Operations
8/22/2014 12:00 PM
Marilyn Cohodas
Commentary

Flash Poll: CSOs Need A New Boss

Only one out of four respondents to our flash poll think the CSO should report to the CIO.

Whom should the Chief Security Officer of a company or organization report to? Not the CIO, say members of the Dark Reading community, according to results of our latest poll.

Our poll, Security Org Chart, explored the changing role of the CSO in the modern enterprise, where protecting data and defending information systems from attack has become a separate but equal responsibility, apart from running the traditional IT infrastructure.

We asked members: To whom should the top security officer report? More than 75 percent of roughly 1,800 respondents placed security outside the traditional domain of the CIO, reporting instead directly to the chief executive (47 percent) or to other C-level executives in charge of risk or compliance (12 percent), legal (5 percent), or finance (4 percent). Only 23 percent of community members who took our poll endorsed the hierarchy of the CSO reporting up to the CIO.

Who Should the CSO Report To?

The results should come as no surprise. In today's threat landscape, the emerging view is that there is an inherent conflict between managing enterprise IT systems to increase productivity and profits (the CIO's job) and protecting sensitive corporate data and customers' personally identifiable information (the CSO's job).

"The CIO is trying to implement the best technology that is secure enough and will be cost effective," said Rick Howard, chief security officer for Palo Alto Networks in a Dark Reading Radio show this past July. "The CSO sees danger in every dark corner."

Howard and his counterpart at Palo Alto Networks, CIO Robert Quinn, were guests for a radio interview and live text chat about the evolution of the CSO. The two said they are on separate lines of authority to the C-suite at Palo Alto Networks, and when there is a dispute, it is up to the CEO to break the tie. But that is an organizational structure that is probably more the exception than the rule, especially at smaller, less security-focused businesses.

“It's been my experience that when both roles roll up to the same head, then an impartial decision potentially suffers. The CIO is pressured to deliver technology, and the CISO is pressured to ensure that the technology is deployed securely," community member GonzSTL observed in the online chat following the broadcast. In his present company, for example, where the security manager reports to the CIO, GonzSTL says he has “already seen the conflict,” the result of which was that a critical security position was reclassified as an IT role.

Communicating risk
Even more challenging for CSOs than personnel disputes is how to talk effectively about risk to their bosses, irrespective of the reporting structure. It is one thing to quantify the cost of an attack after the fact, but how do you justify the ROI of advanced security technologies that prevent or reduce the impact of a breach before it occurs, if it ever does? "In the past in the tech ranks, we've done a pretty bad job at assessing and communicating risk to the C-suite,” even Bannon conceded in the radio broadcast.

The good news is that CEOs are starting to wake up to the seriousness of the problem and the complexities of the solutions -- albeit slowly. (See CEO Report Card: Low Grades for Risk Management.)

"It definitely depends on the situation," says Quinn, "but I think generally there is a huge increase in CEO awareness around security. They answer to the board, and it's very interesting how board governance is focusing a lot more on security risks. The notion of Security/Risk Sub-committees is only starting, but I think it may be an indicator of change."

What indicators of change are you seeing in your company? Let's chat about them in the comments.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...

Comments
Bprince
User Rank: Ninja
8/26/2014 | 8:49:20 PM
Re: Both Sides
Interesting. I would have thought it would be the CEO more concerned with uptime and the CIO leaning more towards dealing with security concerns.

BP
Marilyn Cohodas
User Rank: Strategist
8/26/2014 | 7:31:27 AM
Re: Both Sides
Tweet from @j_j_thompson, Aug 22

.@DarkReading most cso's are not rick... And have no standing to report to the CEO

Thoughts anyone on the qualifications of the typical CSO to report directly into the chief exec?

aws0513
User Rank: Moderator
8/25/2014 | 9:54:56 AM
Re: Both Sides
I agree with Robert McDougal completely in regards to the CISO reporting to the CIO.

When working with organizations that do not subscribe to that organizational structure, I commonly will use the warehouse and security guard analogy.

If the warehouse manager is also the manager for the security guards for a warehouse, the warehouse manager can, if you think about it, order the security guard to ignore a weakness in the security practices of the warehouse.  One could say that all the guard has to do is ask for it in writing, but then the manager can deny any involvement and make life miserable for the guard from that point on.  Especially if the guard has no alternate recourse for reporting concerns. 

It is always important to understand that security operations should not feel threatened from within.  This is important for gates, guns, and guards as well as IT security.

In my current employment role, I am functioning as a security officer within the IT group. My role is as technical advisor, analyst, and liaison with the CIO and the CISO for all IT security issues where the IT group is involved. The CISO (with CEO support and delegation) determines and defines the security policies and standards, the CIO maintains the IT operations capabilities of the organization, and I make sure the IT operations are congruent with the security policies that have been published. For me this is a very effective team effort where there are very few tie breaker moments between the CIO and the CISO. When there are tie breaker moments, they always seem to come down to shortfalls in resources that the CEO can usually help resolve relatively efficiently.

Admittedly, I work with a CIO that "gets it" regarding IT security, so my work life is likely much simpler, and much more enjoyable, than others.
Robert McDougal
User Rank: Ninja
8/25/2014 | 8:45:21 AM
Both Sides
I have worked in organizations in which the CSO reported to the CEO as well as organizations in which they reported to the CIO.

I have to say that the far better reporting structure is when the CSO falls under the CEO.  The reason is simple but maybe not so obvious, the CIO is mostly concerned with operations.  To be clear, the CIO usually does worry about security but for the most part they are concerned with keeping the lights on.  When a decision comes down to security or uptime, the CIO is much more likely to side with uptime.