
Operations | Commentary
8/22/2014 12:00 PM
Marilyn Cohodas
Flash Poll: CSOs Need A New Boss

Only one out of four respondents to our flash poll think the CSO should report to the CIO.

Whom should the Chief Security Officer of a company or organization report to? Not the CIO, say members of the Dark Reading community, according to results of our latest poll.

Our poll, Security Org Chart, explored the changing role of the CSO in today’s modern enterprise, where the job of protecting data and defending information systems from attack has become a separate but equal responsibility, apart from the traditional IT infrastructure.

We asked members: To whom should the top security officer report? More than 75 percent of roughly 1,800 respondents placed security outside the traditional domain of the CIO, reporting instead directly to the chief executive (47 percent) or to other C-level executives in charge of risk or compliance (12 percent), legal (5 percent), or finance (4 percent). Only 23 percent of community members who took our poll endorsed the hierarchy of the CSO reporting up to the CIO.

[Chart: Who Should the CSO Report To?]

The results should come as no surprise. In today’s threat landscape, the emerging view seems to be that there is an inherent conflict between managing enterprise IT systems to increase productivity and profits (the CIO's job) and protecting sensitive corporate data and customers' personally identifiable information (the CSO's job).

"The CIO is trying to implement the best technology that is secure enough and will be cost effective," said Rick Howard, chief security officer for Palo Alto Networks in a Dark Reading Radio show this past July. "The CSO sees danger in every dark corner."

Howard and his counterpart at Palo Alto Networks, CIO Robert Quinn, were guests for a radio interview and live text chat about the evolution of the CSO. The two said they are on separate lines of authority to the C-suite at Palo Alto. And when there is a dispute it’s up to the CEO to break the tie. But that's an organizational structure that is probably more the exception than the rule, especially for less security-focused smaller businesses.

“It's been my experience that when both roles roll up to the same head, then an impartial decision potentially suffers. The CIO is pressured to deliver technology, and the CISO is pressured to ensure that the technology is deployed securely," community member GonzSTL observed in the online chat following the broadcast. In his present company, for example, where the security manager reports to the CIO, GonzSTL says he has “already seen the conflict,” the result of which was that a critical security position was reclassified to an IT role.

Communicating risk
Even more challenging for CSOs than personnel is how to talk effectively about risk to their bosses, irrespective of the reporting structure. It’s one thing to quantify the cost of an attack after the fact, but how do you justify the ROI of advanced security technologies that prevent or reduce the impact of a breach before it occurs -- if it ever does? "In the past in the tech ranks, we’ve done a pretty bad job at assessing and communicating risk to the C-suite,” even Bannon conceded in the radio broadcast.

The good news is that CEOs are starting to wake up to the seriousness of the problem and the complexities of the solutions -- albeit slowly. (See CEO Report Card: Low Grades for Risk Management.)

"It definitely depends on the situation," says Quinn, "but I think generally there is a huge increase in CEO awareness around security. They answer to the board, and it's very interesting how board governance is focusing a lot more on security risks. The notion of Security/Risk Sub-committees is only starting, but I think it may be an indicator of change."

What indicators of change are you seeing in your company? Let's chat about them in the comments.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...

Comments
Bprince, User Rank: Ninja, 8/26/2014 | 8:49:20 PM
Re: Both Sides
Interesting. I would have thought it would be the CEO more concerned with uptime and the CIO leaning more towards dealing with security concerns.

BP
Marilyn Cohodas, User Rank: Strategist, 8/26/2014 | 7:31:27 AM
Re: Both Sides
Tweet from @j_j_thompson, Aug 22

.@DarkReading most cso's are not rick... And have no standing to report to the CEO

Thoughts anyone on the qualifications of the typical CSO to report directly into the chief exec?

aws0513, User Rank: Ninja, 8/25/2014 | 9:54:56 AM
Re: Both Sides
I agree with Robert McDougal completely in regards to the CISO reporting to the CIO.

When working with organizations that do not subscribe to that organizational structure, I commonly will use the warehouse and security guard analogy.

If the warehouse manager is also the manager for the security guards for a warehouse, the warehouse manager can, if you think about it, order the security guard to ignore a weakness in the security practices of the warehouse. One could say that all the guard has to do is ask for it in writing, but then the manager can deny any involvement and make life miserable for the guard from that point on. Especially if the guard has no alternate recourse for reporting concerns.

It is always important to understand that security operations should not feel threatened from within. This is important for gates, guns, and guards as well as IT security.

In my current employment role, I am functioning as a security officer within the IT group. My role is as technical advisor, analyst, and liaison with the CIO and the CISO for all IT security issues where the IT group is involved. The CISO (with CEO support and delegation) determines and defines the security policies and standards, the CIO maintains the IT operations capabilities of the organization, and I make sure the IT operations are congruent with the security policies that have been published. For me this is a very effective team effort where there are very few tie breaker moments between the CIO and the CISO. When there are tie breaker moments, they always seem to come down to shortfalls in resources that the CEO can usually help resolve relatively efficiently.

Admittedly, I work with a CIO that "gets it" regarding IT security, so my work life is likely much simpler, and much more enjoyable, than others.
Robert McDougal, User Rank: Ninja, 8/25/2014 | 8:45:21 AM
Both Sides
I have worked in organizations in which the CSO reported to the CEO as well as organizations in which they reported to the CIO.

I have to say that the far better reporting structure is when the CSO falls under the CEO. The reason is simple but maybe not so obvious: the CIO is mostly concerned with operations. To be clear, the CIO usually does worry about security, but for the most part they are concerned with keeping the lights on. When a decision comes down to security or uptime, the CIO is much more likely to side with uptime.