January 6, 2017 By Scott Koegler

The chief information officer (CIO) may be in charge of the data, but who is responsible for enabling security? Where is the dividing line between the responsibilities of the CIO and those of the chief security officer (CSO)? Should there even be a dividing line?

We posed these questions and more to Bil Harmer, a strategist working in the office of the chief information security officer (CISO) at Zscaler, a cloud-based information security company, and came away with his experienced take on the security org chart issue.

Shuffling the Security Org Chart

Where does the line blur between the CIO’s responsibilities and those of the CSO? With both CIO and CSO aiming at the front line of the business, it may be difficult to pinpoint which officer is ultimately responsible. While the CIO holds the top-line position, it’s the CSO’s job to be more intimately familiar with threats and prevention strategies. Some separation of responsibilities may be necessary, but that can put a strain on reporting structures.

“While it may be the CIO’s responsibility to enact the requirements needed to achieve a secure environment, the CSO is ultimately responsible for enabling security,” Harmer said. “CSOs must understand the requirements laid out by the CIO and are responsible for providing the most effective, easily integrated and cost-effective security solutions. Separation of CIO and CSO responsibility is fundamental and should be implemented by default.”

Traditionally, the CIO sits at the top of the organization, and the CSO reports to the CIO or chief financial officer (CFO). “This is flawed and a direct conflict of interest,” Harmer explained, “as it is the responsibility of the CSO to ensure the CIO implements the technical and organizational measures needed to confirm security of the environment.”

The conflict Harmer described is real and not easy to overcome. Both the CIO and CSO need to guide enterprise strategies with security as a top priority. They must also make decisions about how to split resources between business initiatives and security, which can make for contentious budget struggles.

Alternative Scenarios

Are there any other options? Harmer offered one alternative scenario in which the CSO reports directly to the CFO, who is obligated to provide other services to the organization along the same lines, such as financial auditing. The most effective reporting structure, however, is one in which the CSO reports to the chief revenue officer (CRO), an arrangement enabled by cloud-based delivery models, he said.

“The CRO’s obligation to customers and users through the contract and renewal process gives the CSO objectivity to review the CIO’s operations from a customer’s perspective with no internal weight on the decision, such as the CSO’s bonus, career path or performance review,” Harmer explained. “This requires an equal and strong partnership with the CSO and CIO as peers.”

The CRO position is evolving and doesn’t exist at all companies. For this reason, it’s difficult to identify the CRO as an established, top-line role that should assume responsibility and issue guidance for security. The scenario in which CSOs report to CROs may be a future trend, but it sidesteps more well-established reporting structures that include the CIO, chief executive officer (CEO) and CFO.

Heads in the Cloud

It makes sense to move security management to cloud providers, especially for small or midsize companies that lack the full set of resources to assure total enterprise security. As provider validation becomes more reliable, it may be feasible to move the CSO’s responsibility to a lower tier of management that requires a less detailed understanding of daily security issues.

“Cloud vendors must ensure processes and operational transparency, allowing customers to feel like they are an integral part of the organization,” Harmer said. “Customers must also be able to ‘trust but verify’ with cloud solutions, allowing them to clearly see if the expectations of the relationship have been met.”

In this scenario, reporting structure may be a less important decision. The reporting lines of today are more likely to be defined by how the organization sees its existing and future structure, as well as the individual strength of its current C-level executives.
