Flash Poll: CSOs Need A New BossOnly one out of four respondents to our flash poll think the CSO should report to the CIO.
Whom should the Chief Security Officer of a company or organization report to? Not the CIO, say members of the Dark Reading community, according to results of our latest poll.
Our poll, Security Org Chart, explored the changing role of the CSO in today’s modern enterprise, where the job of protecting data and defending information systems from attack has become a separate but equal responsibility, apart from the traditional IT infrastructure.
We asked members: To whom should the top security officer should report? More than 75 percent of roughly 1,800 respondents placed security outside the traditional domain of the CIO, reporting, instead, directly to the chief executive (47 percent) or others with C-level titles in charge of risk or compliance (12 percent), legal (5 percent) or finance (4 percent). Only 23 percent of community members who took our poll endorsed the hierarchy of CSO reporting up to the CIO.
Who Should the CSO Report To?
The results should come as no surprise. In today’s threat landscape, the emerging view seems to be that there is an inherent conflict between managing enterprise IT systems that increase productivity and profits (CIO) and protecting sensitive corporate data and customer personal identifiable information (CSO).
"The CIO is trying to implement the best technology that is secure enough and will be cost effective," said Rick Howard, chief security officer for Palo Alto Networks in a Dark Reading Radio show this past July. "The CSO sees danger in every dark corner."
Howard and his counterpart at Palo Alto Networks, CIO Robert Quinn, were guests for a radio interview and live text chat about the evolution of the CSO. The two said they are on separate lines of authority to the C-suite at Palo Alto. And when there is a dispute it’s up to the CEO to break the tie. But that's an organizational structure that is probably more the exception than the rule, especially for less security-focused smaller businesses.
“It's been my experience that when both roles roll up to the same head, then an impartial decision potentially suffers. The CIO is pressured to deliver technology, and the CISO is pressured to ensure that the technology is deployed securely," community member GonzSTL observed in the online chat following the broadcast. In his present company, for example, where the security manager reports to the CIO, GonzSTL says he has “already seen the conflict,” the result of which was that a critical security position was reclassified to an IT role.
Even more challenging for CSOs than personnel is how to effectively talk about risk to their bosses, irrespective of the reporting structure. It’s one thing to quantify the cost of an attack after the fact, but how do you justify the ROI of advanced security technologies that prevent or reduce the impact of a breach before they occur -- if they ever do? "In the past in the tech ranks, we’ve done a pretty bad job at assessing and communicating risk to the C-suite,” even Bannon conceded in the radio broadcast.
The good news is that CEOs are starting to wake up to the seriousness of the problem and the complexities of the solutions -- albeit slowly. (See CEO Report Card: Low Grades for Risk Management.)
"It definitely depends on the situation," says Quinn, "but I think generally there is a huge increase in CEO awareness around security. They answer to the board, and it's very interesting how board governance is focusing a lot more on security risks. The notion of Security/Risk Sub-committees is only starting, but I think it may be an indicator of change."
What indicators of change are you seeing in your company? Let's chat about them in the comments.
Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ... View Full Bio