Move the CSO to a Different Place on the Security Org Chart
The chief information officer (CIO) may be in charge of the data, but who is responsible for enabling security? Where is the dividing line between the responsibilities of the CIO and those of the chief security officer (CSO)? Should there even be a dividing line?
We posed these questions and more to Bil Harmer, a strategist working in the office of the chief information security officer (CISO) at Zscaler, a cloud-based information security company, and came away with his experienced take on the security org chart issue.
Shuffling the Security Org Chart
Where does the line blur between the CIO’s responsibilities and those of the CSO? With both CIO and CSO aiming at the front line of the business, it may be difficult to pinpoint which officer is ultimately responsible. While the CIO holds the top-line position, it’s the CSO’s job to be more intimately familiar with threats and prevention strategies. Some separation of responsibilities may be necessary, but that can put a strain on reporting structures.
“While it may be the CIO’s responsibility to enact the requirements needed to achieve a secure environment, the CSO is ultimately responsible for enabling security,” Harmer said. “CSOs must understand the requirements laid out by the CIO and are responsible for providing the most effective, easily integrated and cost-effective security solutions. Separation of CIO and CSO responsibility is fundamental and should be implemented by default.”
Traditionally, the CIO sits at the top of the organization, and the CSO reports to the CIO or chief financial officer (CFO). “This is flawed and a direct conflict of interest,” Harmer explained, “as it is the responsibility of the CSO to ensure the CIO implements the technical and organizational measures needed to confirm security of the environment.”
The conflict Harmer described is real and not easy to overcome. Both the CIO and CSO need to guide enterprise strategies with security as a top priority. They must also make decisions about how to split resources between business initiatives and security, which can make for contentious budget struggles.
Are there any other options? Harmer offered one alternative scenario in which the CSO reports directly to the CFO, who is obligated to provide other services to the organization along the same lines, such as financial auditing. The most effective reporting structure, however, in which the CSO reports to the chief revenue officer (CRO), is enabled by cloud-based delivery models, he said.
“The CRO’s obligation to customers and users through the contract and renewal process gives the CSO objectivity to review the CIO’s operations from a customer’s perspective with no internal weight on the decision, such as the CSO’s bonus, career path or performance review,” Harmer explained. “This requires an equal and strong partnership with the CSO and CIO as peers.”
The CRO position is evolving and doesn’t exist at all companies. For this reason, it’s difficult to identify the CRO as an established, top-line role that should assume responsibility and issue guidance for security. The scenario in which CSOs report to CROs may be a future trend, but it sidesteps more well-established reporting structures that include the CIO, chief executive officer (CEO) and CFO.
Heads in the Cloud
It makes sense to move security management to cloud providers, especially for small or midsize companies that lack the full set of resources to assure total enterprise security. As provider validation becomes more reliable, it may be feasible to move the CSO’s responsibility to a lower tier of management that requires a less detailed understanding of daily security issues.
“Cloud vendors must ensure processes and operational transparency, allowing customers to feel like they are an integral part of the organization,” Harmer said. “Customers must also be able to ‘trust but verify’ with cloud solutions, allowing them to clearly see if the expectations of the relationship have been met.”
In this scenario, reporting structure may be a less important decision. The reporting lines of today are more likely to be defined by how the organization sees its existing and future structure, as well as the individual strength of its current C-level executives.