January 6, 2017 By Scott Koegler 3 min read

The chief information officer (CIO) may be in charge of the data, but who is responsible for enabling security? Where is the dividing line between the responsibilities of the CIO and those of the chief security officer (CSO)? Should there even be a dividing line?

We posed these questions and more to Bil Harmer, a strategist working in the office of the chief information security officer (CISO) at Zscaler, a cloud-based information security company, and came away with his experienced take on the security org chart issue.

Shuffling the Security Org Chart

Where does the line blur between the CIO’s responsibilities and those of the CSO? With both CIO and CSO aiming at the front line of the business, it may be difficult to pinpoint which officer is ultimately responsible. While the CIO holds the top-line position, it’s the CSO’s job to be more intimately familiar with threats and prevention strategies. Some separation of responsibilities may be necessary, but that can put a strain on reporting structures.

“While it may be the CIO’s responsibility to enact the requirements needed to achieve a secure environment, the CSO is ultimately responsible for enabling security,” Harmer said. “CSOs must understand the requirements laid out by the CIO and are responsible for providing the most effective, easily integrated and cost-effective security solutions. Separation of CIO and CSO responsibility is fundamental and should be implemented by default.”

Traditionally, the CIO sits at the top of the organization, and the CSO reports to the CIO or chief financial officer (CFO). “This is flawed and a direct conflict of interest,” Harmer explained, “as it is the responsibility of the CSO to ensure the CIO implements the technical and organizational measures needed to confirm security of the environment.”

The conflict Harmer described is real and not easy to overcome. Both the CIO and CSO need to guide enterprise strategies with security as a top priority. They must also make decisions about how to split resources between business initiatives and security, which can make for contentious budget struggles.

Alternative Scenarios

Are there any other options? Harmer offered one alternative scenario in which the CSO reports directly to the CFO, who is obligated to provide other services to the organization along the same lines, such as financial auditing. The most effective reporting structure, however, in which the CSO reports to the chief revenue officer (CRO), is enabled by cloud-based delivery models, he said.

“The CRO’s obligation to customers and users through the contract and renewal process gives the CSO objectivity to review the CIO’s operations from a customer’s perspective with no internal weight on the decision, such as the CSO’s bonus, career path or performance review,” Harmer explained. “This requires an equal and strong partnership with the CSO and CIO as peers.”

The CRO position is evolving and doesn’t exist at all companies. For this reason, it’s difficult to identify the CRO as an established, top-line role that should assume responsibility and issue guidance for security. The scenario in which CSOs report to CROs may be a future trend, but it sidesteps more well-established reporting structures that include the CIO, chief executive officer (CEO) and CFO.

Heads in the Cloud

It makes sense to move security management to cloud providers, especially for small or midsize companies that lack the full set of resources to assure total enterprise security. As provider validation becomes more reliable, it may be feasible to move the CSO’s responsibility to a lower tier of management that requires a less detailed understanding of daily security issues.

“Cloud vendors must ensure processes and operational transparency, allowing customers to feel like they are an integral part of the organization,” Harmer said. “Customers must also be able to ‘trust but verify’ with cloud solutions, allowing them to clearly see if the expectations of the relationship have been met.”

In this scenario, reporting structure may be a less important decision. The reporting lines of today are more likely to be defined by how the organization sees its existing and future structure, as well as the individual strength of its current C-level executives.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today