4/14/2014 12:00 PM
Eric Cole
Commentary

CIO Vs. CSO: Allies Or Enemies?

In the wake of the Target breach it's clear that the CIO and CSO must have clear boundaries of responsibility and equal representation in the board room.

Whenever a breach occurs it reveals weaknesses in how an organization approached security. In the case of the Target breach, the ongoing trickle of new details coming out is a gift that keeps on giving. One of the most interesting reveals was the fact that all security responsibilities at Target were buried under the CIO and that the company did not even have a CSO.

Not surprisingly, when Target CIO and executive VP of technology services Beth Jacob resigned last month, the first question that many people asked was whether CIO Jacob should be held responsible, since running the IT infrastructure (typically a role of the CIO) and protecting the information (typically a role of the CSO) involve different responsibilities that can be complementary but are often at odds.

First and foremost, organizations of any size (especially one the size of Target) need to have an executive who is solely in charge of security. With the large interdependence organizations have on a digital infrastructure, security needs to have a seat at the table in the boardroom. If security gets buried under IT -- whose primary responsibility is running a reliable infrastructure -- bad decisions will be made and breaches will happen.

Not having a CSO today is like a football team not having a quarterback. You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games. In order for organizations to be successful, they must have both a reliable infrastructure and proper protection of information. If an organization has only a CIO and no CSO, no one is focusing on security, and bad things will happen. Lack of a CSO means lack of security.

It’s most likely that Target had a security team that was screaming and yelling about all of the security issues. But they had no advocate who was listening to them and fighting their cause in the C-suite. Engineers need to have a line of communication to the CEO -- and the CSO is that channel. Without a CSO, the critical security information does not make it to the executive levels. It’s my guess (and hope) that if Target executives had received the proper information about security they would have made different decisions, and this story would have had a happier ending.

Equal representation
The CIO and CSO need to be peers and have equal representation in the board room. Typically the CIO will report to the COO, and the CSO will report to the CFO. The COO and CFO directly report to the CEO. But whatever the organizational framework, the CIO and CSO must have different reporting structures. And, in order for the CIO and CSO to have an effective working relationship, they must have clear boundaries of responsibility.

Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security, and the auditor to validate that the security is being done correctly. The security defined by the CSO should be based on metrics that demonstrate an organization’s acceptable level of risk, offer clear guidelines on what must be done, and provide an easy way to measure compliance.

As more breaches become public, it should become easier to convince executives that they need a CSO. The real problem is that many CIOs do not want to have a CSO, because it is easier for them to perform their jobs if they control all aspects of the IT infrastructure. These internal politics create a situation in which the CIO will not usually lobby for a CSO. So there needs to be another advocate who can ask the CEO, “Are you comfortable with the level of security at your organization, and are you receiving the proper security metrics to make the decisions?”

The situation today in many cases is that CEOs want to create a position of a CSO, but the CIO convinces them they do not need one. While they have good intentions, it is often the CIO that lobbies against a CSO, since a CSO will cause them to give up control and potentially make their job more difficult. My prediction is that in five years, most organizations will have a CSO that directly reports to the executive team.

What is the relationship between the CIO and CSO in your company? Are they allies or enemies? Let’s chat about the security issues this dynamic creates in the comments.

Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...

Comments
Marilyn Cohodas, User Rank: Strategist
4/22/2014 | 3:41:46 PM
Re: A Partnership Mentality
Communication is a critical skill for both CIOs and CSOs in dealing with top executives. But no less important, as Eric rightly points out in his blog, is for the CIO and CSO to talk to each other.
GonzSTL, User Rank: Ninja
4/22/2014 | 2:25:31 PM
Re: A Partnership Mentality
100% agree. I think that a major obstacle in Information Security is the inability of the security professional to communicate effectively. Managing upwards can be a daunting task in itself, and it isn't easy to draft messages that are fit for executive consumption when it comes to IS topics. Let's face it - security managers are usually techs that have made the transition into management, and have had little training or experience in effective business communications.
eric7095, User Rank: Author
4/22/2014 | 2:11:15 PM
Re: A Partnership Mentality
Bottom line is there needs to be someone in the organization that understands security, can translate between technical and business language, and clearly articulate metric-based risks to the executives. The job function is more important than the title.
GonzSTL, User Rank: Ninja
4/22/2014 | 2:02:21 PM
Re: A Partnership Mentality
IT and IS are related but also separate areas of focus. I believe we are past the critical juncture where IT and IS diverge. It is just a matter of time before the remaining organizations adapt to this reality. Unfortunately, the bad guys are well funded and have time on their side, while the good guys are seriously underfunded and find themselves in reactionary instead of proactive mode.
eric7095, User Rank: Author
4/21/2014 | 5:21:03 PM
Re: A Partnership Mentality
The real question is whether IT and IS are related or separate areas of focus. Many years ago when organizations first started using computers, IT was buried under business operations. Over the years it has become so important that IT became a separate area with an executive focused solely on that area. Are we not at the point with security, where it is so important that it deserves its own focus area with an executive in charge of it? Many of the previous breaches will show us that putting security under IT does not work.
GonzSTL, User Rank: Ninja
4/14/2014 | 3:53:30 PM
Re: A Partnership Mentality
Yes, believe me, I get all that, but if you were to stand up a security organization from scratch, would you place it under IT or somewhere else? Eventually, IT needs and security will butt heads, and when that happens, who or what breaks the tie? I would like to think that the tie breaker is whatever serves the company best, but if the tie breaker comes from someone who represents IT needs, how can you guarantee that it was a decision based on proper analysis and not one driven by an IT need? Furthermore, it may be true that the decision maker is unbiased, but what about that person's successor after the person leaves?
archangelnikk, User Rank: Apprentice
4/14/2014 | 3:32:19 PM
Re: A Partnership Mentality
Reporting relationships are important; however, it's far more complex than just that. You have to look at the maturity of the security program, the type of organization, and the relationships outside of IT that can be leveraged (the Board, legal, enterprise risk, compliance, and internal audit), and understand corporate culture and how to manage through influence. You also have to look at the scope of what information security represents within the company. Is it just operational security, is it risk, perhaps it's physical, or maybe all... There is by no means a one-size-fits-all mentality; however, the complexity is more than just who reports to whom.
GonzSTL, User Rank: Ninja
4/14/2014 | 2:52:51 PM
Re: A Partnership Mentality
That a partnership mentality has to exist is a given; the issue is what happens when security reports to IT. There potentially isn't much of a partnership when one is subordinate to another, either in perception or reality.
archangelnikk, User Rank: Apprentice
4/14/2014 | 2:29:51 PM
A Partnership Mentality
Having been both a CISO and CIO numerous times, a partnership mentality on both sides of the fence is the only way to successfully support the customers and enable the business to mitigate enterprise risk.
Marilyn Cohodas, User Rank: Strategist
4/14/2014 | 10:03:50 AM
Re: CIO/CSO = equal partners: how prevalent?
Good suggestion, GonzSTL. Stay tuned....