12:00 PM
Eric Cole
Eric Cole
Connect Directly

CIO Vs. CSO: Allies Or Enemies?

In the wake of the Target breach it's clear that the CIO and CSO must have clear boundaries of responsibility and equal representation in the board room.

Whenever a breach occurs it reveals weaknesses in how an organization approached security. In the case of the Target breach, the ongoing trickle of new details coming out is a gift that keeps on giving. One of the most interesting reveals was the fact that all security responsibilities at Target were buried under the CIO and that the company did not even have a CSO.

Not surprisingly, when Target CIO and executive VP of technology services Beth Jacob resigned last month, the first question that many people asked was whether CIO Jacob should be held responsible, since running the IT infrastructure (typically a role of the CIO) and protecting the information (typically a role of the CSO) involve different responsibilities that can be complementary but are often at odds. 

First and foremost, organizations of any size (especially one the size of Target) need to have an executive who is solely in charge of security.  With the large interdependence organizations have on a digital infrastructure, security needs to have a seat at the table in the boardroom.  If security gets buried under IT -- whose primary responsibility is running a reliable infrastructure -- bad decisions will be made and breaches will happen. 

Not having a CSO today is like a football team not having a quarterback. You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games. In order for organizations to be successful, they must have both a reliable infrastructure and proper protection of information. If an organization has only a CIO and no CSO, no one is focusing on security, and bad things will happen. Lack of a CSO means lack of security. 

It’s most likely that Target had a security team that was screaming and yelling about all of the security issues. But they had no advocate who was listening to them and fighting their cause in the C-suite.  Engineers need to have a line of communication to the CEO -- and the CSO is that channel. Without a CSO, the critical security information does not make it to the executive levels.  It’s my guess (and hope) that if Target executives had received the proper information about security they would have made different decisions, and this story would have had a happier ending.

Equal representation
The CIO and CSO need to be peers and have equal representation in the board room. Typically the CIO will report to the COO, and the CSO will report to CFO. The COO and CFO directly report to the CEO. But whatever the organizational  framework, the CIO and CSO must have different reporting structures. And, in order for the CIO and CSO to have an effective working relationship, they must have clear boundaries of responsibility. 

Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security, and the auditor to validate that the security is being done correctly. The security defined by the CSO should be based on metrics that demonstrate an organization’s acceptable level of risk, offer clear guidelines on what must be done, and provide an easy way to measure compliance.

As more breaches become public, it should become easier to convince executives that they need a CSO. The real problem is that many CIOs do not want to have a CSO, because it is easier for them to perform their jobs if they control all aspects of the IT infrastructure. These internal politics create a situation in which the CIO will not usually lobby for a CSO. So there needs to be another advocate who can ask the CEO, “Are you comfortable with the level of security at your organization, and are you receiving the proper security metrics to make the decisions?” 

The situation today in many cases is that CEOs want to create a position of a CSO, but the CIO convinces them they do not need one. While they have good intentions, it is often the CIO that lobbies against a CSO, since a CSO will cause them to give up control and potentially make their job more difficult. My prediction is that in five years, most organizations will have a CSO that directly reports to the executive team. 

What is the relationship between the CIO and CSO in your company? Are they allies or enemies? Let’s chat about the security issues this dynamic creates in the comments. 

Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Ninja
4/14/2014 | 9:58:02 AM
Re: CIO/ CSO = equal partners: -how prevalent?
Perhaps you can do a poll? Just like you, I am sure a lot of readers are curious to know how prevalent this is.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/11/2014 | 10:15:41 AM
Re: CIO/ CSO = equal partners: -how prevalent?
Curious to know from the Dark Reading communitiy how prevalent it is for CIOs and CSOs in your companies to be equal partners and have independent reporting structures to upper management. 
User Rank: Ninja
4/11/2014 | 9:52:31 AM
Re: Bake it in at the start
It is true that the CIO could potentially be impartial, but it is hardly likely for the reason you outlined in your comment.. The counter argument would look like this: OK, so YOU may be impartial, but what about your successor? If an organization is really serious about security, then they really should establish the security organization as an entity that is independent of IT. The checks and balances only work if the parties are independent and not one subordinate to another.
Charlie Babcock
Charlie Babcock,
User Rank: Moderator
4/10/2014 | 6:51:19 PM
Bake it in at the start
If a CIO put someone in charge of security, then listened to both development/operations teams and the security team, he or she might be able to make good decisions. But there is a prejudice in favor of giving the business what it wants, whdether the security for it is ready or not. Ideally, teams within IT would bake security into new development at an early stage. The CIO could insist on it. The CSO can mainly point out that it wasn't, afterward.
User Rank: Ninja
4/10/2014 | 1:56:48 PM
CIO Vs. CSO: Allies Or Enemies?
If only this message was delivered to every CEO or head of any organization, we can breathe just a little bit easier. I have talked to CIOs who are also in charge of security, and none of them believe in the criticality of that  separation. Call it a false sense of impartiality or whatever, but in their minds, they believe they can properly break the tie between IT and security in a way that best benefits the organization. My take is that those decisions are best made by someone above IT and Security, and not someone who is both IT and Security. That someone is the person who has overall responsibility for the organization.
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-01-28
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.

Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than

Published: 2015-01-28
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.

Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If youíre a security professional, youíve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.