
Operations | Commentary
8/22/2014 12:00 PM
Marilyn Cohodas

Flash Poll: CSOs Need A New Boss

Only one out of four respondents to our flash poll think the CSO should report to the CIO.

Whom should the Chief Security Officer of a company or organization report to? Not the CIO, say members of the Dark Reading community, according to results of our latest poll.

Our poll, Security Org Chart, explored the changing role of the CSO in today’s modern enterprise, where the job of protecting data and defending information systems from attack has become a separate but equal responsibility, apart from the traditional IT infrastructure.

We asked members: To whom should the top security officer report? More than 75 percent of roughly 1,800 respondents placed security outside the traditional domain of the CIO, reporting instead directly to the chief executive (47 percent) or to others with C-level titles in charge of risk or compliance (12 percent), legal (5 percent), or finance (4 percent). Only 23 percent of community members who took our poll endorsed the hierarchy of the CSO reporting up to the CIO.

[Chart: Who Should the CSO Report To?]

The results should come as no surprise. In today’s threat landscape, the emerging view seems to be that there is an inherent conflict between managing enterprise IT systems that increase productivity and profits (CIO) and protecting sensitive corporate data and customers' personally identifiable information (CSO).

"The CIO is trying to implement the best technology that is secure enough and will be cost effective," said Rick Howard, chief security officer for Palo Alto Networks, in a Dark Reading Radio show this past July. "The CSO sees danger in every dark corner."

Howard and his counterpart at Palo Alto Networks, CIO Robert Quinn, were guests for a radio interview and live text chat about the evolution of the CSO. The two said they are on separate lines of authority to the C-suite at Palo Alto, and when there is a dispute, it’s up to the CEO to break the tie. But that's an organizational structure that is probably more the exception than the rule, especially for less security-focused smaller businesses.

"It's been my experience that when both roles roll up to the same head, then an impartial decision potentially suffers. The CIO is pressured to deliver technology, and the CISO is pressured to ensure that the technology is deployed securely," community member GonzSTL observed in the online chat following the broadcast. In his present company, for example, where the security manager reports to the CIO, GonzSTL says he has "already seen the conflict," the result of which was that a critical security position was reclassified to an IT role.

Communicating risk

Even more challenging for CSOs than personnel is how to talk effectively about risk to their bosses, irrespective of the reporting structure. It’s one thing to quantify the cost of an attack after the fact, but how do you justify the ROI of advanced security technologies that prevent or reduce the impact of a breach before it occurs -- if it ever does? "In the past in the tech ranks, we’ve done a pretty bad job at assessing and communicating risk to the C-suite," even Bannon conceded in the radio broadcast.

The good news is that CEOs are starting to wake up to the seriousness of the problem and the complexities of the solutions -- albeit slowly. (See CEO Report Card: Low Grades for Risk Management.)

"It definitely depends on the situation," says Quinn, "but I think generally there is a huge increase in CEO awareness around security. They answer to the board, and it's very interesting how board governance is focusing a lot more on security risks. The notion of Security/Risk Sub-committees is only starting, but I think it may be an indicator of change."

What indicators of change are you seeing in your company? Let's chat about them in the comments.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...

Comments
Bprince (User Rank: Ninja), 8/26/2014 | 8:49:20 PM
Re: Both Sides
Interesting. I would have thought it would be the CEO more concerned with uptime and the CIO leaning more towards dealing with security concerns. 

BP
Marilyn Cohodas (User Rank: Strategist), 8/26/2014 | 7:31:27 AM
Re: Both Sides
Tweet from @j_j_thompson, Aug 22

.@DarkReading most cso's are not rick... And have no standing to report to the CEO

Thoughts anyone on the qualifications of the typical CSO to report directly into the chief exec?

aws0513 (User Rank: Ninja), 8/25/2014 | 9:54:56 AM
Re: Both Sides
I agree with Robert McDougal completely in regards to the CISO reporting to the CIO.

When working with organizations that do not subscribe to that organizational structure, I commonly will use the warehouse and security guard analogy.

If the warehouse manager is also the manager for the security guards for a warehouse, the warehouse manager can, if you think about it, order the security guard to ignore a weakness in the security practices of the warehouse.  One could say that all the guard has to do is ask for it in writing, but then the manager can deny any involvement and make life miserable for the guard from that point on.  Especially if the guard has no alternate recourse for reporting concerns. 

It is always important to understand that security operations should not feel threatened from within.  This is important for gates, guns, and guards as well as IT security.

In my current employment role, I am functioning as a security officer within the IT group.  My role is as technical advisor, analyst, and liaison with the CIO and the CISO for all IT security issues where the IT group is involved.  The CISO (with CEO support and delegation) determines and defines the security policies and standards, the CIO maintains the IT operations capabilities of the organization, and I make sure the IT operations are congruent with the security policies that have been published.  For me this is a very effective team effort where there are very few tie breaker moments between the CIO and the CISO.  When there are tie breaker moments, they always seem to come down to shortfalls in resources that the CEO can usually help resolve relatively efficiently.

Admittedly, I work with a CIO that "gets it" regarding IT security, so my work life is likely much simpler, and much more enjoyable, than others.
Robert McDougal (User Rank: Ninja), 8/25/2014 | 8:45:21 AM
Both Sides
I have worked in organizations in which the CSO reported to the CEO as well as organizations in which they reported to the CIO.

I have to say that the far better reporting structure is when the CSO falls under the CEO.  The reason is simple but maybe not so obvious: the CIO is mostly concerned with operations.  To be clear, the CIO usually does worry about security, but for the most part they are concerned with keeping the lights on.  When a decision comes down to security or uptime, the CIO is much more likely to side with uptime.