independent and not one subordinate to another.
Charlie Babcock
Charlie Babcock,
User Rank: Ninja
4/10/2014 | 6:51:19 PM
Bake it in at the start
If a CIO put someone in charge of security, then listened to both development/operations teams and the security team, he or she might be able to make good decisions. But there is a prejudice in favor of giving the business what it wants, whdether the security for it is ready or not. Ideally, teams within IT would bake security into new development at an early stage. The CIO could insist on it. The CSO can mainly point out that it wasn't, afterward.
User Rank: Ninja
4/10/2014 | 1:56:48 PM
CIO Vs. CSO: Allies Or Enemies?
If only this message was delivered to every CEO or head of any organization, we can breathe just a little bit easier. I have talked to CIOs who are also in charge of security, and none of them believe in the criticality of that  separation. Call it a false sense of impartiality or whatever, but in their minds, they believe they can properly break the tie between IT and security in a way that best benefits the organization. My take is that those decisions are best made by someone above IT and Security, and not someone who is both IT and Security. That someone is the person who has overall responsibility for the organization.
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.