The chief information officer (CIO) may be in charge of the data, but who is responsible for enabling security? Where is the dividing line between the responsibilities of the CIO and those of the chief security officer (CSO)? Should there even be a dividing line?

We posed these questions and more to Bil Harmer, a strategist working in the office of the chief information security officer (CISO) at Zscaler, a cloud-based information security company, and came away with his experienced take on the security org chart issue.

Shuffling the Security Org Chart

Where does the line blur between the CIO’s responsibilities and those of the CSO? With both the CIO and the CSO positioned at the front line of the business, it can be difficult to pinpoint which officer is ultimately accountable for security. The CIO holds the top-line position, but it is the CSO’s job to be more intimately familiar with threats and prevention strategies. Some separation of responsibilities is necessary, but it can put a strain on reporting structures.

“While it may be the CIO’s responsibility to enact the requirements needed to achieve a secure environment, the CSO is ultimately responsible for enabling security,” Harmer said. “CSOs must understand the requirements laid out by the CIO and are responsible for providing the most effective, easily integrated and cost-effective security solutions. Separation of CIO and CSO responsibility is fundamental and should be implemented by default.”

Traditionally, the CIO sits at the top of the organization, and the CSO reports to the CIO or chief financial officer (CFO). “This is flawed and a direct conflict of interest,” Harmer explained, “as it is the responsibility of the CSO to ensure the CIO implements the technical and organizational measures needed to confirm security of the environment.”

The conflict Harmer described is real and not easy to overcome. Both the CIO and CSO need to guide enterprise strategies with security as a top priority. They must also make decisions about how to split resources between business initiatives and security, which can make for contentious budget struggles.

Alternative Scenarios

Are there any other options? Harmer offered one alternative scenario in which the CSO reports directly to the CFO, an office that already provides independent oversight functions to the organization, such as financial auditing. The most effective reporting structure, he said, has the CSO report to the chief revenue officer (CRO), an arrangement that cloud-based delivery models make practical.

“The CRO’s obligation to customers and users through the contract and renewal process gives the CSO objectivity to review the CIO’s operations from a customer’s perspective with no internal weight on the decision, such as the CSO’s bonus, career path or performance review,” Harmer explained. “This requires an equal and strong partnership with the CSO and CIO as peers.”

The CRO position is evolving and doesn’t exist at all companies. For this reason, it’s difficult to identify the CRO as an established, top-line role that should assume responsibility and issue guidance for security. The scenario in which CSOs report to CROs may be a future trend, but it sidesteps more well-established reporting structures that include the CIO, chief executive officer (CEO) and CFO.

Heads in the Cloud

It makes sense to move security management to cloud providers, especially for small or midsize companies that lack the resources to secure the whole enterprise on their own. As the means of validating providers become more reliable, it may be feasible to move the CSO’s responsibility to a lower tier of management that requires a less detailed understanding of day-to-day security issues.

“Cloud vendors must ensure processes and operational transparency, allowing customers to feel like they are an integral part of the organization,” Harmer said. “Customers must also be able to ‘trust but verify’ with cloud solutions, allowing them to clearly see if the expectations of the relationship have been met.”

In this scenario, reporting structure may be a less important decision. The reporting lines of today are more likely to be defined by how the organization sees its existing and future structure, as well as the individual strength of its current C-level executives.
