12:00 PM
Eric Cole
Eric Cole
Connect Directly

CIO Vs. CSO: Allies Or Enemies?

In the wake of the Target breach it's clear that the CIO and CSO must have clear boundaries of responsibility and equal representation in the board room.

Whenever a breach occurs it reveals weaknesses in how an organization approached security. In the case of the Target breach, the ongoing trickle of new details coming out is a gift that keeps on giving. One of the most interesting reveals was the fact that all security responsibilities at Target were buried under the CIO and that the company did not even have a CSO.

Not surprisingly, when Target CIO and executive VP of technology services Beth Jacob resigned last month, the first question that many people asked was whether CIO Jacob should be held responsible, since running the IT infrastructure (typically a role of the CIO) and protecting the information (typically a role of the CSO) involve different responsibilities that can be complementary but are often at odds. 

First and foremost, organizations of any size (especially one the size of Target) need to have an executive who is solely in charge of security.  With the large interdependence organizations have on a digital infrastructure, security needs to have a seat at the table in the boardroom.  If security gets buried under IT -- whose primary responsibility is running a reliable infrastructure -- bad decisions will be made and breaches will happen. 

Not having a CSO today is like a football team not having a quarterback. You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games. In order for organizations to be successful, they must have both a reliable infrastructure and proper protection of information. If an organization has only a CIO and no CSO, no one is focusing on security, and bad things will happen. Lack of a CSO means lack of security. 

It’s most likely that Target had a security team that was screaming and yelling about all of the security issues. But they had no advocate who was listening to them and fighting their cause in the C-suite.  Engineers need to have a line of communication to the CEO -- and the CSO is that channel. Without a CSO, the critical security information does not make it to the executive levels.  It’s my guess (and hope) that if Target executives had received the proper information about security they would have made different decisions, and this story would have had a happier ending.

Equal representation
The CIO and CSO need to be peers and have equal representation in the board room. Typically the CIO will report to the COO, and the CSO will report to CFO. The COO and CFO directly report to the CEO. But whatever the organizational  framework, the CIO and CSO must have different reporting structures. And, in order for the CIO and CSO to have an effective working relationship, they must have clear boundaries of responsibility. 

Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security, and the auditor to validate that the security is being done correctly. The security defined by the CSO should be based on metrics that demonstrate an organization’s acceptable level of risk, offer clear guidelines on what must be done, and provide an easy way to measure compliance.

As more breaches become public, it should become easier to convince executives that they need a CSO. The real problem is that many CIOs do not want to have a CSO, because it is easier for them to perform their jobs if they control all aspects of the IT infrastructure. These internal politics create a situation in which the CIO will not usually lobby for a CSO. So there needs to be another advocate who can ask the CEO, “Are you comfortable with the level of security at your organization, and are you receiving the proper security metrics to make the decisions?” 

The situation today in many cases is that CEOs want to create a position of a CSO, but the CIO convinces them they do not need one. While they have good intentions, it is often the CIO that lobbies against a CSO, since a CSO will cause them to give up control and potentially make their job more difficult. My prediction is that in five years, most organizations will have a CSO that directly reports to the executive team. 

What is the relationship between the CIO and CSO in your company? Are they allies or enemies? Let’s chat about the security issues this dynamic creates in the comments. 

Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Ninja
4/14/2014 | 9:58:02 AM
Re: CIO/ CSO = equal partners: -how prevalent?
Perhaps you can do a poll? Just like you, I am sure a lot of readers are curious to know how prevalent this is.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/11/2014 | 10:15:41 AM
Re: CIO/ CSO = equal partners: -how prevalent?
Curious to know from the Dark Reading communitiy how prevalent it is for CIOs and CSOs in your companies to be equal partners and have independent reporting structures to upper management. 
User Rank: Ninja
4/11/2014 | 9:52:31 AM
Re: Bake it in at the start
It is true that the CIO could potentially be impartial, but it is hardly likely for the reason you outlined in your comment.. The counter argument would look like this: OK, so YOU may be impartial, but what about your successor? If an organization is really serious about security, then they really should establish the security organization as an entity that is independent of IT. The checks and balances only work if the parties are independent and not one subordinate to another.
Charlie Babcock
Charlie Babcock,
User Rank: Ninja
4/10/2014 | 6:51:19 PM
Bake it in at the start
If a CIO put someone in charge of security, then listened to both development/operations teams and the security team, he or she might be able to make good decisions. But there is a prejudice in favor of giving the business what it wants, whdether the security for it is ready or not. Ideally, teams within IT would bake security into new development at an early stage. The CIO could insist on it. The CSO can mainly point out that it wasn't, afterward.
User Rank: Ninja
4/10/2014 | 1:56:48 PM
CIO Vs. CSO: Allies Or Enemies?
If only this message was delivered to every CEO or head of any organization, we can breathe just a little bit easier. I have talked to CIOs who are also in charge of security, and none of them believe in the criticality of that  separation. Call it a false sense of impartiality or whatever, but in their minds, they believe they can properly break the tie between IT and security in a way that best benefits the organization. My take is that those decisions are best made by someone above IT and Security, and not someone who is both IT and Security. That someone is the person who has overall responsibility for the organization.
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.