Whenever a breach occurs it reveals weaknesses in how an organization approached security. In the case of the Target breach, the ongoing trickle of new details coming out is a gift that keeps on giving. One of the most interesting reveals was the fact that all security responsibilities at Target were buried under the CIO and that the company did not even have a CSO.
Not surprisingly, when Target CIO and executive VP of technology services Beth Jacob resigned last month, the first question that many people asked was whether CIO Jacob should be held responsible, since running the IT infrastructure (typically a role of the CIO) and protecting the information (typically a role of the CSO) involve different responsibilities that can be complementary but are often at odds.
First and foremost, organizations of any size (especially one the size of Target) need to have an executive who is solely in charge of security. With the large interdependence organizations have on a digital infrastructure, security needs to have a seat at the table in the boardroom. If security gets buried under IT -- whose primary responsibility is running a reliable infrastructure -- bad decisions will be made and breaches will happen.
Not having a CSO today is like a football team not having a quarterback. You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games. In order for organizations to be successful, they must have both a reliable infrastructure and proper protection of information. If an organization has only a CIO and no CSO, no one is focusing on security, and bad things will happen. Lack of a CSO means lack of security.
It’s most likely that Target had a security team that was screaming and yelling about all of the security issues. But they had no advocate who was listening to them and fighting their cause in the C-suite. Engineers need to have a line of communication to the CEO -- and the CSO is that channel. Without a CSO, the critical security information does not make it to the executive levels. It’s my guess (and hope) that if Target executives had received the proper information about security they would have made different decisions, and this story would have had a happier ending.
The CIO and CSO need to be peers and have equal representation in the board room. Typically the CIO will report to the COO, and the CSO will report to CFO. The COO and CFO directly report to the CEO. But whatever the organizational framework, the CIO and CSO must have different reporting structures. And, in order for the CIO and CSO to have an effective working relationship, they must have clear boundaries of responsibility.
Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security, and the auditor to validate that the security is being done correctly. The security defined by the CSO should be based on metrics that demonstrate an organization’s acceptable level of risk, offer clear guidelines on what must be done, and provide an easy way to measure compliance.
As more breaches become public, it should become easier to convince executives that they need a CSO. The real problem is that many CIOs do not want to have a CSO, because it is easier for them to perform their jobs if they control all aspects of the IT infrastructure. These internal politics create a situation in which the CIO will not usually lobby for a CSO. So there needs to be another advocate who can ask the CEO, “Are you comfortable with the level of security at your organization, and are you receiving the proper security metrics to make the decisions?”
The situation today in many cases is that CEOs want to create a position of a CSO, but the CIO convinces them they do not need one. While they have good intentions, it is often the CIO that lobbies against a CSO, since a CSO will cause them to give up control and potentially make their job more difficult. My prediction is that in five years, most organizations will have a CSO that directly reports to the executive team.
What is the relationship between the CIO and CSO in your company? Are they allies or enemies? Let’s chat about the security issues this dynamic creates in the comments.