The chief information officer (CIO) may be in charge of the data, but who is responsible for enabling security? Where is the dividing line between the responsibilities of the CIO and those of the chief security officer (CSO)? Should there even be a dividing line?

We posed these questions and more to Bil Harmer, a strategist working in the office of the chief information security officer (CISO) at Zscaler, a cloud-based information security company, and came away with his take on the security org chart question.

Shuffling the Security Org Chart

Where does the line blur between the CIO’s responsibilities and those of the CSO? With both officers serving the front line of the business, it can be hard to pinpoint who is ultimately accountable when security fails. The CIO holds the top-line position, but it is the CSO’s job to know threats and prevention strategies in detail. Some separation of duties is necessary, yet that separation puts a strain on reporting structures: the person judging whether the environment is secure should not also be the person whose budget and performance depend on the answer.

“While it may be the CIO’s responsibility to enact the requirements needed to achieve a secure environment, the CSO is ultimately responsible for enabling security,” Harmer said. “CSOs must understand the requirements laid out by the CIO and are responsible for providing the most effective, easily integrated and cost-effective security solutions. Separation of CIO and CSO responsibility is fundamental and should be implemented by default.”

Traditionally, the CIO sits at the top of the organization, and the CSO reports to the CIO or chief financial officer (CFO). “This is flawed and a direct conflict of interest,” Harmer explained, “as it is the responsibility of the CSO to ensure the CIO implements the technical and organizational measures needed to confirm security of the environment.”

The conflict Harmer described is real and not easy to overcome. Both the CIO and CSO need to guide enterprise strategy with security as a top priority, and both must decide how to split finite resources between business initiatives and security controls. When one of them reports to the other, those budget decisions are no longer made between equals, which is where the contention starts.

Alternative Scenarios

Are there any other options? Harmer offered one alternative in which the CSO reports directly to the CFO, on the grounds that the CFO already provides independent assurance functions to the organization, such as financial auditing. The most effective reporting structure, he said, is one that cloud-based delivery models make possible: the CSO reports to the chief revenue officer (CRO).

“The CRO’s obligation to customers and users through the contract and renewal process gives the CSO objectivity to review the CIO’s operations from a customer’s perspective with no internal weight on the decision, such as the CSO’s bonus, career path or performance review,” Harmer explained. “This requires an equal and strong partnership with the CSO and CIO as peers.”

The CRO position is still evolving and does not exist at every company. That makes it hard to treat the CRO as an established, top-line role that should own security and issue guidance for it. CSOs reporting to CROs may become a trend, but today it sidesteps the better-established reporting lines that run through the CIO, chief executive officer (CEO) and CFO.

Heads in the Cloud

For small or midsize companies that lack the resources to secure the whole enterprise themselves, it can make sense to shift day-to-day security operations to cloud providers. As the means of validating providers (independent audits, attestations and contractual security commitments) become more reliable, the CSO’s role may move to a lower tier of management that needs a less detailed grasp of daily security issues. Shifting the operations does not shift the accountability, though: the customer still owns its data and the risk to it, so someone in the organization must confirm that the provider is delivering what it promised.

“Cloud vendors must ensure processes and operational transparency, allowing customers to feel like they are an integral part of the organization,” Harmer said. “Customers must also be able to ‘trust but verify’ with cloud solutions, allowing them to clearly see if the expectations of the relationship have been met.”

In this scenario, the reporting structure becomes a less important decision. Today’s reporting lines are more likely to be defined by how the organization sees its existing and future structure, and by the individual strength of its current C-level executives, than by any one prescribed model.
