Attacks/Breaches
4/14/2014 12:00 PM
Eric Cole
Commentary

CIO Vs. CSO: Allies Or Enemies?

In the wake of the Target breach it's clear that the CIO and CSO must have clear boundaries of responsibility and equal representation in the board room.

Whenever a breach occurs, it reveals weaknesses in how an organization approached security. In the case of the Target breach, the ongoing trickle of new details is a gift that keeps on giving. One of the most interesting reveals was the fact that all security responsibilities at Target were buried under the CIO and that the company did not even have a CSO.

Not surprisingly, when Target CIO and executive VP of technology services Beth Jacob resigned last month, the first question that many people asked was whether CIO Jacob should be held responsible, since running the IT infrastructure (typically a role of the CIO) and protecting the information (typically a role of the CSO) involve different responsibilities that can be complementary but are often at odds. 

First and foremost, organizations of any size (especially one the size of Target) need to have an executive who is solely in charge of security. Given how heavily organizations depend on their digital infrastructure, security needs to have a seat at the table in the boardroom. If security gets buried under IT -- whose primary responsibility is running a reliable infrastructure -- bad decisions will be made and breaches will happen.

Not having a CSO today is like a football team not having a quarterback. You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games. In order for organizations to be successful, they must have both a reliable infrastructure and proper protection of information. If an organization has only a CIO and no CSO, no one is focusing on security, and bad things will happen. Lack of a CSO means lack of security. 

It's most likely that Target had a security team that was screaming and yelling about all of the security issues. But they had no advocate who was listening to them and fighting their cause in the C-suite. Engineers need to have a line of communication to the CEO -- and the CSO is that channel. Without a CSO, critical security information does not make it to the executive level. It's my guess (and hope) that if Target executives had received the proper information about security they would have made different decisions, and this story would have had a happier ending.

Equal representation
The CIO and CSO need to be peers and have equal representation in the boardroom. Typically the CIO will report to the COO, and the CSO will report to the CFO. The COO and CFO report directly to the CEO. But whatever the organizational framework, the CIO and CSO must have different reporting structures. And, in order for the CIO and CSO to have an effective working relationship, they must have clear boundaries of responsibility.

Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security, and the auditor to validate that the security is being done correctly. The security defined by the CSO should be based on metrics that demonstrate an organization’s acceptable level of risk, offer clear guidelines on what must be done, and provide an easy way to measure compliance.

As more breaches become public, it should become easier to convince executives that they need a CSO. The real problem is that many CIOs do not want to have a CSO, because it is easier for them to perform their jobs if they control all aspects of the IT infrastructure. These internal politics create a situation in which the CIO will not usually lobby for a CSO. So there needs to be another advocate who can ask the CEO, “Are you comfortable with the level of security at your organization, and are you receiving the proper security metrics to make the decisions?” 

The situation today in many cases is that CEOs want to create a CSO position, but the CIO convinces them they do not need one. CIOs generally have good intentions, but it is often the CIO who lobbies against a CSO, since a CSO would require the CIO to give up control and could make the CIO's job more difficult. My prediction is that in five years, most organizations will have a CSO who reports directly to the executive team.

What is the relationship between the CIO and CSO in your company? Are they allies or enemies? Let’s chat about the security issues this dynamic creates in the comments. 

Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...

Comments
GonzSTL, User Rank: Ninja
4/14/2014 | 9:58:02 AM
Re: CIO/ CSO = equal partners: -how prevalent?
Perhaps you can do a poll? Just like you, I am sure a lot of readers are curious to know how prevalent this is.
Marilyn Cohodas, User Rank: Strategist
4/11/2014 | 10:15:41 AM
Re: CIO/ CSO = equal partners: -how prevalent?
Curious to know from the Dark Reading community how prevalent it is for CIOs and CSOs in your companies to be equal partners and have independent reporting structures to upper management.
GonzSTL, User Rank: Ninja
4/11/2014 | 9:52:31 AM
Re: Bake it in at the start
It is true that the CIO could potentially be impartial, but it is hardly likely for the reason you outlined in your comment. The counter argument would look like this: OK, so YOU may be impartial, but what about your successor? If an organization is really serious about security, then they really should establish the security organization as an entity that is independent of IT. The checks and balances only work if the parties are independent and not one subordinate to another.
Charlie Babcock, User Rank: Moderator
4/10/2014 | 6:51:19 PM
Bake it in at the start
If a CIO put someone in charge of security, then listened to both development/operations teams and the security team, he or she might be able to make good decisions. But there is a prejudice in favor of giving the business what it wants, whether the security for it is ready or not. Ideally, teams within IT would bake security into new development at an early stage. The CIO could insist on it. The CSO can mainly point out that it wasn't, afterward.
GonzSTL, User Rank: Ninja
4/10/2014 | 1:56:48 PM
CIO Vs. CSO: Allies Or Enemies?
If only this message was delivered to every CEO or head of any organization, we could breathe just a little bit easier. I have talked to CIOs who are also in charge of security, and none of them believe in the criticality of that separation. Call it a false sense of impartiality or whatever, but in their minds, they believe they can properly break the tie between IT and security in a way that best benefits the organization. My take is that those decisions are best made by someone above IT and Security, and not someone who is both IT and Security. That someone is the person who has overall responsibility for the organization.