
Comments
Flash Poll: CSOs Need A New Boss
Bprince
User Rank: Ninja
8/26/2014 | 8:49:20 PM
Re: Both Sides
Interesting. I would have thought it would be the CEO more concerned with uptime and the CIO leaning more towards dealing with security concerns. 

BP
Marilyn Cohodas
User Rank: Strategist
8/26/2014 | 7:31:27 AM
Re: Both Sides
Tweet from @j_j_thompson, Aug 22

.@DarkReading most cso's are not rick... And have no standing to report to the CEO

Thoughts anyone on the qualifications of the typical CSO to report directly into the chief exec?

aws0513
User Rank: Ninja
8/25/2014 | 9:54:56 AM
Re: Both Sides
I agree with Robert McDougal completely in regards to the CISO reporting to the CIO.

When working with organizations that do not subscribe to that organizational structure, I commonly will use the warehouse and security guard analogy.

If the warehouse manager is also the manager for the security guards for a warehouse, the warehouse manager can, if you think about it, order the security guard to ignore a weakness in the security practices of the warehouse.  One could say that all the guard has to do is ask for it in writing, but then the manager can deny any involvement and make life miserable for the guard from that point on.  Especially if the guard has no alternate recourse for reporting concerns. 

It is always important to understand that security operations should not feel threatened from within.  This is important for gates, guns, and guards as well as IT security.

In my current employment role, I am functioning as a security officer within the IT group. My role is as technical advisor, analyst, and liaison with the CIO and the CISO for all IT security issues where the IT group is involved. The CISO (with CEO support and delegation) determines and defines the security policies and standards, the CIO maintains the IT operations capabilities of the organization, and I make sure the IT operations are congruent with the security policies that have been published. For me this is a very effective team effort where there are very few tie breaker moments between the CIO and the CISO. When there are tie breaker moments, they always seem to come down to shortfalls in resources that the CEO can usually help resolve relatively efficiently.

Admittedly, I work with a CIO that "gets it" regarding IT security, so my work life is likely much simpler, and much more enjoyable, than others.
Robert McDougal
User Rank: Ninja
8/25/2014 | 8:45:21 AM
Both Sides
I have worked in organizations in which the CSO reported to the CEO as well as organizations in which they reported to the CIO.

I have to say that the far better reporting structure is when the CSO falls under the CEO. The reason is simple but maybe not so obvious: the CIO is mostly concerned with operations. To be clear, the CIO usually does worry about security, but for the most part they are concerned with keeping the lights on. When a decision comes down to security or uptime, the CIO is much more likely to side with uptime.
